
[SRX] How to troubleshoot a VPN that is up, but is not passing traffic



Article ID: KB10093
KB Last Updated: 29 Jun 2020
Version: 12.0

Although the VPN tunnel status is active, several factors can prevent traffic from passing through the tunnel. This article helps identify what might be preventing data from passing through the VPN.

This article is part of the troubleshooting guide: KB10100 - Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active.


The VPN is up, but it is not passing traffic in one or both directions.


Use the following steps to troubleshoot a VPN tunnel that is active, but not passing data:

Note: If your VPN is down, then go to KB10100 - Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active. If your VPN is going up and down, then proceed with the following steps.

Step 1: Is the IPsec SA (Security Association) listed in ‘show security ipsec security-associations’?

If it is not listed, then the SA is not active or UP.

For assistance, consult: KB10090 - How do I tell if a VPN Tunnel SA (Security Association) is active?

Step 2: Is the VPN using the loopback interface lo0 as its external-interface?

root> show configuration security ike
policy ike_pol {
    proposal-set compatible;
    pre-shared-key ascii-text "$9$tMwDuIESreWX7yr4aGDkqIEhcvWbs2";
}
gateway gate1 {
    ike-policy ike_pol;
    external-interface lo0.0;    <----------
}

  • Yes - Continue with Step 3.
  • No - Jump to Step 4.

Step 3: Is the egress interface (the interface selected by the route to the remote peer) in the same security zone as the lo0 interface used as the VPN external-interface?

Step 4: Is this a route-based VPN or a policy-based VPN?

For information on how to tell, consult: KB10105 - What is the difference between a policy-based VPN and a route-based VPN?.

  • Route-based VPN - Continue with Step 5.
  • Policy-based VPN - Jump to Step 8.

Step 5: [Route-based VPN] Does a route for the remote network exist via the st0 interface in ‘show route <remote network>’?

root@siteA> show route <remote network>
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

<remote network>   *[Static/5] 00:00:53
                    > via st0.0  <----------


Step 6: [Route-based VPN] Looking at the route located in Step 5, is the next hop for the route pointing to the correct st0 interface?

a. First, locate the IKE gateway using 'show security ike'.

root@siteA# show security ike
gateway gw-siteB {        <---------
    ike-policy ike-phase1-policy;
    external-interface ge-0/0/3.0;
}

b. Then locate the IPsec VPN that references that IKE gateway using 'show security ipsec'.

root@siteA# show security ipsec
vpn ike-vpn-siteB {
    bind-interface st0.0;       <---------
    ike {
        gateway gw-siteB;       <---------
        proxy-identity {
            service any;
        }
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}

c. Review the bind-interface located in step 6b to identify the st0 interface.
   In this example, the VPN ike-vpn-siteB is bound to the st0.0 interface, so the route from Step 5 must point to st0.0.
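The following Python script is an added example; it is not part of this KB article and is not a Juniper tool. It automates the Step 5 and Step 6 checks by parsing the text of 'show security ipsec' (configuration mode) and 'show route <remote network>' and confirming that the active route's next hop is the st0 unit bound to the VPN for that peer. The configuration text, the route output and the remote prefix 192.0.2.0/24 embedded in it are constructed sample data modelled on the examples above, not values taken from the article.

```python
import re

# Constructed sample output modelled on the Step 5 and Step 6 examples above.
# The second VPN (ike-vpn-siteC on st0.1) is added to show a mismatch;
# 192.0.2.0/24 is an assumed remote network, not a value from the KB.
IPSEC_CONFIG = """\
vpn ike-vpn-siteB {
    bind-interface st0.0;
    ike {
        gateway gw-siteB;
        proxy-identity {
            service any;
        }
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn ike-vpn-siteC {
    bind-interface st0.1;
    ike {
        gateway gw-siteC;
        ipsec-policy ipsec-phase2-policy;
    }
}
"""

ROUTE_OUTPUT = """\
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.0/24       *[Static/5] 00:00:53
                    > via st0.0
"""


def parse_junos_config(text):
    """Parse Junos curly-brace configuration text into nested dicts.

    A leaf statement such as "bind-interface st0.0;" becomes
    {"bind-interface": "st0.0"}; a block such as "ike { ... }" becomes a
    nested dict keyed by its header line.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) > 1 else True
    return root


def vpn_bind_interfaces(config_text):
    """Map each IPsec VPN name to its bind-interface (None if not configured)."""
    tree = parse_junos_config(config_text)
    return {
        header.split(None, 1)[1]: body.get("bind-interface")
        for header, body in tree.items()
        if header.startswith("vpn ")
    }


def route_next_hop_interface(route_output, prefix):
    """Return the interface the route for `prefix` points at, or None."""
    lines = route_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            # Junos prints the next hop on the indented line(s) that follow.
            for follow in lines[i + 1:i + 4]:
                m = re.search(r"via (\S+)", follow)
                if m:
                    return m.group(1)
    return None


def check_route_based_vpn(config_text, route_output, prefix, vpn_name):
    """Steps 5 and 6 as one check: a route exists via an st0 interface and that
    interface is the bind-interface of the VPN. Returns (ok, message)."""
    nh = route_next_hop_interface(route_output, prefix)
    if nh is None:
        return False, f"no route for {prefix}"
    if not nh.startswith("st0"):
        return False, f"route for {prefix} is via {nh}, not an st0 interface"
    bind = vpn_bind_interfaces(config_text).get(vpn_name)
    if bind is None:
        return False, f"VPN {vpn_name} has no bind-interface"
    if bind != nh:
        return False, f"route uses {nh} but VPN {vpn_name} is bound to {bind}"
    return True, f"route for {prefix} via {nh} matches bind-interface of {vpn_name}"


if __name__ == "__main__":
    print(check_route_based_vpn(IPSEC_CONFIG, ROUTE_OUTPUT, "192.0.2.0/24", "ike-vpn-siteB"))
    print(check_route_based_vpn(IPSEC_CONFIG, ROUTE_OUTPUT, "192.0.2.0/24", "ike-vpn-siteC"))
```

Paste the real output of the two commands into the two strings (or read them from files) and call check_route_based_vpn with the remote prefix and the VPN name found in step 6b; a False result with "is bound to" in the message is exactly the Step 6 mismatch, where the route sends traffic into an st0 unit that belongs to a different tunnel.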

Step 7: [Route-based VPN] Is there a security policy that allows traffic from the internal zone to the security zone containing the st0 interface in ‘show security policies’?

Step 8: [Policy-based VPN] Is there a tunnel security policy to allow traffic into the VPN in ‘show security policies’?

root@siteA# show security policies
from-zone trust to-zone untrust {
    policy vpn_egress {
        match {
            source-address local-net;
            destination-address remote-net;
            application any;
        }
        then {
            permit {
                tunnel {                      <----------
                    ipsec-vpn ike-vpn-siteC;  <----------
                }
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy vpn_ingress {
        match {
            source-address remote-net;
            destination-address local-net;
            application any;
        }
        then {
            permit {
                tunnel {                      <----------
                    ipsec-vpn ike-vpn-siteC;  <----------
                }
            }
        }
    }
}


Step 9: Is the traffic matching the policy identified in Step 7 or Step 8?

Use the operational command 'show security flow session source-prefix <source address> destination-prefix <destination address>' to locate the matched policy.

root@siteA> show security flow session source-prefix <source address> destination-prefix <destination address>

Session ID: 5801, Policy name: AtoB/2, Timeout: 1790, Valid
  In: <source address> --> <destination address>;icmp, If: fe-0/0/2.0, Pkts: 59878, Bytes: 4602292
  Out: <destination address> --> <source address>;icmp, If: st0.0, Pkts: 52505, Bytes: 4189289
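As an added example (not from this article and not a Juniper tool), the Python below parses 'show security flow session' output and flags the three conditions this step is looking for: a session that matched a policy other than the expected VPN policy, an Out wing that leaves through an interface other than st0 (traffic bypassing a route-based tunnel), and a session whose In wing carries packets while the Out wing has none (traffic entering the tunnel but nothing coming back). The session text, the addresses (RFC 5737 documentation ranges), the session IDs, policy names and counters are constructed sample data, not values from the article.

```python
import re

# Constructed sample output modelled on the Step 9 example above. Session 5801
# is healthy; 5802 sends into the tunnel but gets nothing back; 5803 matched
# the wrong policy and egresses via a physical interface instead of st0.
FLOW_SESSIONS = """\
Session ID: 5801, Policy name: AtoB/2, Timeout: 1790, Valid
  In: 192.0.2.10/1 --> 198.51.100.20/1;icmp, If: fe-0/0/2.0, Pkts: 59878, Bytes: 4602292
  Out: 198.51.100.20/1 --> 192.0.2.10/1;icmp, If: st0.0, Pkts: 52505, Bytes: 4189289

Session ID: 5802, Policy name: AtoB/2, Timeout: 1800, Valid
  In: 192.0.2.11/1 --> 198.51.100.21/1;icmp, If: fe-0/0/2.0, Pkts: 40, Bytes: 3360
  Out: 198.51.100.21/1 --> 192.0.2.11/1;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 5803, Policy name: default-permit/4, Timeout: 1800, Valid
  In: 192.0.2.12/1 --> 198.51.100.22/1;icmp, If: fe-0/0/2.0, Pkts: 12, Bytes: 1008
  Out: 198.51.100.22/1 --> 192.0.2.12/1;icmp, If: ge-0/0/3.0, Pkts: 0, Bytes: 0
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+),")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_flow_sessions(text):
    """Turn the session listing into a list of dicts with 'in' and 'out' wings."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2)}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = {
                "src": m.group(2), "dst": m.group(3), "proto": m.group(4),
                "if": m.group(5), "pkts": int(m.group(6)), "bytes": int(m.group(7)),
            }
    return sessions


def audit_sessions(sessions, expected_policy, tunnel_if_prefix="st0"):
    """Return (session id, finding) pairs for sessions that are not healthy
    tunnel sessions: wrong policy, wrong egress interface, or one-way traffic."""
    findings = []
    for s in sessions:
        sid = s["id"]
        policy = s["policy"].split("/")[0]  # drop the "/N" policy index
        if policy != expected_policy:
            findings.append((sid, f"matched policy {policy!r}, expected {expected_policy!r}"))
        out = s.get("out")
        if out is None:
            findings.append((sid, "no Out wing; session is half-open"))
            continue
        if not out["if"].startswith(tunnel_if_prefix):
            findings.append((sid, f"egress via {out['if']}, traffic is bypassing the tunnel"))
        if out["pkts"] == 0 and s.get("in", {}).get("pkts", 0) > 0:
            findings.append((sid, "packets sent into the tunnel but none returned"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_sessions(parse_flow_sessions(FLOW_SESSIONS), "AtoB"):
        print(f"session {sid}: {finding}")
```

The st0 check applies to route-based VPNs, where a correctly matched session egresses via the st0 unit as in the article's output. For a policy-based VPN the session egresses via the physical external interface, so pass that interface name (for example the external-interface found in Step 6a) as tunnel_if_prefix instead.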


Step 10: Collect logs and flow traceoptions, and open a case with your technical support representative.

Consult: KB21781 - [SRX] Data Collection Checklist. (See the IPsec VPN Policy-based or Route-based VPN sections.)

For flow traceoptions information, consult: KB16233 – How to use ‘Flow Traceoptions’ and the ‘security datapath-debug’ in SRX series.


Modification History:
2020-06-29: Removed J-Series references.
