
[SRX] Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active

Article ID: KB10100 | Last Updated: 25 Jun 2020 | Version: 17.0

Summary:

This article will help determine the reason an IPsec VPN is not active and not passing data, and help resolve the issue.

 

Symptoms:
  • How to troubleshoot a site-to-site VPN tunnel that won't establish.

  • IPsec VPN tunnel is down or inactive.

  • VPN is not working.

 

Solution:

Use the following steps to assist with resolving a VPN tunnel that is not active or passing traffic.


Step 1. What type of VPN tunnel are you having trouble with?

 

Step 2. Is the VPN tunnel's SA (Security Association) active? In other words, is the VPN's Phase 2 up?

Run the command show security ipsec security-associations.

Locate the Gateway address of the VPN in question. If the remote gateway is not displayed, then the VPN SA is not active.

For more information about how to tell, consult: KB10090 - [J/SRX] How do I tell if a VPN Tunnel SA (Security Association) is active?

user@CORPORATE> show security ipsec security-associations  
   total configured sa: 2
   ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
   <32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
   >32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0
   total configured sa: 2
   ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
   <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   U   0
   >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   U   0 
 

Step 3. Is the VPN tunnel's IKE Phase 1 up?

Run the command show security ike security-associations.

Locate the Remote Address of the VPN in question, and verify that the State is UP.

For more information, consult: KB10090 - How do I tell if a VPN tunnel SA (Security Association) is active?

user@CORPORATE> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main
  • No (Remote Address is not listed or State is DOWN) - Continue to Step 4.

  • Yes (State is UP) - Jump to Step 5.
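
The checks in Steps 2 and 3 can be automated against captured CLI output. The following Python script is an added example, not part of this Juniper article and not Juniper code: it parses the text of show security ipsec security-associations and show security ike security-associations and applies the guide's decision for one peer gateway (both IPsec SAs present means Phase 2 is up and the tunnel is active; IKE state UP without an IPsec SA points to Step 5; IKE DOWN or absent points to Step 4). The sample output embedded in it is constructed from the article's listings, with the peers 4.4.4.4 and 5.5.5.5 added to exercise the failure branches; in practice you would feed it output saved from the device.

```python
"""Triage helper for Steps 2 and 3 of the SRX VPN resolution guide.

Added example, not Juniper code. It parses the text of
'show security ipsec security-associations' and
'show security ike security-associations' and returns which step of
the guide applies to a given peer gateway.
"""
import re

# Constructed sample output modelled on the article's CLI listings.
# 4.4.4.4 (IKE DOWN) and 5.5.5.5 (IKE UP, no IPsec SA) are added here
# to exercise the failure branches; their cookies are placeholders.
IPSEC_SA_OUTPUT = """\
  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
  >32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0
  total configured sa: 2
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   U   0
  >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   U   0
"""

IKE_SA_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main
3       4.4.4.4         DOWN   0000000000000000  0000000000000000  Main
4       5.5.5.5         UP     9b1c0d2e3f4a5b6c  7d8e9fa0b1c2d3e4  Main
"""

# One IPsec SA row: direction marker (< inbound, > outbound), ID, gateway,
# port, algorithm, SPI, lifetime, monitor flag, vsys.
IPSEC_ROW = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<gateway>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+(?P<life>\S+)\s+(?P<mon>\S+)\s+(?P<vsys>\d+)"
)
# One IKE SA row: index, remote address, state; the header line does not match.
IKE_ROW = re.compile(r"^\s*(?P<index>\d+)\s+(?P<remote>\S+)\s+(?P<state>UP|DOWN)\b")


def parse_ipsec_sas(text):
    """Return {gateway: {'<': inbound SPI, '>': outbound SPI}} for every SA listed."""
    sas = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            sas.setdefault(m["gateway"], {})[m["dir"]] = m["spi"]
    return sas


def parse_ike_sas(text):
    """Return {remote_address: state} for every IKE SA listed."""
    return {m["remote"]: m["state"]
            for m in map(IKE_ROW.match, text.splitlines()) if m}


def triage(gateway, ipsec_text=IPSEC_SA_OUTPUT, ike_text=IKE_SA_OUTPUT):
    """Apply Steps 2 and 3 of the guide to one peer gateway.

    Returns one of:
      'phase2-up'  inbound and outbound IPsec SAs exist; the tunnel is active
      'step5'      IKE Phase 1 is UP but there is no IPsec SA: analyze Phase 2
      'step4'      Phase 1 is DOWN or not listed: analyze Phase 1
    """
    ipsec = parse_ipsec_sas(ipsec_text).get(gateway, {})
    if "<" in ipsec and ">" in ipsec:
        return "phase2-up"
    if parse_ike_sas(ike_text).get(gateway) == "UP":
        return "step5"
    return "step4"


if __name__ == "__main__":
    # 6.6.6.6 is absent from both listings and therefore routes to Step 4.
    for gw in ("2.2.2.2", "3.3.3.3", "4.4.4.4", "5.5.5.5", "6.6.6.6"):
        print(f"{gw:<10} {triage(gw)}")
```

A gateway with only one of the two IPsec SA rows is treated as not active, which matches the guide's test that the peer must appear in the IPsec listing with a working pair; when a multi-vsys or IKEv2 device prints additional columns, extend the IPSEC_ROW pattern rather than loosening the match on the state field.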

 

Step 4. [Phase 1 not up] Analyze the IKE phase 1 messages on the responder for a solution.

Consult: KB10101 - How to analyze IKE Phase 1 VPN connection messages.

If you can't find your solution in the logs on the responder side, jump to Step 6.

 

Step 5. [Phase 2 not up] Analyze the Phase 2 messages on the responder for a solution.

Consult: KB10099 - How to analyze IKE Phase 2 VPN status messages.

If you can't find your solution in the logs on the responder side, then continue to Step 6.

 

Step 6. Analyze Phase 1 or Phase 2 logs for this VPN tunnel on the initiating VPN device.

If you can't find your solution in the logs on the initiating side, then continue to Step 7.

 

Step 7. If still not resolved, collect logs, flow traceoptions, and IKE traceoptions, and open a case with your technical support representative.

Consult the Related Links section for more configuration and troubleshooting resources.

 

Modification History:

2020-06-25: Article reviewed for accuracy; no changes required; article still relevant and used in conjunction with the VPN resolution guide: KB21898 - [SRX] Configuring Web-Authentication using secure ID in Dynamic VPN

 

Related Links
