[J/SRX] Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active

[KB10100]


Summary:

This article will help determine the reason why an IPsec VPN is not active and not passing data.


Symptoms:
  • How to troubleshoot a site-to-site VPN tunnel that won't establish
  • IPsec VPN tunnel is down or inactive
  • VPN is not working

Cause:

Solution:

Use the following steps to assist with resolving a VPN tunnel that is not active or passing traffic.

A flowchart version of these steps is also available in the original article.

Step 1.  What type of VPN tunnel are you having trouble with?


Step 2.  Is the VPN tunnel's SA (Security Association) active?  In other words, is the VPN's Phase 2 up? 

Run the command 'show security ipsec security-associations'.
Locate the 'Gateway' address of the VPN in question. If the remote gateway is not displayed, then the VPN SA is not active.
For more information on how to tell, consult: KB10090 - How do I tell if a VPN tunnel SA (Security Association) is active?

    user@CORPORATE> show security ipsec security-associations  
      total configured sa: 2
      ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
      <32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
      >32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0
      total configured sa: 2
      ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
      <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   U   0
      >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   U   0 

Step 3.  Is the VPN tunnel's IKE Phase 1 up? 

Run the command 'show security ike security-associations'.
Locate the 'Remote Address' of the VPN in question, and verify that the State is UP.
For more information, consult: KB10090 - How do I tell if a VPN tunnel SA (Security Association) is up/active?

    user@CORPORATE> show security ike security-associations
    Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
    1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
    2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main
  • No (Remote Address is not listed or State is DOWN) - Continue to Step 4.
  • Yes (State is UP) - Jump to Step 5.
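The two checks in Steps 2 and 3 are easy to automate when you have many peers to triage. The following Python helper is an added example, not part of the KB article or of any Juniper tool: it parses the text of the two 'show security' commands quoted above, decides for a given peer whether the IPsec SA (Phase 2) and the IKE SA (Phase 1) are up, and returns the KB step to continue with. The sample outputs embedded below are adapted from the article's own listings; the 3.3.3.3 entry with State DOWN and without an IPsec SA is constructed to show the failure case.

```python
"""Triage helper for Steps 2 and 3 of KB10100 (added example, not Juniper code).

Parses the output of 'show security ipsec security-associations' and
'show security ike security-associations' as captured from a Junos CLI
session and applies the KB's decision flow for one remote peer.
"""
import re

# Constructed sample output in the format shown in the KB. Only peer
# 2.2.2.2 has an inbound (<) and outbound (>) IPsec SA; 3.3.3.3 has none.
IPSEC_SA_OUTPUT = """\
total configured sa: 2
ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
<32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
>32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0
"""

# Constructed sample output: the IKE SA to 3.3.3.3 is DOWN.
IKE_SA_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         DOWN   744a594d957dd513  1e1307db82f58387  Main
"""

# One IPsec SA line: direction marker, SA id, gateway, port, algorithm, SPI.
_IPSEC_LINE = re.compile(r"\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)")
# One IKE SA line: index, remote address, state.
_IKE_LINE = re.compile(r"\s*(\d+)\s+(\S+)\s+(UP|DOWN)\s")


def ipsec_gateways(output):
    """Return the set of remote gateways whose IPsec SA is active.

    A tunnel is only considered active when both the inbound ('<') and the
    outbound ('>') SA entries are present for that gateway.
    """
    directions = {}
    for line in output.splitlines():
        m = _IPSEC_LINE.match(line)
        if m:
            direction, gateway = m.group(1), m.group(3)
            directions.setdefault(gateway, set()).add(direction)
    return {gw for gw, dirs in directions.items() if dirs == {"<", ">"}}


def ike_states(output):
    """Return a mapping of remote address -> IKE SA state ('UP' or 'DOWN')."""
    states = {}
    for line in output.splitlines():
        m = _IKE_LINE.match(line)
        if m:
            states[m.group(2)] = m.group(3)
    return states


def triage(peer, ipsec_output, ike_output):
    """Apply the KB's Step 2 / Step 3 decision flow for one peer.

    Returns (phase2_up, phase1_up, next_step) where next_step is the KB
    step number to continue with, or None when the IPsec SA is already
    active and Steps 4-6 (IKE negotiation analysis) do not apply.
    """
    phase2_up = peer in ipsec_gateways(ipsec_output)
    phase1_up = ike_states(ike_output).get(peer) == "UP"
    if phase2_up:
        next_step = None
    elif not phase1_up:
        next_step = 4  # Phase 1 not up: analyze IKE Phase 1 messages on the responder
    else:
        next_step = 5  # Phase 1 up but Phase 2 down: analyze Phase 2 messages
    return phase2_up, phase1_up, next_step


if __name__ == "__main__":
    for peer in ("2.2.2.2", "3.3.3.3"):
        p2, p1, step = triage(peer, IPSEC_SA_OUTPUT, IKE_SA_OUTPUT)
        print(f"{peer}: phase2_up={p2} phase1_up={p1} next_step={step}")
```

Feed the functions the raw text of the two commands (for example, captured over SSH or from a support bundle) and the result tells you directly whether to go to Step 4 or Step 5 for each peer. A peer that appears in neither output is treated as Phase 1 down, which matches the KB's "Remote Address is not listed" case.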

Step 4.  [Phase 1 not up]  Analyze the IKE Phase 1 messages on the responder for a solution.

Consult: KB10101 - How to analyze IKE Phase 1 VPN status messages.

If you can't find your solution in the logs on the responder side, jump to Step 6.


Step 5.  [Phase 2 not up]  Analyze the Phase 2 messages on the responder for a solution.

Consult: KB10099 - How to analyze IKE Phase 2 VPN status messages.

If you can't find your solution in the logs on the responder side, then continue to Step 6.


Step 6.  Analyze 'Phase 1' or 'Phase 2' logs for this VPN tunnel on the initiating VPN device.

If you can't find your solution in the logs on the initiating side, then continue to Step 7.


Step 7.  If still not resolved, collect logs, flow traceoptions, IKE traceoptions, and open a case with your technical support representative.

Consult:
Logs: KB21781 - [SRX] Data Collection Checklist. See the IPsec VPN Policy-based or Route-based sections.
Flow traceoptions: KB16233 - How to use 'Flow Traceoptions' and the 'security datapath-debug' in SRX series
IKE traceoptions: KB19943 - [J/SRX] How to enable IKE traceoptions for only specific security associations


See the Related Links section for more configuration and troubleshooting resources.


Related Links: