[SRX] Resolution Guide - How to troubleshoot a VPN tunnel that is down or not active

Use the following steps to assist with resolving a VPN tunnel that is not active or passing traffic.

For the flowchart version of these steps, click the flowchart icon:

Step 1. What type of VPN tunnel are you having trouble with?

Site-to-site (LAN-to-LAN) VPN - Continue with Step 2.

Remote Access IPsec VPN or Client-to-LAN VPN

For SRX Branch Series, see KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.

For SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 and J Series devices, continue with Step 2.

Is the VPN tunnel's SA (Security Association) active? In other words, is the VPN's Phase 2 up?

Run the command show security ipsec security-associations.

Locate the Gateway address of the VPN in question. If the remote gateway is not displayed, then the VPN SA is not active.

For more information about how to tell, consult: KB10090 - [J/SRX] How do I tell if a VPN Tunnel SA (Security Association) is active?.

user@CORPORATE> show security ipsec security-associations  
   total configured sa: 2
   ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
   <32785 2.2.2.2         1398  ESP:3des/sha1   29e26eba 28735/unlim   -   0
   >32785 2.2.2.2         1398  ESP:3des/sha1   6d4e790b 28735/unlim   -   0
   total configured sa: 2
   ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
   <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   U   0
   >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   U   0

No (SA is not listed) - Continue to Step 3.

Yes (SA is listed, so Phase 2 is up) - If traffic is not passing, consult: KB10093 - How to troubleshoot a VPN that is up, but is not passing traffic.

Sometimes - SA is bouncing between active and inactive - Consult: KB10096 - How to troubleshoot a VPN tunnel that is going up and down.

Step 3. Is the VPN tunnel's IKE Phase 1 up?

Run the command show security ike security-associations.

Locate the Remote Address of the VPN in question, and verify that the State is UP.

For more information, consult: KB10090 - How do I tell if a VPN tunnel SA (Security Association) is active?.

user@CORPORATE> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main

No (Remote Address is not listed or State is DOWN) - Continue to Step 4.

Yes (State is UP) - Jump to Step 5.

[Phase 1 not up] Analyze the IKE phase 1 messages on the responder for a solution.

Consult: KB10101 - How to analyze IKE Phase 1 VPN connection messages.

If you can't find your solution in the logs on the responder side, jump to Step 6.

Step 5 [Phase 2 not up] Analyze the phase 2 messages on the responder for a solution.

Consult: KB10099 - How to analyze IKE Phase 2 VPN status messages.

If you can't find your solution in the logs on the responder side, then continue to Step 6.

Step 6. Analyze Phase 1 or Phase 2 logs for this VPN tunnel on the initiating VPN device.

If you can't find your solution in the logs on the initiating side, then continue to Step 7.

Step 7 If still not resolved, collect logs, flow traceoptions, IKE traceoptions, and open a case with your technical support representative.

Consult:

Logs: KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting. See the IPsec VPN Policy-based or Route-based sections.

Flow traceoptions: KB16233 – [SRX] How to use 'flow traceoptions' and the 'security datapath-debug'

IKE traceoptions: KB19943 – [SRX] How to enable VPN (IKE/IPsec) traceoptions for only specific SAs (Security Associations)

See the Related Links section for more configuration and troubleshooting resources.

Knowledge Base