This article will help determine the reason an IPsec VPN is not active and not passing data, and help resolve the issue.
Use the following steps to assist with resolving a VPN tunnel that is not active or passing traffic.
A flowchart version of these steps is also available.
Step 1. What type of VPN tunnel are you having trouble with?
Step 2. Is the VPN tunnel's SA (Security Association) active? In other words, is the VPN's Phase 2 up?
Run the command show security ipsec security-associations.
Locate the Gateway address of the VPN in question. If the remote gateway is not displayed, the VPN SA is not active.
For more information about how to tell, consult: KB10090 - [J/SRX] How do I tell if a VPN Tunnel SA (Security Association) is active?
user@CORPORATE> show security ipsec security-associations
total configured sa: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<32785 2.2.2.2 1398 ESP:3des/sha1 29e26eba 28735/unlim - 0
>32785 2.2.2.2 1398 ESP:3des/sha1 6d4e790b 28735/unlim - 0
total configured sa: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<32786 3.3.3.3 500 ESP:3des/sha1 5c13215d 28782/unlim U 0
>32786 3.3.3.3 500 ESP:3des/sha1 18f67b48 28782/unlim U 0
Step 3. Is the VPN tunnel's IKE Phase 1 up?
Run the command show security ike security-associations.
Locate the Remote Address of the VPN in question and verify that the State is UP.
For more information, consult: KB10090 - How do I tell if a VPN tunnel SA (Security Association) is active?
user@CORPORATE> show security ike security-associations
Index Remote Address State Initiator cookie Responder cookie Mode
1 2.2.2.2 UP 744a594d957dd513 1e1307db82f58387 Main
2 3.3.3.3 UP 744a594d957dd513 1e1307db82f58387 Main
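The two checks above (is the peer's gateway listed in the IPsec SA table, and is its IKE SA State UP) can be automated against the CLI output. The following Python is an added example written for this article, not a Juniper tool or script: it parses the two outputs shown above, decides whether Phase 1 and Phase 2 are up for a given peer, and maps the result to the step this article sends you to. The sample outputs are copied from the article; the extra IKE entry for 4.4.4.4 is a constructed line added only to demonstrate the "Phase 1 up, Phase 2 down" case.

```python
"""Map a peer's SA status in 'show security ... security-associations' output
to the next troubleshooting step of this article (added example)."""
from dataclasses import dataclass

# Output copied from the article. In practice, feed in the live CLI output.
IPSEC_SA_OUTPUT = """\
user@CORPORATE> show security ipsec security-associations
total configured sa: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<32785 2.2.2.2 1398 ESP:3des/sha1 29e26eba 28735/unlim - 0
>32785 2.2.2.2 1398 ESP:3des/sha1 6d4e790b 28735/unlim - 0
total configured sa: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<32786 3.3.3.3 500 ESP:3des/sha1 5c13215d 28782/unlim U 0
>32786 3.3.3.3 500 ESP:3des/sha1 18f67b48 28782/unlim U 0
"""

# Output copied from the article, plus one CONSTRUCTED row for peer 4.4.4.4
# (Phase 1 up, but no IPsec SA above) to exercise the Phase 2 branch.
IKE_SA_OUTPUT = """\
user@CORPORATE> show security ike security-associations
Index Remote Address State Initiator cookie Responder cookie Mode
1 2.2.2.2 UP 744a594d957dd513 1e1307db82f58387 Main
2 3.3.3.3 UP 744a594d957dd513 1e1307db82f58387 Main
3 4.4.4.4 UP 0123456789abcdef fedcba9876543210 Main
"""


@dataclass
class IpsecSa:
    direction: str   # "<" inbound SA, ">" outbound SA
    sa_id: str
    gateway: str
    port: int
    algorithm: str
    spi: str
    lifetime: str    # "sec/kb" column, e.g. "28735/unlim"
    monitor: str     # Mon column: "-" = VPN monitoring not configured, "U"/"D" = monitor up/down


@dataclass
class IkeSa:
    index: int
    remote: str
    state: str       # "UP" is what Step 3 requires
    mode: str


def parse_ipsec_sas(text):
    """Return {gateway: [IpsecSa, ...]} from 'show security ipsec security-associations'."""
    sas = {}
    for line in text.splitlines():
        tokens = line.split()
        # Data rows have 8 columns and start with the direction marker glued to the ID.
        if len(tokens) != 8 or tokens[0][0] not in "<>":
            continue
        sa = IpsecSa(direction=tokens[0][0], sa_id=tokens[0][1:], gateway=tokens[1],
                     port=int(tokens[2]), algorithm=tokens[3], spi=tokens[4],
                     lifetime=tokens[5], monitor=tokens[6])
        sas.setdefault(sa.gateway, []).append(sa)
    return sas


def parse_ike_sas(text):
    """Return {remote address: IkeSa} from 'show security ike security-associations'."""
    sas = {}
    for line in text.splitlines():
        tokens = line.split()
        # Data rows have 6 columns and start with the numeric Index; the header does not.
        if len(tokens) != 6 or not tokens[0].isdigit():
            continue
        sa = IkeSa(index=int(tokens[0]), remote=tokens[1], state=tokens[2], mode=tokens[5])
        sas[sa.remote] = sa
    return sas


def diagnose(peer, ipsec_text, ike_text):
    """Apply Steps 2 and 3: return (status, next action) for one remote gateway."""
    phase2_up = peer in parse_ipsec_sas(ipsec_text)          # Step 2: gateway listed?
    ike = parse_ike_sas(ike_text)
    phase1_up = peer in ike and ike[peer].state == "UP"      # Step 3: State is UP?
    if phase2_up:
        return "active", "VPN SA is active; the Phase 1/Phase 2 steps of this article do not apply"
    if not phase1_up:
        return "phase1-down", "Step 4: analyze IKE Phase 1 messages on the responder (KB10101)"
    return "phase2-down", "Step 5: analyze Phase 2 messages on the responder (KB10099)"


if __name__ == "__main__":
    for peer in ("2.2.2.2", "4.4.4.4", "5.5.5.5"):
        print(peer, *diagnose(peer, IPSEC_SA_OUTPUT, IKE_SA_OUTPUT))
```

A peer absent from both tables (5.5.5.5 here) is treated as Phase 1 down, because Step 3 asks for a State of UP and no row at all cannot satisfy that. The parser keys on column counts rather than exact header text, so the repeated "total configured sa" and header lines in the IPsec output are skipped without special handling.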
Step 4. [Phase 1 not up] Analyze the IKE Phase 1 messages on the responder for a solution.
Consult: KB10101 - How to analyze IKE Phase 1 VPN connection messages.
If you can't find your solution in the logs on the responder side, jump to Step 6.
Step 5. [Phase 2 not up] Analyze the Phase 2 messages on the responder for a solution.
Consult: KB10099 - How to analyze IKE Phase 2 VPN status messages.
If you can't find your solution in the logs on the responder side, continue to Step 6.
Step 6. Analyze the Phase 1 or Phase 2 logs for this VPN tunnel on the initiating VPN device.
If you can't find your solution in the logs on the initiating side, continue to Step 7.
Step 7. If still not resolved, collect logs, flow traceoptions, and IKE traceoptions, and open a case with your technical support representative.
For more configuration and troubleshooting resources, see the Related Links section.
2020-06-25: Article reviewed for accuracy; no changes required; article still relevant and used in conjunction with the VPN resolution guide: KB21898 - [SRX] Configuring Web-Authentication using secure ID in Dynamic VPN