Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] How to troubleshoot a site-to-site VPN where the SA is Up but the Monitor status is Down on the device



Article ID: KB10104 KB Last Updated: 26 Mar 2020Version: 10.0

This article describes how to troubleshoot a site-to-site VPN where the SA is Up but the Monitor status is Down on an SRX Series device.


Symptoms and Errors

  • Traffic is not passing through the tunnel.
  • The tunnel's SA is UP, but the Monitor status is Down.
> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<268173356 ESP:aes-cbc-128/sha1 5895f48b 2086/ unlim D root 54017
>268173356 ESP:aes-cbc-128/sha1 16693188 2086/ unlim D root 54017

Perform the procedure below to troubleshoot a VPN Tunnel in which the SA is Active but the Monitor status is Down. (To view a flowchart of the procedure, see KB10104.)

Step 1.  Is this a Site-to-Site (or LAN-to-LAN) VPN?  (A Site-to-Site VPN runs between two Juniper VPN devices or a Juniper VPN device and an OEM VPN device. A Site-to-Site VPN does not run between the Juniper VPN device and a PC client running VPN software.)

Step 2.  Is the IKE SA (Security Association) UP? Is the Mon Status DOWN?  (For assistance, see KB10090 - How do I tell if a VPN Tunnel SA (Security Association) is active on a J Series or SRX Series device?.)

Step 3.  Is the VPN Monitor "Optimized" feature enabled for this VPN?  (For assistance, see KB10118 - How do you enable the optimized feature of VPN Monitor on a J Series or SRX Series device, and what does it do?)

  • Yes - Proceed to Step 4.
  • No  - Enable the VPN Monitor "Optimize" setting and test the VPN connection again.  
Step 4  Temporarily disable the VPN Monitor (to further troubleshoot the issue).
  • From J-Web: Go to Configure > IPSec VPN >Auto Tunnel > Phase II >Auto Key VPN and uncheck the Enable VPN monitor box. 
  • From CLI: Enter this command: deactivate security ipsec vpn <vpn_name> vpn-monitor.

Step 5  With the VPN Monitor disabled, is the policy passing data? (For assistance with enabling logging, consult: KB10112 - Configuring the Junos Traffic Log.

Step 6.  Is the remote VPN connection a non-Juniper VPN Firewall device, or is the remote VPN device configured to block ICMP Echo Requests?

Step 7  Collect logs and open a case with JTAC (Juniper Technical Assistance Center). (For assistance, see KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting.)

Modification History:
2020-03-26: Article reviewed for accuracy; it is valid and accurate

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search