

[NFX] Route not listed in route forwarding-table of IPSec-NM

  [KB33626]


After adding route configuration to IPSec Network Manager (IPSec-NM), users may find that a route is missing from the forwarding table, that the forwarding table is empty, or that the forwarding table itself is missing.

This article explains how to troubleshoot the issue.


The following symptoms are observed:

  • Unable to pass traffic via IPSec-NM

  • Unable to establish VPN via IPSec-NM

  • srxpfe daemon is not running on IPSec-NM

  • Deactivating and then activating IPSec-NM did not help


The route forwarding table can be missing or empty because the srxpfe or monit daemon is not running.


Verify whether the srxpfe or monit daemon is running. To check, run the following command in the ipsec-nm shell:

ps aux | grep srxpfe

The following is an example of ipsec-nm where srxpfe is running:

root@ipsec-nm%ps aux | grep srxpfe
root        94 15.2  0.9 2262256 147124 ?      Sl   Apr23 237:14 /usr/sbin/srxpfe -a -d
root      6692  0.0  0.0   4400   396 pts/0    S+   00:23   0:00 grep srxpfe
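
The sample output above shows that `grep srxpfe` always matches its own process, so the pipeline's exit status alone cannot tell you whether the daemon is up. The following is an added example, not Juniper's code: it checks the executable name in the command column of `ps aux` instead. It assumes `awk` is available in the ipsec-nm shell and that the monit daemon's process name is `monit`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list required daemons that are absent from `ps aux` output.
# Assumes the `ps aux` column layout shown in the article (command in field 11).

# missing_daemons NAME...
# Reads `ps aux` output on stdin and prints each NAME that has no process
# whose executable basename equals NAME. Because only the executable in
# column 11 is compared, a "grep srxpfe" process is never counted as srxpfe.
missing_daemons() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        $1 != "USER" {                  # skip the header line if present
            cmd = $11
            sub(/.*\//, "", cmd)        # /usr/sbin/srxpfe -> srxpfe
            seen[cmd] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(names[i] in seen)) print names[i]
        }
    '
}

# check_ipsec_nm: run against the live process table (assumed names).
check_ipsec_nm() {
    missing=$(ps aux | missing_daemons srxpfe monit)
    if [ -n "$missing" ]; then
        echo "not running:" $missing
        return 1
    fi
    echo "srxpfe and monit are running"
}

# Sample taken from the article's output (srxpfe running).
SAMPLE_RUNNING='root        94 15.2  0.9 2262256 147124 ?      Sl   Apr23 237:14 /usr/sbin/srxpfe -a -d
root      6692  0.0  0.0   4400   396 pts/0    S+   00:23   0:00 grep srxpfe'

# Constructed sample: srxpfe is down, only the grep itself matches.
SAMPLE_DOWN='root      6692  0.0  0.0   4400   396 pts/0    S+   00:23   0:00 grep srxpfe'

# Demo on the constructed sample: prints "srxpfe" even though grep matched.
printf '%s\n' "$SAMPLE_DOWN" | missing_daemons srxpfe
```

Call `check_ipsec_nm` in the ipsec-nm shell to test the live process table; it returns non-zero when either daemon is absent.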

Unfortunately, if the srxpfe process is NOT running on the IPSec-NM, the only resolution is to reboot the NFX device.

Note: If you deactivate/activate IPSec-NM from the Juniper Device Manager (JDM), you will see a core dump on IPSec-NM, and the srxpfe daemon will not start. You will have to reboot the entire NFX. This is a known product limitation.

Modification History:
2019-08-02: added deactivate / activate note to solution section