[ScreenOS] How do I tell if a VPN Tunnel SA (Security Association) is active?



Article ID: KB6134 | KB Last Updated: 20 Mar 2020 | Version: 11.0

How do I interpret the status (Sta) field in the output of the get sa command? Determining whether the SA is active will help you determine whether the tunnel is up.

This article is part of the troubleshooting guide: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.

How do I tell if a VPN Tunnel SA (Security Association) is active?
How do I check status of the tunnel?

To check the status of the tunnel, use either the CLI or the WebUI.

To view the tunnel status via the WebUI, go to VPNs > Monitor Status.

To view the status of the tunnel via the CLI:

  1. Telnet/SSH/Console into the Firewall. 
  2. Once logged in, enter get sa and then press [Enter].


    Paris-> get sa
    total configured sa: 1
    HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
    00000001< 500  esp:3des/sha1 e37791d2 expir    unlim I/I 2 0
    00000001> 500  esp:3des/sha1 883ebdb7 expir    unlim I/I 1 0

    Paris-> get sa
    total configured sa: 1
    HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
    00000001< 500  esp:3des/sha1 e37791d3 3596     unlim A/- 2 0
    00000001> 500  esp:3des/sha1 883ebdb8 3596     unlim A/- 1 0 

    In the case of multiple VPN Tunnels, search through the Gateway column for the IP address of the Remote Gateway of the tunnel in question. 

  3. Locate the 'Sta' column.  This column displays the tunnel status.
    • The first character displays whether the VPN tunnel is Active or Inactive.
    • The second character (after the slash) displays the Link status through the VPN Monitor feature.

    Possible values found in the Sta column:

    • I/I:    VPN tunnel is Inactive
    • A/-:  VPN tunnel is Active, and VPN Monitor is not configured
    • A/U: VPN tunnel is Active, and the link (detected through VPN Monitor) is UP
    • A/D: VPN tunnel is Active, but the link (detected through VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings.  This could be happening because the device that is being pinged is down or has ping disabled.  This could also be happening if the other side of the VPN is not a NetScreen/Juniper Firewall.

    Note: Both A/- and A/U are positive states, indicating that your tunnel is up.  Data will not pass through a tunnel when the status is I/I or A/D.


To check only the active SAs, run the command: get sa active

Paris-> get sa active
Total active sa: 0
total configured sa: 0
HEX ID        Gateway   Port   Algorithm            SPI                 Life:sec kb                  Sta        PID   vsys

If only the column headings are displayed (as shown below), no SA has been created and there are no active tunnels:

Paris-> get sa
total configured sa: 0
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys

This is typically caused by an incomplete VPN configuration. 
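
The Sta rules above can be applied to captured get sa output with a script. The following Python is an added example, not part of the Juniper article or of ScreenOS; the function names parse_get_sa and tunnel_status and the sample output are constructed for illustration. It assumes a tunnel counts as up only when every SA line for its HEX ID shows A/- or A/U, and it returns an empty result when only the column headings are present.

```python
import re

# Sta values and their meanings, as listed in the article.
STA_MEANING = {
    "I/I": "tunnel inactive",
    "A/-": "tunnel active, VPN Monitor not configured",
    "A/U": "tunnel active, VPN Monitor link up",
    "A/D": "tunnel active, VPN Monitor link down",
}
PASSING = {"A/-", "A/U"}  # per the article, data passes only in these states

SA_LINE = re.compile(r"^[ \t]*([0-9a-fA-F]{8})([<>])[ \t]+(.*)$", re.M)
STA_TOKEN = re.compile(r"^[AI]/[-UDI]$")

def parse_get_sa(text):
    """Return one dict per SA line; prompt, totals and headings never match."""
    sas = []
    for m in SA_LINE.finditer(text):
        fields = m.group(3).split()
        sta = next((f for f in fields if STA_TOKEN.match(f)), None)
        # Assumption: IPv4 gateways; the column may be blank in sanitized output.
        gateway = fields[0] if fields and "." in fields[0] else None
        sas.append({"id": m.group(1), "marker": m.group(2), "gateway": gateway,
                    "sta": sta, "meaning": STA_MEANING.get(sta, "unrecognized")})
    return sas

def tunnel_status(text):
    """Map each HEX ID to 'up' only if every SA line for it is A/- or A/U."""
    status = {}
    for sa in parse_get_sa(text):
        ok = sa["sta"] in PASSING and status.get(sa["id"], "up") == "up"
        status[sa["id"]] = "up" if ok else "down"
    return status

# Constructed sample (gateways from the 192.0.2.0/24 documentation range).
SAMPLE = """\
Paris-> get sa
total configured sa: 3
HEX ID    Gateway      Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 192.0.2.10   500  esp:3des/sha1 e37791d3 3596     unlim A/U 2 0
00000001> 192.0.2.10   500  esp:3des/sha1 883ebdb8 3596     unlim A/U 1 0
00000002< 192.0.2.20   500  esp:3des/sha1 0a1b2c3d 3412     unlim A/D 4 0
00000002> 192.0.2.20   500  esp:3des/sha1 4d3c2b1a 3412     unlim A/D 3 0
00000003< 192.0.2.30   500  esp:3des/sha1 5e6f7a8b expir    unlim I/I 6 0
00000003> 192.0.2.30   500  esp:3des/sha1 9c0d1e2f expir    unlim I/I 5 0
"""

if __name__ == "__main__":
    print(tunnel_status(SAMPLE) or "no SA created")
```

An empty result corresponds to the headings-only output shown above, which the article attributes to an incomplete VPN configuration.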


For configuration assistance and examples, consult the Concepts & Examples ScreenOS Reference Guide: Part 5 VPNs.  Refer to the 'Site-to-Site Virtual Private Networks' section for configuration examples.

Refer to ScreenOS Documentation, Release 6.3.0 for the complete set of reference material.

Modification History:
2020-03-20: Minor, non-technical update.
2019-06-18: Article reviewed for accuracy. Minor changes made. Article is correct and complete.
