[ScreenOS] How to troubleshoot a Site-to-Site VPN that does not come up and no messages are present in the event logs

[KB9217]


Summary:

The article provides information on how to troubleshoot a Site-to-Site (LAN-to-LAN) VPN that displays no IKE messages in the Event logs. 

Symptoms:

Symptoms and errors:

  • The VPN tunnel does not come up.
  • The SA (Security Association) is not active.
  • The VPN is not passing data. 
  • There are no Phase 1 or Phase 2 IKE messages in the Event logs.
Solution:

To view the flowchart for the following procedure, refer to KB9217 Flowchart.

Use the following procedure to resolve the issue of the VPN tunnel not being active and no Phase 1 or Phase 2 messages being generated in the event logs. Unless otherwise specified, this procedure should be performed on the initiating firewall (the side of the VPN from which the traffic is being generated).

Note: Depending on the VPN configuration, you may have to initiate traffic through the tunnel before it becomes active.

  1. Is this a Policy-Based or Route-Based VPN?   For further assistance, refer to KB4124 - Policy Based VPN vs. Route Based VPN. Which one do I have configured?
    • Policy-Based - Continue with Step 2
    • Route-Based - Jump to Step 4.
  2. Are the VPN Tunnel policies in the correct policy order?  For further assistance, refer to KB6629 - How to change the order of the policies and why that is important?
    • Yes - Continue with Step 3
    • No   - Try placing the VPN policies at the top of each zone list and then ping across the tunnel or try the VPN connection again. 
  3. Is the VPN Gateway configured to use the correct outgoing interface?  For further assistance, see KB4409 - How Do I Ensure That the Outgoing VPN Interface Configured in Phase 1 Matches?
    • Yes - Jump to Step 9.
    • No   - The IKE Gateway's outgoing interface cannot be changed.  Create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE so that it is using the new gateway.
  4.   Does a route exist for the tunnel interface?  For further assistance, see KB6723 - How to check if an IP is reachable from the NetScreen?
  5. Is the tunnel interface bound to the AutoKey IKE for this VPN?  An interface bound to more than one VPN can cause this symptom too.
    • Yes - Continue with Step 6
    • No   - Bind the tunnel interface to the AutoKey IKE for this tunnel.  To do this through the WebUI:
      • Click on VPNs -> AutoKey IKE
      • Find the AutoKey IKE for the tunnel in question and click Edit.
      • Click on the Advanced button.
      • In the Bind to section, click on Tunnel Interface.
      • Use the pull down menu and select the Tunnel interface you created for this tunnel.
      • Click Return.  Click OK.
  6. Is the VPN Gateway configured to use the correct outgoing interface?  For further assistance, see KB4409 - How Do I Ensure That the Outgoing VPN Interface Configured in Phase 1 Matches?
    • Yes - Continue with Step 7
    • No   - The IKE Gateway's outgoing interface cannot be changed.  Create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE so that it is using the new gateway.
  7. Is there a policy that allows traffic to the zone where the tunnel interface exists? 
  8. Is the remote gateway reachable?
    • Yes - Continue with Step 9
    • No   - If the remote gateway is not reachable, check the route.  If the route is in place, check for connectivity between the gateways, and check whether the IKE traffic (UDP 500, and UDP 4500 when NAT-Traversal is in use) is being blocked in between them.
  9. Collect data and contact support. For assistance with collecting information, refer to KB9229 - What information should I collect for a Site-to-Site VPN that won’t come up?   When the data has been collected, open a Service Request online via the Service Request Manager OR by Contacting Support.
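The checks in steps 2 and 4 through 8 can also be run from the ScreenOS CLI rather than the WebUI. The walkthrough below is an added example and is not part of the original article. The interface names (ethernet0/1, tunnel.1), the zone names (trust, untrust), the VPN and gateway names (to-branch, branch-gw, branch-gw2), the policy IDs (10, 1), the pre-shared key placeholder and the addresses (10.2.0.0/16 for the remote LAN, 198.51.100.2 for the remote gateway) are all constructed placeholders; substitute the values from your own configuration. Lines beginning with # are annotations for the reader, not CLI input, and no command output is shown because it varies by release and configuration.

```screenos
# Step 4 (route-based): does a route for the remote network point at the tunnel interface?
get route ip 10.2.0.1
# The matching route must list tunnel.1 as its interface. If there is no such route, add one:
set route 10.2.0.0/16 interface tunnel.1

# Step 5: is tunnel.1 bound to the AutoKey IKE for this VPN, and to only that VPN?
get interface tunnel.1
get vpn
# 'get vpn' lists each VPN with its bound interface. If to-branch is not bound to tunnel.1:
set vpn to-branch bind interface tunnel.1

# Step 6: does the IKE gateway use the interface that actually reaches the peer?
get ike gateway branch-gw
get route ip 198.51.100.2
# The interface returned by the route lookup must match the gateway's outgoing-interface.
# That setting cannot be changed in place: create a new gateway on the right interface
# and re-point the VPN at it (this mirrors the 'No' branch of step 6).
set ike gateway branch-gw2 address 198.51.100.2 outgoing-interface ethernet0/1 preshare PLACEHOLDER_PRESHARED_KEY sec-level standard
set vpn to-branch gateway branch-gw2 sec-level standard

# Step 7: is there a policy from the source zone to the zone that holds tunnel.1?
# 'get interface tunnel.1' above shows the zone; here it is assumed to be untrust.
get policy from trust to untrust

# Step 8: is the remote gateway reachable, sourced from the outgoing interface?
ping 198.51.100.2 from ethernet0/1

# Step 2 (policy-based VPN only): move the VPN policy above the general outbound policy,
# so the tunnel policy (ID 10 here) is matched before the plain permit (ID 1).
get policy
set policy move 10 before 1

# After each change, send traffic through the tunnel and re-check Phase 1/2 state and the log.
get sa
get event | include IKE
```

Note that `get route ip` is the quickest way to confirm both the tunnel route (step 4) and the outgoing interface for the peer (step 6), because it shows which interface the firewall would actually use for that destination; if the two lookups disagree with the VPN's bound interface or the gateway's outgoing-interface, the IKE packets are never built, which is exactly why the event log stays empty.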
Modification History:
2019-05-22: Content reviewed for accuracy