Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up

0

0

Article ID: KB9221 KB Last Updated: 29 Jul 2020Version: 18.0
Summary:

This article will help determine the reason a VPN won't become active and establish a Tunnel between two VPN devices. Follow the steps until the problem is resolved or a case needs to be opened with JTAC (Juniper Technical Assistance Center). 

Symptoms:

How to troubleshoot a VPN that won't come up

Scenarios:

  • A new LAN-to-LAN VPN tunnel between two NetScreen firewalls is not working

  • A new LAN-to-LAN VPN tunnel between a NetScreen and an OEM VPN device is not working.

  • An existing LAN-to-LAN VPN tunnel that was working until a change was made.

To see an overview of all VPN Resolution Guides: Firewall VPN Configuration & Troubleshooting Resolution Guides

Solution:

To view the flowchart for the steps listed below, select: KB9221 Flowchart

Use the following steps to assist with resolving a VPN Tunnel that will not come active:

  1. Is the VPN Tunnel's SA Active? For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?

  2. Are there any IKE Phase 1 or 2 messages on the Responder VPN Firewall? 

    Check the responder firewall for IKE Phase 1 or Phase 2 messages received from the initiating firewall.  The responder is the "receiver" side of the VPN that is being pinged, receiving the tunnel set up requests, or receiving the tunneled traffic. The initiator is the side of the VPN from which the ping or traffic is generated.  For assistance, see KB4426 - How do I Find the VPN Entry in the Event Log?
    • Yes - Jump to Step 5.
    • No   - If there are no IKE Phase 1 or 2 messages in the event logs for this tunnel, go to the other VPN device (the initiator) and determine if there are any IKE Phase 1 or 2 messages in its event logs.  Continue with Step 4.
  3. Are there any IKE Phase 1 or 2 messages in the Initiating VPN Firewall?

  4. Are there any IKE Phase 2 error messages for this VPN Tunnel in the Event Logs?

  5. Are there any IKE Phase 1 error messages for this VPN Tunnel in the Event Logs?

  6. Collect Site-to-Site logs from the units at both ends of the VPN and open a case with JTAC - Juniper Technical Assistance Center. For assistance, see KB9229 - How to Collect Logs for a Failing Site-to-Site VPN and Open a New Case.

Modification History:
2020-07-29: Minor, non-technical edits.
2020-01-29: Article reviewed for relevance and accuracy; references to NetScreen Remote removed
2019-07-04: Article reviewed for accuracy and validity; article found to be relevant and up-to-date

 

Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search