Knowledge Search


×
 

[ScreenOS] How to Troubleshoot a VPN that is up, but, is not Passing Traffic

  [KB9276] Show Article Properties


Summary:

Although the VPN tunnel status is up, several factors can prevent traffic from passing through the tunnel.  This article will help identify what might be preventing the data from passing across the VPN.

This article is part of the troubleshooting guide: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.


Symptoms:
The VPN appears to be up, but it is not passing traffic in one or both directions.
Cause:

Solution:

To view the flowchart for the steps listed below, select this link:  KB9276 Flowchart

Use the following steps to troubleshoot a VPN Tunnel that is Up but not passing data:

Step 1  Is the VPN Tunnel's SA (Security Association) Active and the Link Status is Up?  For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?

 Step 2  Is traffic failing to pass in both or one direction? 

To confirm which direction the traffic is failing, try pinging from a device on one LAN to the Trust interface of the other LAN. Example:  Using the drawing below, from device 192.168.10.10 ping 192.168.20.10:

Then do the same from a device on the other side of the tunnel; from 192.168.20.20 ping 192.168.10.10.   Note which direction, if either, is successful and continue with Step 3.   

Step 3  Is this a Route-Based VPN or a Policy-Based VPN?  For assistance, see KB4124 - Policy-Based VPN vs. Route-Based VPN.

  • Route-Based VPN - Continue with Step 4
  • Policy-Based VPN - Jump to Step 8

Step 4  Perform this step from the firewall that is not passing traffic. Does a route exist to the Tunnel Interface?  For assistance, see KB6723 - How to Check if an IP is Reachable from the NetScreen.

Step 5  Is the outgoing  interface for the route the correct tunnel interface? The outgoing interface is the interface used to terminate the VPN tunnel on the local device.

  • Yes - Continue with Step 6.
  • No   - Change route to point to correct tunnel interface and test again.
    Example:  set vrouter trust-vr route 192.168.20.0/24 interface tunnel.1
Step 6  Is the Tunnel Interface bound to the correct VPN? 
  • Yes - Continue with Step 7.
  • No / Don't know  - Bind the tunnel interface to the AutoKey IKE for this tunnel. 
    Example: set vpn "vpn name" bind interface tunnel.1

    To do this through the WebUI:
    • Click on VPNs -> AutoKey IKE
    • Find the AutoKey IKE for the tunnel in question and click Edit.
    • Click on the Advanced button.
    • In the Bind to section, click on Tunnel Interface.
    • Use the pull down menu and select the Tunnel interface you created for this tunnel.
    • Click Return.  Click OK.

Step 7  Is there a policy that allows traffic to the zone where the tunnel interface exists?  For further assistance, see KB6551 - Is a policy needed for a Route-Based VPN? .

Step 8  For Policy-based VPN, is there a tunnel policy for the VPN?  Example: set policy from trust to untrust 192.168.10.0/24 192.168.20.0/24 Any tunnel vpn <vpn-name> permit

Step 9 Is the policy passing data? For assistance with enabling logging, consult: KB4214 - Configuring the Netscreen Traffic Log.

Step 10 Collect logs and open a case with JTAC - Juniper Technical Assistance Center.  For assistance, see KB9229 - What Information should I collect for a Site-to-Site VPN that is Up, but, will not pass traffic? or KB9395 - What Information Should Be Collected for a Dial-UP VPN That Won’t Come Up?

Related Links: