
[ScreenOS] How to Troubleshoot a VPN That Is Up but Is Not Passing Traffic



Article ID: KB9276 | KB Last Updated: 18 Mar 2020 | Version: 11.0

Although the VPN tunnel status is up, several factors can prevent traffic from passing through the tunnel.  This article will help identify what might be preventing the data from passing across the VPN.

This article is part of the troubleshooting guide: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.



The VPN appears to be up, but it is not passing traffic in one or both directions.



To view the flowchart for the steps listed below, select this link:  KB9276 Flowchart

Use the following steps to troubleshoot a VPN Tunnel that is Up but not passing data:

Step 1  Is the VPN tunnel's SA (Security Association) Active and is the Link Status Up?  For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?

Step 2  Is traffic failing to pass in both directions or in only one?

To confirm which direction the traffic is failing, try pinging from a device on one LAN to the Trust interface of the other LAN. Example:  Using the drawing below, from device ping

Then do the same from a device on the other side of the tunnel; from ping   Note which direction, if either, is successful and continue with Step 3.   

Step 3  Is this a Route-Based VPN or a Policy-Based VPN?  For assistance, see KB4124 - [ScreenOS] What is the difference between a Policy-based VPN and a Route-based VPN?

  • Route-Based VPN - Continue with Step 4
  • Policy-Based VPN - Jump to Step 8

Step 4  Perform this step from the firewall that is not passing traffic. Does a route exist to the Tunnel Interface?  For assistance, see KB6723 - [ScreenOS] How do I Check if an IP Address is reachable from the Juniper Firewall device?

Step 5  Is the outgoing interface for the route the correct tunnel interface? The outgoing interface is the interface used to terminate the VPN tunnel on the local device.

  • Yes - Continue with Step 6.
  • No  - Change the route to point to the correct tunnel interface and test again.
    Example:  set vrouter trust-vr route interface tunnel.1

Step 6  Is the Tunnel Interface bound to the correct VPN?

  • Yes - Continue with Step 7.
  • No / Don't know  - Bind the tunnel interface to the AutoKey IKE for this tunnel.
    Example: set vpn "vpn name" bind interface tunnel.1

    To do this through the WebUI:
    • Click on VPNs -> AutoKey IKE
    • Find the AutoKey IKE for the tunnel in question and click Edit.
    • Click on the Advanced button.
    • In the Bind to section, click on Tunnel Interface.
    • Use the pull down menu and select the Tunnel interface you created for this tunnel.
    • Click Return.  Click OK.

Step 7  Is there a policy that allows traffic to the zone where the tunnel interface exists?  For further assistance, see KB6551 - Is a policy required for a Route-Based VPN?

Step 8  For Policy-based VPN, is there a tunnel policy for the VPN?  Example: set policy from trust to untrust Any tunnel vpn <vpn-name> permit

Step 9 Is the policy passing data? For assistance with enabling logging, consult: KB4214 - Configuring the Juniper Firewall Traffic Log (Policy Log).

Step 10 Collect logs and open a case with JTAC - Juniper Technical Assistance Center.  For assistance, see KB9229 - [ScreenOS] What information should I collect for a Site-to-Site VPN that won't come up? or KB9395 - What Information Should Be Collected for a Dial-UP VPN That Won’t Come Up?
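
The checks in Steps 4 to 6 can also be run offline against a saved list of `set` commands. The script below is an added example, not part of the original article or Juniper's tooling. The sample configuration, the VPN name `to-branch` and all addresses are constructed, and the route command is assumed to carry a destination prefix before `interface`.

```python
import ipaddress
import re

# Constructed sample (not from the article): the route uses tunnel.2 while the
# VPN is bound to tunnel.1, the mismatch that Steps 5 and 6 are meant to catch.
SAMPLE_CONFIG = '''
set vpn "to-branch" bind interface tunnel.1
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.2
set vrouter trust-vr route 0.0.0.0/0 interface ethernet0/0
'''

ROUTE_RE = re.compile(r'^set vrouter "?([\w-]+)"? route (\S+) interface (\S+)')
BIND_RE = re.compile(r'^set vpn "([^"]+)" bind interface (\S+)')


def parse(config):
    """Return (routes, bindings) extracted from 'set' command lines."""
    routes, bindings = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(m.group(2), strict=False)
            routes.append((net, m.group(3)))
        elif m := BIND_RE.match(line):
            bindings[m.group(1)] = m.group(2)
    return routes, bindings


def check_route_based_vpn(config, remote_ip, vpn_name):
    """Walk Steps 4-6 for one remote address; return a list of findings."""
    routes, bindings = parse(config)
    dest = ipaddress.ip_address(remote_ip)
    # Step 4: does any route cover the remote address? Use the longest prefix.
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return ["step4: no route to %s" % remote_ip]
    net, out_if = max(matches, key=lambda r: r[0].prefixlen)
    findings = []
    # Step 5: the best route must leave through a tunnel interface.
    if not out_if.startswith("tunnel."):
        findings.append("step5: route %s exits %s, not a tunnel" % (net, out_if))
    # Step 6: that tunnel interface must be the one bound to the VPN.
    bound = bindings.get(vpn_name)
    if bound is None:
        findings.append("step6: vpn %r has no bound tunnel interface" % vpn_name)
    elif bound != out_if:
        findings.append("step6: vpn %r bound to %s, route uses %s"
                        % (vpn_name, bound, out_if))
    return findings
```

An empty list means the route and binding agree for that destination; policy checks (Steps 7 to 9) are outside what this script covers.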


Modification History:

2020-03-18: Minor grammatical corrections made; article checked for accuracy and found to be valid and relevant

