[ScreenOS] How to troubleshoot a VPN tunnel that is going up and down

[KB9488]


Summary:

This article will help you determine the reason why your VPN Tunnel between two VPN devices is going up and down. Follow the steps until the problem is resolved or a case needs to be opened with JTAC (Juniper Technical Assistance Center). 

This article is part of the troubleshooting guide: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.


Symptoms:

I have a LAN-to-LAN VPN tunnel or a Dial-up VPN that is going up and down.  How do I troubleshoot it?

 

Cause:

Solution:

To view the flowchart for the steps listed below, select this link:  KB9488 Flowchart

Use the following steps to assist with resolving a VPN Tunnel that is going Up and Down.

Step 1.  Is the alarm event log reporting that the VPN is going up and down repeatedly?  (From the WebUI, view 'The most recent alarms' box on the Home page, or from the CLI enter the command 'get alarm event | inc vpn'. Below is a sample alarm event.)

2007-01-18 14:33:49 crit VPN 'jnpr' from 192.127.94.72 is up.
2007-01-18 14:33:48 crit VPN 'jnpr' from 192.127.94.72 is down.
2007-01-18 13:03:59 crit VPN 'jnpr' from 192.127.94.72 is up.
2007-01-18 13:03:38 crit VPN 'jnpr' from 192.127.94.72 is down.
  • Yes - Continue with Step 2.
  • No messages, but the VPN is going Up/Down  - Jump to Step 6.
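The alarm lines above are enough to measure how often and for how long the tunnel drops, which is what you need before deciding between Step 2 and Step 6. The following is an added example (not from the KB article or from ScreenOS itself) that parses the 'get alarm event | inc vpn' output shown above, pairs each 'down' with the next 'up' for the same VPN to get outage durations, and flags a VPN as flapping when it changes state at least four times inside a two-hour window. The sample text, the window and the threshold are constructed for illustration; adjust the threshold to whatever your environment treats as abnormal.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four alarm lines from the KB article, in the order
# ScreenOS prints them (newest first).
SAMPLE_ALARMS = """\
2007-01-18 14:33:49 crit VPN 'jnpr' from 192.127.94.72 is up.
2007-01-18 14:33:48 crit VPN 'jnpr' from 192.127.94.72 is down.
2007-01-18 13:03:59 crit VPN 'jnpr' from 192.127.94.72 is up.
2007-01-18 13:03:38 crit VPN 'jnpr' from 192.127.94.72 is down.
"""

# One alarm line: timestamp, severity, VPN name, peer address, state.
ALARM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sev>\S+) VPN '(?P<vpn>[^']+)' from (?P<peer>\S+) is (?P<state>up|down)\.$"
)


def parse_alarms(text):
    """Return VPN alarm events as dicts, oldest first. Non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALARM_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "vpn": m["vpn"],
            "peer": m["peer"],
            "state": m["state"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def outages(events):
    """Pair each 'down' with the next 'up' of the same VPN.

    Returns {vpn_name: [outage_seconds, ...]} in chronological order. A 'down'
    with no later 'up' (tunnel still down at the end of the log) is not counted.
    """
    pending = {}  # vpn -> timestamp of the unmatched 'down'
    result = {}
    for e in events:
        if e["state"] == "down":
            pending[e["vpn"]] = e["ts"]
        elif e["vpn"] in pending:
            down_at = pending.pop(e["vpn"])
            result.setdefault(e["vpn"], []).append((e["ts"] - down_at).total_seconds())
    return result


def flapping_vpns(events, window=timedelta(hours=2), min_transitions=4):
    """Names of VPNs with at least min_transitions state changes inside any sliding window."""
    by_vpn = {}
    for e in events:
        by_vpn.setdefault(e["vpn"], []).append(e["ts"])
    flapping = set()
    for vpn, stamps in by_vpn.items():  # stamps are already ascending
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_transitions:
                flapping.add(vpn)
                break
    return sorted(flapping)


if __name__ == "__main__":
    evts = parse_alarms(SAMPLE_ALARMS)
    for vpn, secs in outages(evts).items():
        print(f"{vpn}: {len(secs)} outages, durations (s): {secs}")
    print("flapping:", flapping_vpns(evts))
```

Paste the real 'get alarm event | inc vpn' output in place of SAMPLE_ALARMS. Very short outages (a second or two, as in the sample) with a regular spacing usually point at the VPN Monitor checks covered in Steps 3 to 5, while a single long outage that coincides with a known change points at Step 6.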

Step 2. Does the issue affect All configured VPNs or One?

  • All VPNs - Investigate for errors associated with the Internet connection and on the firewall and switch interfaces.  To check for errors on the firewall interface:
    • From the WebUI: view Reports > Counters > Hardware and select the interface associated with the VPN.
    • From the CLI: enter the command 'get counter stat interface <interface>', specifying the interface associated with the VPN.
    For assistance, consult KB5347 - Troubleshooting Ethernet and Fragmentation Issues.
  • One VPN  - Continue with Step 3.

Step 3.  Is the VPN Monitor 'Optimized' feature enabled for this VPN?  For assistance, see KB9522 - How do you enable the Optimized feature of VPN Monitor and what does it do?

  • Yes - Continue with Step 4.
  • No   - Enable the VPN Monitor 'Optimized' setting and test the VPN connection again.

Step 4.  Temporarily disable VPN Monitor to see if the VPN stays up and data passes through the VPN.  (From the WebUI, uncheck the VPN Monitor box; from the CLI, run 'unset vpn <vpn> monitor' for the VPN in question.)

Is the VPN stable now?

  • Yes - The instability is related to the VPN Monitor configuration.  Confirm that the ISP is not blocking ESP traffic, then continue with Step 5.
  • No   - Jump to Step 8.

Step 5.  Is the remote VPN connection a non-Juniper Firewall device or is the remote VPN device configured to block ICMP Echo Requests?

Step 6. Was the VPN stable for a period of time and now it is going up and down?

  • Yes - Investigate for network or device changes, or whether any new network equipment has been added to the environment. If so, confirm that the changes/additions are correct.  If the VPN is still unstable, continue with Step 7.
  • No   - Continue with Step 7.

Step 7. Is the firewall running a version of ScreenOS prior to ScreenOS 5.x?

  • Yes - Disable VPN Monitor or upgrade to a ScreenOS 5.x version. The VPN Monitor feature in ScreenOS 5.x uses ICMP and is designed to work with third-party VPN devices and NetScreen-Remote. Earlier ScreenOS versions used a proprietary implementation of VPN Monitor.
  • No   - Continue with Step 8.

Step 8. Collect Site-to-Site logs from the units at both ends of the VPN and open a case with JTAC - Juniper Technical Assistance Center. For assistance, see KB9229 - How to Collect Logs for a Failing Site-to-Site VPN and Open a New Case.
