
[ScreenOS] How to troubleshoot a VPN tunnel that is going up and down


Article ID: KB9488 | KB Last Updated: 14 Mar 2020 | Version: 12.0
Summary:

This article will help you determine why a VPN tunnel between two VPN devices is going up and down. Follow the steps until the problem is resolved or a case needs to be opened with JTAC (Juniper Technical Assistance Center).

This article is part of the troubleshooting guide: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.

Symptoms:

I have a LAN-to-LAN VPN tunnel or a Dial-up VPN that is going up and down.  How do I troubleshoot it?


Solution:

To view the flowchart for the steps listed below, select this link:  KB9488 Flowchart

Use the following steps to assist with resolving a VPN Tunnel that is going Up and Down.

Step 1.  Is the alarm event log reporting that the VPN is going up and down repeatedly?   (From the WebUI, view the 'The most recent alarms' box on the Home page, or from the CLI enter the command 'get alarm event | inc vpn'. Below is a sample of alarm events.)

2007-01-18 14:33:49 crit VPN 'jnpr' from 192.127.94.72 is up.
2007-01-18 14:33:48 crit VPN 'jnpr' from 192.127.94.72 is down.
2007-01-18 13:03:59 crit VPN 'jnpr' from 192.127.94.72 is up.
2007-01-18 13:03:38 crit VPN 'jnpr' from 192.127.94.72 is down.
  • Yes - Continue with Step 2.
  • No messages, but the VPN is going Up/Down  - Jump to Step 6.

Step 2. Does the issue affect All configured VPNs or One?

  • All VPNs - Investigate for errors associated with the Internet connection and on the firewall and switch interfaces.  To check for errors on the firewall interface:
    • From the WebUI: view Reports > Counters > Hardware and select the interface associated with the VPN.
    • From the CLI: enter the command 'get counter stat interface <interface>', specifying the interface associated with the VPN.
    For assistance, consult KB5347 - Troubleshooting Ethernet and Fragmentation Issues.
  • One VPN  - Continue with Step 3.

Step 3.  Is the VPN Monitor 'Optimized' feature enabled for this VPN?  For assistance, see KB9522 - How do you enable the Optimized feature of VPN Monitor and what does it do?

  • Yes - Continue with Step 4.
  • No   - Enable the VPN Monitor 'Optimized' setting and test the VPN connection again.

Step 4.  Temporarily disable VPN Monitor to see if the VPN stays up and data passes through the VPN.  (From the WebUI, uncheck the VPN Monitor box; from the CLI, enter 'unset vpn <vpn> monitor' for the VPN in question.)

Is the VPN stable now?

  • Yes - The instability is related to the VPN Monitor configuration.  Confirm that the ISP is not blocking ESP traffic, then continue with Step 5.
  • No   - Jump to Step 8.

Step 5.  Is the remote VPN connection a non-Juniper Firewall device or is the remote VPN device configured to block ICMP Echo Requests?

Step 6. Was the VPN stable for a period of time and now it is going up and down?

  • Yes - Investigate whether any network or device changes were made, or whether any new network equipment has been added to the environment. If so, confirm that the changes/additions are correct.  If the VPN is still unstable, continue with Step 7.
  • No   - Continue with Step 7.

Step 7. Is the firewall running a version of ScreenOS prior to ScreenOS 5.x?

  • Yes - Disable VPN Monitor or upgrade to a ScreenOS 5.x version. The VPN Monitor feature in ScreenOS 5.x uses ICMP.  It is designed to work with third-party VPN devices and NetScreen Remote. Earlier ScreenOS versions used a proprietary implementation of VPN Monitor.
  • No  -  Continue with Step 8.

Step 8. Collect Site-to-Site logs from the units at both ends of the VPN and open a case with JTAC - Juniper Technical Assistance Center. For assistance, see KB9229 - How to Collect Logs for a Failing Site-to-Site VPN and Open a New Case.
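To make Step 1 (and the "was it stable before" question in Step 6) easier to answer on a long alarm log, the following is an added Python example, not part of this KB or of ScreenOS, that parses 'get alarm event | inc vpn' output into per-VPN down counts, outage lengths and a flapping verdict. The alarm lines and the second VPN name are constructed sample data modelled on the output shown in Step 1; the flap threshold (two or more down events) is an assumption.

```python
import re
from datetime import datetime

# Constructed sample output of 'get alarm event | inc vpn' (newest first),
# modelled on the alarm lines shown in Step 1 of this article.
SAMPLE_ALARMS = """\
2007-01-18 14:33:49 crit VPN 'jnpr' from 192.127.94.72 is up.
2007-01-18 14:33:48 crit VPN 'jnpr' from 192.127.94.72 is down.
2007-01-18 13:03:59 crit VPN 'jnpr' from 192.127.94.72 is up.
2007-01-18 13:03:38 crit VPN 'jnpr' from 192.127.94.72 is down.
2007-01-18 09:12:10 crit VPN 'branch2' from 192.127.94.80 is up.
"""

# Matches: <date> <time> <severity> VPN '<name>' from <peer> is up|down.
ALARM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ VPN '(?P<vpn>[^']+)' "
    r"from (?P<peer>\S+) is (?P<state>up|down)\.$"
)

def parse_alarms(text):
    """Return (timestamp, vpn, peer, state) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = ALARM_RE.match(line.strip())
        if m:  # lines that are not VPN up/down alarms are ignored
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["vpn"], m["peer"], m["state"]))
    events.sort(key=lambda e: e[0])  # the CLI prints newest first
    return events

def flap_report(text, min_down_events=2):
    """Per (vpn, peer): down/up counts, outage lengths in seconds, flapping flag."""
    report, pending_down = {}, {}
    for ts, vpn, peer, state in parse_alarms(text):
        key = (vpn, peer)
        entry = report.setdefault(key, {"downs": 0, "ups": 0, "outages_s": []})
        if state == "down":
            entry["downs"] += 1
            pending_down[key] = ts
        else:
            entry["ups"] += 1
            if key in pending_down:  # close the outage opened by the last 'down'
                entry["outages_s"].append(int((ts - pending_down.pop(key)).total_seconds()))
    for entry in report.values():
        entry["flapping"] = entry["downs"] >= min_down_events
    return report

if __name__ == "__main__":
    for (vpn, peer), e in flap_report(SAMPLE_ALARMS).items():
        print(f"{vpn} ({peer}): downs={e['downs']} outages_s={e['outages_s']} flapping={e['flapping']}")
```

Paste the real 'get alarm event | inc vpn' output in place of SAMPLE_ALARMS; a VPN with repeated short outages is flapping and belongs in Step 2, while one with no down events at all points to Step 6.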

Modification History:

2020-03-13: Article reviewed for accuracy. No changes made. Article is correct and complete.
