
[ScreenOS] How to troubleshoot a Policy that is not passing data?



Article ID: KB9490  KB Last Updated: 19 Dec 2017  Version: 6.0

The VPN is up, but the policy isn't passing data. What could be wrong?


The policy isn't passing data.


To view the flowchart for the steps listed below, select this link: KB9490 Flowchart

Use the following steps to troubleshoot a policy for a Site-to-Site VPN that is not passing data:

Step one: Does the Policy Log show bytes sent? For information on how to check the policy log, consult KB4260 - Viewing Policy Reports. If logging is not enabled, consult KB4214 - Configuring the NetScreen Traffic Log.

  • Yes - Continue with Step 2
  • No   - Skip to Step 3

Step two: Are the Source and/or Destination Address translations correct? For assistance, see KB9542 - How to Determine if the Source and Destination Address Translation is Correct.

  • Yes - Continue with Step 3
  • No   - Correct the address(es) and try to send data through the tunnel again

Step three: Is the Policy order correct? For assistance, consult KB6629 - How to change the order of the Policies and why it is important?

  • Yes - Continue with Step 4
  • No   - Correct the policy issue and try the VPN tunnel again

Step four: Are the addresses in the policy correct? Verify that the addresses are correct and that they have the correct subnet mask. If you are using Address Book entries, see KB4130 - How to configure a Policy for a VPN.

  • Yes - Continue with Step 5
  • No   - Correct the address(es) and try to send data through the tunnel again

Step five: Is the policy permitting the service(s)? For assistance in configuring either pre-defined or custom services in a policy, consult KB4271 - Creating a Policy Using a Custom Service.

  • Yes - Continue with Step 6
  • No   - Correct the policy issue and try the VPN tunnel again

Step six: Is the Address Book entry used in the policy correct? For assistance, consult KB9501 - How to Confirm the Address Book Entry is Correct.

  • Yes - Continue with Step 7
  • No   - Correct the address issue and try the VPN tunnel again

Step seven: Is the traffic reaching the Firewall device? For assistance, consult KB6723 - How to check if an IP is reachable from the NetScreen?, or use the trace-route CLI command (consult the CLI Reference guide for more information).

  • Yes - Continue with Step 8
  • No   - Correct the network issue and try the VPN tunnel again

Step eight: Collect logs and open a case with JTAC - Juniper Technical Assistance Center. For assistance, see KB9229 - What Information should I collect for a Site-to-Site VPN that is Up, but, will not pass traffic?
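
The checks in Steps 3 to 5 can be rehearsed offline before touching the device. The following is an added example, not Juniper code and not part of the original article: it assumes top-down, first-match policy evaluation, and the policy list, IDs, addresses and the `diagnose` helper are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    pid: int      # policy ID (constructed)
    src: str      # source address/mask as written in the policy
    dst: str      # destination address/mask as written in the policy
    service: str  # service name, or "ANY"
    action: str   # "tunnel", "permit" or "deny"

def addr_ok(p, src_ip, dst_ip):
    """Step 4: do the policy's addresses and masks cover this flow?"""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(p.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p.dst))

def svc_ok(p, service):
    """Step 5: does the policy name this service (or ANY)?"""
    return p.service in ("ANY", service)

def diagnose(policies, vpn_pid, src_ip, dst_ip, service):
    """Explain why a flow does or does not hit the intended VPN policy."""
    vpn = next(p for p in policies if p.pid == vpn_pid)
    if not addr_ok(vpn, src_ip, dst_ip):
        return "step 4: addresses or mask in policy %d do not cover the flow" % vpn_pid
    if not svc_ok(vpn, service):
        return "step 5: policy %d does not permit service %s" % (vpn_pid, service)
    # Step 3: the list is ordered; the first policy that matches wins.
    first = next(p for p in policies
                 if addr_ok(p, src_ip, dst_ip) and svc_ok(p, service))
    if first.pid != vpn_pid:
        return "step 3: policy %d (%s) is matched first and shadows policy %d" % (
            first.pid, first.action, vpn_pid)
    return "ok: flow hits policy %d" % vpn_pid

# Constructed sample: a broad deny sits above the VPN policy.
POLICIES = [
    Policy(1, "10.1.0.0/16", "0.0.0.0/0", "ANY", "deny"),
    Policy(2, "10.1.1.0/24", "10.2.0.0/24", "HTTP", "tunnel"),
]

if __name__ == "__main__":
    print(diagnose(POLICIES, 2, "10.1.1.10", "10.2.0.20", "HTTP"))  # order problem
    print(diagnose(POLICIES, 2, "10.1.1.10", "10.2.1.20", "HTTP"))  # mask too narrow
    print(diagnose(POLICIES, 2, "10.1.1.10", "10.2.0.20", "FTP"))   # service missing
```
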

Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.
