How do troubleshoot a Site-to-Site VPN where the SA is Up, but the status is Down.  Traffic does not pass through the tunnel.

This article is part of the troubleshooting guide: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.

Symptoms & Errors:

• Traffic is not passing through the tunnel.
• The tunnel's SA is Active, but the status is Down.

To view the flowchart for the steps listed below, select this link:  KB9520 Flowchart

Use the following steps to troubleshoot a VPN Tunnel in which the SA is Active but the status is Down:

  Is this a Site-to-Site (or LAN-to-LAN) VPN?  A Site-to-Site VPN is one that is between two Juniper Firewalls or a Juniper Firewall and an OEM VPN device.  It is not a VPN between the Juniper Firewall and a client device running VPN software. 

• Yes - Continue with Step 2.
• No   - See KB9224 - How to Troubleshoot a Dial-Up VPN that will not come active .

   Is the VPN Tunnel's SA (Security Association) Active and the Link Status is Down?  For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?

• The SA is active and the link status is Down - Continue with Step 3
• The SA is active and the link status is Up or the symbol " - " is displayed - Consult KB9276 - How to Troubleshoot a VPN that is up, but, is not Passing Traffic

  Is the VPN Monitor 'Optimized' feature enabled for this VPN?  For assistance, see KB9522 - How do you enable the Optimized feature of VPN Monitor and what does it do?.

• Yes - Continue with Step 4.
• No   - Enable the VPN Monitor 'Optimize' setting and test the VPN connection again.  

  Temporarily disable VPN Monitor to further troubleshoot the issue. (From the WebUI, uncheck the VPN Monitor box, or from the CLI, unset the vpn monitor command for the VPN in question, i.e. unset vpn <vpn> monitor.).  Continue with Step 5.

With VPN Monitor disabled, is the policy passing data? For assistance with enabling logging, consult: KB4214 - Configuring the Netscreen Traffic Log.

• Yes - Continue with Step 6
• No  - See KB9490 - How to troubleshoot a Policy that is not passing data

  Is the remote VPN connection a non-Juniper Firewall device or is the remote VPN device configured to block ICMP Echo Requests?

• Yes - Re-enable VPN Monitor and reconfigure VPN Monitor to use the Source interface and Destination IP options.  For assistance, see KB9503 - Configuring the Source Interface and Destination IP options of VPN Monitor.  
• No   - Continue with Step 7.

  Collect logs and open a case with JTAC - Juniper Technical Assistance Center.  For assistance, see KB9229 - What Information should I collect for a Site-to-Site VPN that is Up, but, will not pass traffic?