How do I troubleshoot a Site-to-Site VPN where the SA is Up but the status is Down, and traffic does not pass through the tunnel?
This article is part of the troubleshooting guide: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.
To view the flowchart for the steps listed below, select this link: KB9520 Flowchart
Use the following steps to troubleshoot a VPN Tunnel in which the SA is Active but the status is Down:
1. Is this a Site-to-Site (or LAN-to-LAN) VPN? A Site-to-Site VPN is one between two Juniper Firewalls, or between a Juniper Firewall and an OEM VPN device. It is not a VPN between the Juniper Firewall and a client device running VPN software.
2. Is the VPN Tunnel's SA (Security Association) Active and the Link Status Down? For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?
3. Is the VPN Monitor 'Optimized' feature enabled for this VPN? For assistance, see KB9522 - How do you enable the Optimized feature of VPN Monitor and what does it do?
   - Yes - Continue with Step 4.
   - No - Enable the VPN Monitor 'Optimize' setting and test the VPN connection again.
4. Temporarily disable VPN Monitor to further troubleshoot the issue. (From the WebUI, uncheck the VPN Monitor box; from the CLI, unset the vpn monitor command for the VPN in question, i.e. unset vpn <vpn> monitor.) Continue with Step 5.
5. With VPN Monitor disabled, is the policy passing data? For assistance with enabling logging, consult KB4214 - Configuring the Netscreen Traffic Log.
6. Is the remote VPN device a non-Juniper Firewall, or is the remote VPN device configured to block ICMP Echo Requests?
7. Collect logs and open a case with JTAC - Juniper Technical Assistance Center. For assistance, see KB9229 - What information should I collect for a Site-to-Site VPN that is Up, but will not pass traffic?
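As an added example that is not part of this KB, the helper below picks out the Step 2 condition (SA Active, link status Down, shown as "A/D" in the Sta column) from `get sa` output, so that it can be told apart from an unmonitored SA ("A/-") and from an inactive one ("I/I"). The sample output is constructed, and the column layout the regex assumes should be checked against the actual output of your firewall's ScreenOS release.

```python
import re
from typing import Dict, List

# Constructed sample of "get sa" output (gateways use documentation addresses).
# The column order is an assumption; adjust SA_LINE if your release differs.
SAMPLE_GET_SA = """\
Total active sa: 2
total configured sa: 3
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001< 203.0.113.10    500 esp:3des/sha1 12345678  3600 unlim A/D    -1 0
00000001> 203.0.113.10    500 esp:3des/sha1 87654321  3600 unlim A/D    -1 0
00000002< 198.51.100.20   500 esp:aes128/sha1 0badcafe 3600 unlim A/U    -1 0
00000002> 198.51.100.20   500 esp:aes128/sha1 0badcafe 3600 unlim A/U    -1 0
00000003< 192.0.2.30      500 esp:3des/md5  0000000a  3600 unlim I/I    -1 0
00000003> 192.0.2.30      500 esp:3des/md5  0000000a  3600 unlim I/I    -1 0
"""

# One SA row: hex id, direction, gateway, port, algorithm, SPI, lifetime (sec, kb), Sta.
SA_LINE = re.compile(
    r"^(?P<id>[0-9a-fA-F]+)(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+\S+\s+\S+\s+"
    r"(?P<sa>[AI])/(?P<link>[UD\-I])\s"
)

def parse_get_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA row; header and summary lines do not match and are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := SA_LINE.match(line))]

def classify(entry: Dict[str, str]) -> str:
    """Map the Sta column to the state the troubleshooting steps care about."""
    sa, link = entry["sa"], entry["link"]
    if sa == "I":
        return "inactive"           # Phase 2 SA not established; not this KB's case
    if link == "U":
        return "active-up"          # SA Active and VPN Monitor reaches the peer
    if link == "D":
        return "active-down"        # the condition this KB troubleshoots
    return "active-unmonitored"     # A/-: VPN Monitor not enabled, so no link state

def find_active_down(text: str) -> List[str]:
    """Gateways whose SA is Active but link status is Down (one entry per gateway)."""
    gateways: List[str] = []
    for entry in parse_get_sa(text):
        if classify(entry) == "active-down" and entry["gw"] not in gateways:
            gateways.append(entry["gw"])
    return gateways

if __name__ == "__main__":
    print("SA Active but status Down:", find_active_down(SAMPLE_GET_SA))
```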