
[ScreenOS] How do I troubleshoot a Site-to-Site VPN where the SA is Up, but the status is Down?



Article ID: KB9520 KB Last Updated: 31 Mar 2020Version: 7.0

How do I troubleshoot a Site-to-Site VPN where the SA is Up, but the status is Down? Traffic does not pass through the tunnel.

This article is part of the troubleshooting guide: KB9221 - [ScreenOS] How to Troubleshoot a VPN Tunnel that won't come up.


Symptoms & Errors:

  • Traffic is not passing through the tunnel.
  • The tunnel's SA is Active, but the status is Down.

To view the flowchart for the steps listed below, select this link:  KB9520 Flowchart

Use the following steps to troubleshoot a VPN Tunnel in which the SA is Active but the status is Down:

Step 1.  Is this a Site-to-Site (or LAN-to-LAN) VPN?  A Site-to-Site VPN is one that is between two Juniper Firewalls or a Juniper Firewall and an OEM VPN device.  It is not a VPN between the Juniper Firewall and a client device running VPN software.

Step 2.  Is the VPN Tunnel's SA (Security Association) Active while the Link Status is Down?  For assistance, see KB6134 - How do I tell if a VPN Tunnel SA (Security Association) is active?

Step 3.  Is the VPN Monitor 'Optimized' feature enabled for this VPN?  For assistance, see KB9522 - How do you enable the Optimized feature of VPN Monitor and what does it do?

  • Yes - Continue with Step 4.
  • No   - Enable the VPN Monitor 'Optimized' setting and test the VPN connection again.

Step 4.  Temporarily disable VPN Monitor to further troubleshoot the issue. (From the WebUI, uncheck the VPN Monitor box; from the CLI, run the unset vpn monitor command for the VPN in question, i.e. unset vpn <vpn> monitor.)  Continue with Step 5.

Step 5.  With VPN Monitor disabled, is the policy passing data?  For assistance with enabling logging, see KB4214 - Configuring the Netscreen Traffic Log.

Step 6.  Is the remote VPN connection a non-Juniper Firewall device or is the remote VPN device configured to block ICMP Echo Requests?

Step 7.  Collect logs and open a case with JTAC - Juniper Technical Assistance Center.  For assistance, see KB9229 - What Information should I collect for a Site-to-Site VPN that is Up, but will not pass traffic?
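As an added example (not part of this KB article), the following Python script triages a saved "get sa" listing against the steps above: tunnels whose SA is Active but whose link status is Down are the ones this procedure applies to. The column layout and the Sta values (A/U, A/D, I/I) are assumptions for the constructed sample, not output captured from a device.

```python
import re

# Constructed sample of ScreenOS "get sa" output. The column layout and the
# "Sta" values (A/U active-up, A/D active-down, I/I inactive) are assumptions
# for this example; it is not output captured from a real firewall.
SAMPLE_GET_SA = """\
total configured sa: 3
HEX ID    Gateway         Port Algorithm       SPI      Life:sec kb Sta   PID vsys
00000001< 203.0.113.10     500 esp:3des/sha1   6f1a2b3c 3180 unlim A/U    -1 0
00000001> 203.0.113.10     500 esp:3des/sha1   7c4d5e6f 3180 unlim A/U    -1 0
00000002< 198.51.100.20    500 esp:aes128/sha1 1a2b3c4d 2290 unlim A/D    -1 0
00000002> 198.51.100.20    500 esp:aes128/sha1 5e6f7a8b 2290 unlim A/D    -1 0
00000003< 192.0.2.30       500 esp:3des/md5    00000000    0 unlim I/I    -1 0
00000003> 192.0.2.30       500 esp:3des/md5    00000000    0 unlim I/I    -1 0
"""

# One SA row: hex id, direction marker, gateway, then the Sta column as <sa>/<link>.
SA_ROW = re.compile(
    r"^(?P<id>[0-9a-fA-F]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+.*?\s(?P<sa>[AI])/(?P<link>[UDI])\s"
)

def parse_sa_table(text):
    """Return {(hex_id, gateway): (sa_state, link_state)} for every SA row.
    Inbound (<) and outbound (>) rows share an id and should agree; a
    disagreement is recorded as ('mixed', 'mixed') so it is not silently ignored."""
    rows = {}
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue
        key = (m["id"], m["gw"])
        state = (m["sa"], m["link"])
        prev = rows.get(key)
        rows[key] = state if prev in (None, state) else ("mixed", "mixed")
    return rows

def next_step(sa_state, link_state):
    """Map an SA's Sta column onto the branch of this KB's procedure."""
    if (sa_state, link_state) == ("A", "U"):
        return "SA active and link up: this KB does not apply"
    if (sa_state, link_state) == ("A", "D"):
        return "SA active but link down: check VPN Monitor optimized (Step 3), then disable monitor (Step 4)"
    if sa_state == "I":
        return "SA inactive: tunnel never negotiated, follow KB9221"
    return "inconsistent inbound/outbound states: collect logs (Step 7)"

def tunnels_needing_step3(text):
    """Gateways whose SA is Active but link status is Down (this KB's symptom)."""
    return sorted(gw for (_, gw), st in parse_sa_table(text).items() if st == ("A", "D"))
```

Paste the real "get sa" output into SAMPLE_GET_SA (or read it from a file) and call tunnels_needing_step3 to get the list of peers to run Steps 3 and 4 against.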

Modification History:
2020-03-31: Removed link to an old KB article that no longer applies.
