
[SRX] How to troubleshoot a VPN tunnel that is going up and down


Article ID: KB10096   Last Updated: 28 Dec 2020   Version: 11.0
Summary:
 

This article will help you determine the reason the VPN tunnel between two VPN devices is going up and down. Follow the steps given in the article until the problem is resolved or a case needs to be opened with your technical support representative.

This article is part of the troubleshooting guide: KB10100 - [SRX] Resolution Guide - How to troubleshoot Problem Scenarios in VPN tunnels.

 

Symptoms:
 

I have a site-to-site VPN tunnel or a remote IPsec VPN that is going up and down. How do I troubleshoot it?

 

Solution:
 

Use the following steps to assist with resolving a VPN tunnel that is going up and down.

Note: If your VPN is down, then go to KB10100 - [SRX] Resolution Guide - How to troubleshoot Problem Scenarios in VPN tunnels. If your VPN is going up and down, then proceed with the following steps.

  1. Does the issue affect one VPN or all configured VPNs?

  • One VPN - Continue with Step 2.

  • All VPNs - Investigate for errors associated with the Internet connection and on the firewall and switch interfaces. To check for errors on the firewall interface, run the command:

> show interfaces extensive

  2. Are there system logs reporting that the VPN is flapping or unstable?

Run the operational command:  > show log messages

Note: Info level logging is necessary for proper message reporting. Use the following command:

# set system syslog file messages any info
# commit 

Below are examples of system logs showing a VPN tunnel that is reporting up and down status:

VPN Up/Down events

Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:09:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:10:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4

Unstable VPN Behavior (VPN constantly rebuilding)

Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0xfd91b643, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xbdec9669, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x69b34ae4, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x6f55d8ea, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x6fa6b0b3, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xa66ac906, AUX-SPI: 0, Mode: Tunnel, Type: dynamic 
  • Yes - Continue with Step 3.

  • No - The VPN is still going up and down; jump to Step 8.
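The two log patterns above (KMD_VPN_DOWN/UP alarms and SAs that are re-established every minute) can be checked mechanically. The following Python script is an added example, not part of this article or of Junos: it reads kmd messages as printed by show log messages, flags a VPN whose DOWN alarms repeat inside a 10-minute window, and flags a peer whose inbound SAs get fresh SPIs every few minutes. The sample lines are constructed and abridged from the messages shown above, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample, abridged from the messages in this article (hypothetical addresses); outbound SA lines omitted.
SAMPLE_LOG = """\
Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Direction: inbound, SPI: 0xfd91b643, AUX-SPI: 0, Mode: Tunnel
Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Direction: inbound, SPI: 0x69b34ae4, AUX-SPI: 0, Mode: Tunnel
Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Direction: inbound, SPI: 0x6fa6b0b3, AUX-SPI: 0, Mode: Tunnel
Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073
Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073
Jul 9 21:09:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073
Jul 9 21:10:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073
"""

def parse_line(line):
    # (timestamp, KMD event tag) for a kmd syslog line; None for any other line.
    m = re.match(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) .*?(KMD_[A-Z_]+):", line)
    if not m:
        return None
    mon, day, hms, event = m.groups()  # syslog omits the year; a leap year is used so "Feb 29" still parses
    return datetime.strptime(f"2000 {mon} {day} {hms}", "%Y %b %d %H:%M:%S"), event

def field(line, name):
    # Value of 'name: value' in the comma-separated body; the lookbehind keeps 'SPI' from matching 'AUX-SPI'.
    m = re.search(rf"(?<![\w-]){re.escape(name)}: ([^,]+)", line)
    return m.group(1).strip() if m else None

def flap_report(log_text, window=timedelta(minutes=10), rebuild_interval=timedelta(minutes=5)):
    """Flag VPNs with repeated DOWN alarms and peers whose IPsec SAs keep being re-established (log assumed chronological)."""
    downs, inbound_sas = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if (parsed := parse_line(line)) is None:
            continue
        ts, event = parsed
        if event == "KMD_VPN_DOWN_ALARM_USER":
            downs[field(line, "vpn name")].append(ts)
        elif event == "KMD_PM_SA_ESTABLISHED" and field(line, "Direction") == "inbound":
            inbound_sas[field(line, "Remote gateway")].append((ts, field(line, "SPI")))
    report = {"flapping": {}, "rebuilding": {}}
    for vpn, times in downs.items():
        # Largest count of DOWN alarms inside any one `window`; more than one means the tunnel is flapping.
        worst = max(sum(1 for t in times if t0 <= t <= t0 + window) for t0 in times)
        if worst > 1:
            report["flapping"][vpn] = worst
    for gateway, sas in inbound_sas.items():
        gaps = [later - earlier for (earlier, _), (later, _) in zip(sas, sas[1:])]
        # Rekeys normally arrive hours apart (SA lifetime); three or more fresh SPIs a few minutes apart is a rebuild loop.
        if len({spi for _, spi in sas}) >= 3 and max(gaps) <= rebuild_interval:
            report["rebuilding"][gateway] = len(sas)
    return report
```

Feed it the saved output of show log messages and, for a tunnel that is only rebuilding, expect the rebuilding entry without a flapping entry, which is the "No" branch of this step.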

  3. Was the VPN stable for a period of time and is it now going up and down?

  • Yes - Investigate for network or device changes, or whether any new network equipment has been added to the environment. If so, confirm that the changes/additions are correct.

  • No - Continue with Step 4.

  4. Is the route towards the remote gateway pointing to the st0 tunnel interface? (If the peer's address is reached through the tunnel itself, IKE traffic to the peer is sent into the tunnel and the tunnel collapses. Check with: > show route <gateway_ip>)

  • Yes - Remove the route towards the gateway pointing to st0.

  • No - Continue to Step 5.

  5. Is VPN Monitor enabled for this VPN? For assistance, consult KB10118 - How do you enable the Optimized feature of VPN Monitor and what does it do?

  • Yes - Continue with Step 6.

  • No - Jump to Step 8.

  6. Temporarily disable VPN Monitor. Is the VPN stable?

Run the following commands:

# deactivate security ipsec vpn <vpn_name> vpn-monitor
# commit
  • Yes - The instability is related to the VPN Monitor configuration. Continue with Step 7.

  • No - Jump to Step 8.

  7. Is the remote VPN connection configured to block ICMP Echo Requests? (VPN Monitor sends ICMP echo requests through the tunnel; if the peer drops them, the monitor declares the tunnel down and tears it down.)

  8. Is the remote VPN connection a non-Juniper device?

  • Yes - Verify the use of proxy-id/traffic selectors on the SRX and peer VPN devices.

Consult: Understanding how Proxy-IDs (traffic selectors) are generated in Route and Policy Based VPNs.

  • No - Continue with Step 9.

  9. Collect site-to-site logs from the VPN devices at both ends and open a case with your technical support representative.

Consult: KB21781 - [SRX] Data Collection Checklist. See the IPsec VPN Policy-based or Route-based sections.

 

Modification History:
  • 2020-12-28: Updated article to be current and accurate

  • 2020-07-31: Fixed broken link.

  • 2020-06-27: Article reviewed for accuracy; no changes required.
