
[SRX] Route-based VPN is up, but not passing traffic. Is a route missing?



Article ID: KB10107 | KB Last Updated: 06 May 2021 | Version: 7.0

A route-based, site-to-site VPN is up on an SRX device, but it is not passing traffic. A route is needed to reach a remote network through the VPN via a secure tunnel (st0) interface.

Note: To confirm whether your VPN is up, consult: KB10090 - How do I tell if a VPN tunnel SA (Security Association) is active.



The routing table does not have a route to the remote network via the st0 interface.


When the route is in place, the show route <remote network> output contains a route for the remote network via the correct st0 interface:

root@CorporateOffice > show route
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

                   *[Static/5] 00:00:53
                    > via st0.0   <-------------------------------------------

Note: If you are using dynamic routing protocols, such as BGP or OSPF, then investigate why those routing protocols are not learning the route.



The example below shows how to add a route to the destination network via the secure tunnel (st0) interface.


Network Topology

  • Remote Office internal network address:

  • Corporate Office internal network address:


At the Corporate Office, a route to the remote network needs to be added via the st0 interface.

  1. Locate the correct st0 interface for the VPN:


root@CorporateOffice# show security ipsec vpn ike-vpn-remote-office

vpn ike-vpn-remote-office {
    bind-interface st0.0;  <----------------
    ike {
        gateway gw-remote-office;
        ipsec-policy ipsec-phase2-policy;


In the Corporate Office SRX device, navigate to Configure > Security Services > IPsec VPN > IPsec Phase II. Then locate the associated st0 tunnel in the Bind Interface column.

  2. Add the static route with the next-hop as the st0 interface (st0.0 for this example) to route the packets destined for network via the VPN:


root@CorporateOffice# set routing-options static route next-hop st0.0


  1. In the Corporate Office SRX device, navigate to Configure > Network > Routing > Static Routing.

  2. If no route is shown with the next-hop as the st0 interface, then click Add.

  3. Enter the information below:

  • Static Route Address:

  • Below Next-Hop Addresses and next to the Add button, select interface name and choose st0.0 (you can type the interface name if it does not show st0).

  • Click OK to populate the Next-Hop Addresses field.

  4. Click Commit.
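The check described in this article can be automated offline against saved CLI output. The following is an added example, not part of the original article or Juniper's tooling: it reads the bind-interface from the VPN configuration, parses show route output, and uses longest-prefix match to report which interface a remote address would actually leave through. The function names and the sample addresses (documentation prefixes 192.0.2.0/24 and 203.0.113.0/24) are assumptions, constructed because the article's own addresses are not shown.

```python
import ipaddress
import re

# Constructed sample inputs (not from the article); prefixes are documentation ranges.
VPN_CONFIG = """\
vpn ike-vpn-remote-office {
    bind-interface st0.0;
}
"""
SHOW_ROUTE = """\
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 02:10:11
                    > to 203.0.113.1 via ge-0/0/0.0
192.0.2.0/24       *[Static/5] 00:00:53
                    > via st0.0
"""

def bind_interface(vpn_config, vpn_name):
    """Return the st0 unit bound to vpn_name, or None if not found."""
    m = re.search(r"^vpn\s+" + re.escape(vpn_name) + r"\s*\{(.*?)(?=^vpn\s|\Z)",
                  vpn_config, re.S | re.M)
    b = re.search(r"bind-interface\s+(st0\.\d+);", m.group(1)) if m else None
    return b.group(1) if b else None

def parse_routes(show_route):
    """Return [(network, egress interface)] for each selected (>) next hop."""
    routes, prefix = [], None
    for line in show_route.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s", line)
        if m:
            prefix = ipaddress.ip_network(m.group(1))
        hop = re.match(r"^\s+>\s.*?via\s+(\S+)", line)
        if hop and prefix is not None:
            routes.append((prefix, hop.group(1)))
    return routes

def egress_for(dest, routes):
    """Longest-prefix match: interface that traffic to dest would use, or None."""
    addr = ipaddress.ip_address(dest)
    matches = [(p, i) for p, i in routes if addr in p]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

def route_uses_tunnel(vpn_config, vpn_name, show_route, dest):
    """True only if dest is routed via the st0 unit bound to the named VPN."""
    tunnel = bind_interface(vpn_config, vpn_name)
    return tunnel is not None and egress_for(dest, parse_routes(show_route)) == tunnel
```

A False result with a non-st0 egress interface means traffic for the remote network is following another route (such as the default route) instead of the tunnel, which is the condition this article corrects.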


Modification History:
  • 2020-06-29: Removed reference to J-Series

  • 2021-05-06: J-Web instructions updated to indicate current UI navigation; other minor changes made to make article accurate and valid

