IPsec VPN User Guide
Troubleshoot a Flapping VPN Tunnel

30-Nov-23

Problem

Description

Site-to-site VPN tunnel or remote IPsec VPN tunnel flapping (that is, going up and down in quick succession).

Diagnosis

  1. Does the issue affect only one VPN?

    • Yes: Check the system logs and proceed to Step 2. Use the show log messages command to view the logs. The kmd messages shown below are logged at the info level, so the messages file must be configured to record info-level (or more verbose) messages or the VPN events will not appear:

      user@host# set system syslog file messages any info

      Here are examples of system logs reporting a flapping VPN tunnel:

      VPN up/down events:

      Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
      Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
      Jul 9 21:09:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
      Jul 9 21:10:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4

      Unstable VPN behavior (VPN constantly rebuilding):

      Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0xfd91b643, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
      Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xbdec9669, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
      Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x69b34ae4, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
      Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x6f55d8ea, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
      Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x6fa6b0b3, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
      Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xa66ac906, AUX-SPI: 0, Mode: Tunnel, Type: dynamic 
    • No: If all configured VPNs are affected, the cause is unlikely to be specific to one tunnel's configuration. Investigate errors on the Internet connection and on the SRX Series Firewall and switch interfaces (input and output errors, drops, carrier transitions). To check for errors on the SRX Series Firewall interfaces, run the show interfaces extensive command.

  2. Verify that VPN Monitor is enabled for this VPN by using the show configuration security ipsec vpn vpn-name command.

    Is VPN Monitor enabled?

    • Yes: Proceed to Step 3.

    • No: Proceed to Step 5.

  3. Disable VPN Monitor and check the VPN.

    user@host# deactivate security ipsec vpn vpn-name vpn-monitor
    user@host# commit

    Is the VPN stable?

    • Yes: The instability is related to the VPN Monitor configuration. Proceed to Step 4.

    • No: Proceed to Step 5.

  4. Is the remote VPN connection configured to block ICMP echo requests?

    • Yes: VPN Monitor sends ICMP echo requests through the tunnel and marks the VPN down when no replies arrive, so a peer that drops echo requests causes exactly this pattern even though IKE and IPsec negotiation are healthy. Reenable VPN Monitor and reconfigure it with the source-interface and destination-ip options so that the probes are sourced from an address the peer will route and sent to a host that answers them. See KB10119.

    • No: Proceed to Step 5.

  5. Is the remote device that is connected to the SRX Series Firewall a non-Juniper device?

    • Yes: Verify that the proxy IDs (the local and remote address and service selectors) configured on the SRX Series Firewall and on the peer VPN device mirror each other exactly. A mismatch is a common reason for a tunnel that is repeatedly negotiated and then torn down, which appears as flapping.

    • No: Proceed to Step 6.

  6. Was the VPN stable for a period of time and then started going up and down?

    • Yes: Investigate for network or device changes or whether any new network equipment has been added to the environment.

    • No: Collect site-to-site logs from the VPN devices at both ends and open a case with your technical support representative. See Data Collection for Customer Support.
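The log review in Step 1 can be automated when there are many events to sift through. The following Python script is an added example for this guide, not Juniper code: it parses KMD_VPN_UP_ALARM_USER, KMD_VPN_DOWN_ALARM_USER and KMD_PM_SA_ESTABLISHED lines in the format shown above (for instance saved show log messages output) and reports, per tunnel, how many times the VPN went down and the shortest time it stayed up, and, per SA direction, the interval between successive SA establishments. The sample lines are constructed to match the examples above; the year supplied to the timestamps (syslog omits it) and the thresholds used by is_flapping are assumptions, not Junos defaults.

```python
"""Flap detector for Junos kmd syslog lines (added example, not from the guide)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format the guide shows; not a real capture.
SAMPLE_LOG = """\
Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0xfd91b643, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xbdec9669, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x69b34ae4, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x6f55d8ea, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x6fa6b0b3, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xa66ac906, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:09:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:10:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
UPDOWN_RE = re.compile(
    TS + r" kmd\[\d+\]: KMD_VPN_(?P<state>UP|DOWN)_ALARM_USER: "
    r"VPN (?P<vpn>\S+) from (?P<peer>\S+) is (?:up|down)\..*?tunnel-id: (?P<tid>\d+)"
)
SA_RE = re.compile(
    TS + r" kmd\[\d+\]: KMD_PM_SA_ESTABLISHED: Local gateway: (?P<local>\S+), "
    r"Remote gateway: (?P<remote>\S+),.*?Direction: (?P<direction>inbound|outbound), "
    r"SPI: (?P<spi>0x[0-9a-fA-F]+)"
)


def parse_ts(ts, year=2023):
    """Syslog timestamps carry no year; the year is an assumption so that
    deltas can be computed. Also collapses the double space Junos prints
    before single-digit days ("Jul  9")."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def vpn_flaps(log_text):
    """Per (vpn name, tunnel-id): number of DOWN events, shortest time the
    tunnel stayed up (UP followed by DOWN) and shortest outage (DOWN followed
    by UP), in seconds. None when no such pair exists."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = UPDOWN_RE.match(line)
        if m:
            events[(m["vpn"], m["tid"])].append((parse_ts(m["ts"]), m["state"]))
    report = {}
    for key, evs in events.items():
        evs.sort()
        pairs = list(zip(evs, evs[1:]))
        ups = [(t2 - t1).total_seconds() for (t1, s1), (t2, s2) in pairs
               if s1 == "UP" and s2 == "DOWN"]
        downs = [(t2 - t1).total_seconds() for (t1, s1), (t2, s2) in pairs
                 if s1 == "DOWN" and s2 == "UP"]
        report[key] = {
            "downs": sum(1 for _, s in evs if s == "DOWN"),
            "min_up_seconds": min(ups) if ups else None,
            "min_down_seconds": min(downs) if downs else None,
        }
    return report


def sa_rekey_intervals(log_text):
    """Per (local gateway, remote gateway, direction): seconds between
    consecutive KMD_PM_SA_ESTABLISHED events. A healthy tunnel re-establishes
    its SAs roughly once per lifetime (3600 s is the Junos IPsec proposal
    default); new SPIs every minute mean the tunnel is being rebuilt."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if m:
            seen[(m["local"], m["remote"], m["direction"])].append(parse_ts(m["ts"]))
    return {key: [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            for key, ts in ((k, sorted(v)) for k, v in seen.items())}


def is_flapping(log_text, min_up_seconds=300, min_rekey_seconds=300):
    """True when any tunnel stayed up for less than min_up_seconds or any SA
    was re-established faster than min_rekey_seconds. Both thresholds are
    illustrative assumptions; tune them to the site's configured lifetimes."""
    for r in vpn_flaps(log_text).values():
        if r["min_up_seconds"] is not None and r["min_up_seconds"] < min_up_seconds:
            return True
    for intervals in sa_rekey_intervals(log_text).values():
        if intervals and min(intervals) < min_rekey_seconds:
            return True
    return False


if __name__ == "__main__":
    for key, r in vpn_flaps(SAMPLE_LOG).items():
        print(f"VPN {key[0]} tunnel-id {key[1]}: {r}")
    for key, intervals in sa_rekey_intervals(SAMPLE_LOG).items():
        print(f"SA {key}: intervals {intervals}")
    print("flapping:", is_flapping(SAMPLE_LOG))
```

Feed it the output of show log messages (or the whole messages file) and look at two numbers: a tunnel whose shortest up time is seconds or a couple of minutes is flapping, and inbound/outbound SA intervals far shorter than the configured lifetime show the tunnel being rebuilt rather than merely rekeyed. Because the script keys events by tunnel-id and by gateway pair, it also answers the first question in Step 1 directly: one affected key points at that VPN's configuration or peer, while every key flapping together points at the underlying connectivity.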
