Troubleshoot a Flapping VPN Tunnel
Problem
Description
Site-to-site VPN tunnel or remote IPsec VPN tunnel flapping (that is, going up and down in quick succession).
Diagnosis
1. Does the issue affect only one VPN?
Yes: Check the system logs and proceed to Step 2. Use the show log messages command to view the logs. You must enable information-level logging for messages to be reported correctly:
user@host# set system syslog file messages any info
Here are examples of system logs reporting a flapping VPN tunnel:
VPN up/down events:
Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:09:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Jul 9 21:10:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.2, XAUTH username: Not-Applicable, VR id: 4
Unstable VPN behavior (VPN constantly rebuilding):
Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0xfd91b643, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xbdec9669, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x69b34ae4, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x6f55d8ea, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x6fa6b0b3, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xa66ac906, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
No: If the issue affects all configured VPNs, investigate errors on the Internet connection and on the SRX Series Firewall and switch interfaces. To check for errors on the SRX Series Firewall interfaces, run the show interfaces extensive command.
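As an added example (not part of the Junos documentation), the following Python script parses kmd syslog lines like those shown above and flags tunnels that repeatedly go down, or whose IPsec SAs are rebuilt every minute, so a flapping tunnel can be separated from a single outage before moving on to Step 2. The sample lines are constructed from the messages quoted above with trailing fields trimmed; the function names, the five-minute window and the thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the kmd lines quoted above; trailing fields trimmed.
SAMPLE_LOG = """\
Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, vpn name: to_hub
Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, vpn name: to_hub
Jul 9 21:09:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.2 is down. Local-ip: 4.4.4.4, vpn name: to_hub
Jul 9 21:10:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.2 is up. Local-ip: 4.4.4.4, vpn name: to_hub
Jul 9 22:40:00 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_branch from 5.5.5.5 is down. Local-ip: 4.4.4.4, vpn name: to_branch
Jul 9 22:40:20 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_branch from 5.5.5.5 is up. Local-ip: 4.4.4.4, vpn name: to_branch
Jul 9 20:43:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Direction: inbound, SPI: 0xfd91b643
Jul 9 20:44:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Direction: inbound, SPI: 0x69b34ae4
Jul 9 20:45:10 kmd[1496]: KMD_PM_SA_ESTABLISHED: Local gateway: 4.4.4.4, Remote gateway: 3.3.3.2, Direction: inbound, SPI: 0x6fa6b0b3
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")
DOWN_RE = re.compile(r"KMD_VPN_DOWN_ALARM_USER: VPN (\S+) from \S+ is down")
SA_RE = re.compile(r"KMD_PM_SA_ESTABLISHED: .*Remote gateway: ([^,]+),.*Direction: inbound")

def parse_events(text):
    """Timestamps per VPN name (DOWN alarms) and per peer (inbound SA installs). UP alarms
    and outbound SAs are skipped so each flap or rebuild counts once; syslog has no year."""
    events = {"down": {}, "sa": {}}
    for line in text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(" ".join(m_ts.group(1).split()), "%b %d %H:%M:%S")
        if m := DOWN_RE.search(line):
            events["down"].setdefault(m.group(1), []).append(ts)
        elif m := SA_RE.search(line):
            events["sa"].setdefault(m.group(1), []).append(ts)
    return events

def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    ts, best, j = sorted(timestamps), 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best

def unstable_tunnels(text, window=timedelta(minutes=5), min_downs=2, min_sas=3):
    """VPNs with >= min_downs DOWN alarms and peers with >= min_sas inbound SAs in any window."""
    ev = parse_events(text)
    def hot(groups, n):
        return sorted(k for k, t in groups.items() if max_in_window(t, window) >= n)
    return {"flapping": hot(ev["down"], min_downs), "rebuilding": hot(ev["sa"], min_sas)}
```

Running unstable_tunnels(SAMPLE_LOG) reports to_hub as flapping and 3.3.3.2 as rebuilding its SA, while the single to_branch outage is not flagged.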
2. Verify that VPN Monitor is enabled for this VPN by using the show configuration security ipsec vpn vpn-name command. Is VPN Monitor enabled?
Yes: Proceed to Step 3.
No: Proceed to Step 5.
3. Disable VPN Monitor and check the VPN.
user@host# deactivate security ipsec vpn vpn-name vpn-monitor
user@host# commit
Is the VPN stable?
Yes: The instability is related to the VPN Monitor configuration. Proceed to Step 4.
No: Proceed to Step 5.
4. Is the remote VPN connection configured to block ICMP echo requests?
Yes: Reenable and reconfigure VPN Monitor to use the source interface and destination IP options. See KB10119.
No: Proceed to Step 5.
5. Is the remote device that is connected to the SRX Series Firewall a non-Juniper device?
Yes: Verify that the proxy-id values configured on the SRX Series Firewall and on the peer VPN device match.
No: Proceed to Step 6.
6. Was the VPN stable for a period of time and then started going up and down?
Yes: Investigate for network or device changes or whether any new network equipment has been added to the environment.
No: Collect site-to-site logs from the VPN devices at both ends and open a case with your technical support representative. See Data Collection for Customer Support.