Troubleshoot a VPN Tunnel That Is Down

Problem: IPsec VPN is not active and does not pass data.

Step 1. What type of VPN tunnel are you having trouble with?

- Site-to-site (LAN-to-LAN) VPN: proceed to Step 2.
- Remote Access IPsec VPN or Client-to-LAN VPN:
  - For branch SRX Series, see KB17220.
  - For high-end SRX Series, proceed to Step 2.
Step 2. Is the SA (security association) for the VPN tunnel active?

Run the show security ipsec security-associations command and locate the gateway address of the VPN. If the remote gateway is not displayed, the VPN SA is not active. For more information about SAs, see KB10090.

user@host> show security ipsec security-associations
  total configured sa: 2
  ID      Gateway   Port  Algorithm       SPI       Life:sec/kb  Mon  vsys
  <32785  2.2.2.2   1398  ESP:3des/sha1   29e26eba  28735/unlim  -    0
  >32785  2.2.2.2   1398  ESP:3des/sha1   6d4e790b  28735/unlim  -    0
  total configured sa: 2
  ID      Gateway   Port  Algorithm       SPI       Life:sec/kb  Mon  vsys
  <32786  3.3.3.3   500   ESP:3des/sha1   5c13215d  28782/unlim  U    0
  >32786  3.3.3.3   500   ESP:3des/sha1   18f67b48  28782/unlim  U    0

- If the SA is not listed in the output, proceed to Step 3.
- If the SA is listed (Phase 2 is up) but traffic is not passing, see Troubleshoot a VPN That Is Up But Not Passing Traffic.
- If the SA oscillates between active and inactive states, see Troubleshoot a Flapping VPN Tunnel.
Step 3. Is IKE Phase 1 up?

Run the show security ike security-associations command. Verify that the remote address of the VPN is listed and that the value of the State field is UP.

user@host> show security ike security-associations
  Index  Remote Address  State  Initiator cookie  Responder cookie  Mode
  1      2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
  2      3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main

- If the remote address is not listed, or if the value of the State field is DOWN, analyze the IKE Phase 1 messages on the responder for a solution. See KB10101.
- If the state is UP, analyze the IKE Phase 2 messages on the responder for a solution. See KB10101.

If the issue is still not resolved, analyze the Phase 1 or Phase 2 logs for the VPN tunnel on the initiating VPN device. If you cannot find the solution in the logs on the initiating side, proceed to Step 4.
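The checks in Steps 2 and 3 are mechanical enough to script, which is useful when a device terminates many tunnels or when you want a monitoring job to tell you which branch of this procedure applies. The following Python is an added example, not part of this KB article or of Junos: it parses the two command outputs shown above (embedded here as constructed sample text, re-aligned into columns, with the two "total configured sa" blocks merged) and returns the next step for a given peer. The row layout it expects is the one printed on this page; other Junos releases may add columns, in which case the patterns would need adjusting.

```python
import re

# Constructed sample output: the two command outputs shown on this page,
# re-aligned into columns so the row patterns below can read them.
IPSEC_SA_OUTPUT = """\
total configured sa: 2
  ID      Gateway   Port  Algorithm       SPI       Life:sec/kb  Mon  vsys
  <32785  2.2.2.2   1398  ESP:3des/sha1   29e26eba  28735/unlim  -    0
  >32785  2.2.2.2   1398  ESP:3des/sha1   6d4e790b  28735/unlim  -    0
  <32786  3.3.3.3   500   ESP:3des/sha1   5c13215d  28782/unlim  U    0
  >32786  3.3.3.3   500   ESP:3des/sha1   18f67b48  28782/unlim  U    0
"""

IKE_SA_OUTPUT = """\
Index  Remote Address  State  Initiator cookie  Responder cookie  Mode
1      2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2      3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main
"""

# One IPsec SA row: direction marker (< inbound, > outbound), ID, gateway,
# port, algorithm, SPI, lifetime, monitor flag, vsys.
IPSEC_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)
# One IKE SA row: index, remote address, state, initiator cookie,
# responder cookie, mode.
IKE_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(UP|DOWN)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)\s*$"
)


def parse_ipsec_sas(text):
    """Return one dict per IPsec SA row; header and summary lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if not m:
            continue
        direction, sa_id, gateway, port, alg, spi, life, mon, vsys = m.groups()
        sas.append({
            "direction": "in" if direction == "<" else "out",
            "id": int(sa_id), "gateway": gateway, "port": int(port),
            "algorithm": alg, "spi": spi, "life": life, "mon": mon,
            "vsys": int(vsys),
        })
    return sas


def parse_ike_sas(text):
    """Return one dict per IKE SA row; the header line is skipped."""
    sas = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if not m:
            continue
        index, remote, state, icookie, rcookie, mode = m.groups()
        sas.append({"index": int(index), "remote": remote, "state": state,
                    "initiator_cookie": icookie, "responder_cookie": rcookie,
                    "mode": mode})
    return sas


def diagnose(gateway, ipsec_text, ike_text):
    """Apply Steps 2 and 3 of the page to one peer and name the branch taken.

    Returns one of:
      "phase2-up"   - an IPsec SA exists for the gateway (if traffic still
                      fails, follow the 'Up But Not Passing Traffic' procedure)
      "phase1-down" - no IPsec SA, and the IKE SA is missing or DOWN
                      (analyze Phase 1 messages on the responder, KB10101)
      "phase2-down" - no IPsec SA although the IKE SA is UP
                      (analyze Phase 2 messages on the responder, KB10101)
    """
    if any(sa["gateway"] == gateway for sa in parse_ipsec_sas(ipsec_text)):
        return "phase2-up"
    ike = [sa for sa in parse_ike_sas(ike_text) if sa["remote"] == gateway]
    if not ike or ike[0]["state"] != "UP":
        return "phase1-down"
    return "phase2-down"


if __name__ == "__main__":
    # 4.4.4.4 is a constructed peer that appears in neither output.
    for peer in ("2.2.2.2", "3.3.3.3", "4.4.4.4"):
        print(peer, diagnose(peer, IPSEC_SA_OUTPUT, IKE_SA_OUTPUT))
```

In practice you would feed the functions the captured text of each command (for example from a session log or an automation library) rather than the embedded sample; the decision logic stays the same because it keys only on the gateway address and the State column, which is exactly what Steps 2 and 3 ask you to look at.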
Step 4. Collect logs, flow trace options, and IKE trace options, and then open a case with your technical support representative. For information about:

- Collecting logs, see Data Collection for Customer Support.
- Flow trace options, see KB16233.
- IKE trace options, see KB19943.