Troubleshoot a VPN Tunnel That is Down
Problem: IPsec VPN is not active and does not pass data.
Step 1: What type of VPN tunnel are you having trouble with?
Site-to-site (LAN-to-LAN) VPN: proceed to Step 2.
Remote access IPsec VPN or client-to-LAN VPN: for branch SRX Series, see KB17220; for high-end SRX Series, proceed to Step 2.
Step 2: Is the SA (security association) for the VPN tunnel active?
Run the show security ipsec security-associations command and locate the gateway address of the VPN peer. If the remote gateway is not displayed, the IPsec SA is not active. For more information about SAs, see KB10090.

    user@host> show security ipsec security-associations
      total configured sa: 2
      ID     Gateway   Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
      <32785 2.2.2.2   1398  ESP:3des/sha1  29e26eba  28735/unlim  -    0
      >32785 2.2.2.2   1398  ESP:3des/sha1  6d4e790b  28735/unlim  -    0
      total configured sa: 2
      ID     Gateway   Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
      <32786 3.3.3.3   500   ESP:3des/sha1  5c13215d  28782/unlim  U    0
      >32786 3.3.3.3   500   ESP:3des/sha1  18f67b48  28782/unlim  U    0

A healthy tunnel shows one inbound (<) and one outbound (>) SA for the peer. A Port other than 500 (1398 for peer 2.2.2.2 above) means the peer is reached through NAT-T; the Mon column shows the VPN monitoring status (U for up, D for down, - when monitoring is not enabled).
If no SA is listed for the peer, proceed to Step 3.
If the SA is listed (Phase 2 is up) but traffic is not passing, see Troubleshoot a VPN That Is Up But Not Passing Traffic.
If the SA oscillates between active and inactive states, see Troubleshoot a Flapping VPN Tunnel.
Step 3: Is IKE Phase 1 up?
Run the show security ike security-associations command. Verify that the remote address of the VPN peer is listed and that the value of the State field is UP.

    user@host> show security ike security-associations
    Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
    1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
    2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main

If the remote address is not listed, or the value of the State field is DOWN, Phase 1 has not completed: analyze the IKE Phase 1 messages on the responder for a solution. See KB10101.
If the State is UP but no IPsec SA was present in Step 2, Phase 1 is fine and the failure is in Phase 2: analyze the IKE Phase 2 messages on the responder for a solution. See KB10101.
Check the responder first in both cases: it is the side that rejects a mismatched proposal and logs why, whereas the initiator usually sees only retransmit timeouts or a NO-PROPOSAL-CHOSEN notification.
If the issue is still not resolved, analyze the Phase 1 or Phase 2 logs for the VPN tunnel on the initiating VPN device. If the logs on the initiating side do not reveal the cause, proceed to Step 4.
Step 4: Collect logs, flow trace options, and IKE trace options, and then open a case with your technical support representative. For information about:
Collecting logs, see Data Collection for Customer Support.
Flow trace options, see KB16233.
IKE trace options, see KB19943.
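The decision tree in Steps 2 and 3 is easy to apply by hand for one peer, but on a box with many tunnels it helps to script it. The following Python is an added example written for this page (it is not Juniper code and not part of the procedure): it parses the text of the two show commands as pasted from an SRX, in the column order shown above, and reports which branch of the procedure applies to a given peer. The sample outputs embedded in it are constructed for the example; the row regexes assume the column layout printed above, so adjust them if your Junos release orders the columns differently.

```python
import re

# Constructed sample output mirroring the format shown in Steps 2 and 3:
#  - 2.2.2.2: Phase 1 UP and both Phase 2 SAs present, peer behind NAT (port 1398)
#  - 3.3.3.3: Phase 1 UP but no Phase 2 SA
#  - 5.5.5.5: Phase 1 DOWN
#  - 6.6.6.6: not listed in either command
IKE_SA_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       2.2.2.2         UP     744a594d957dd513  1e1307db82f58387  Main
2       3.3.3.3         UP     744a594d957dd513  1e1307db82f58387  Main
3       5.5.5.5         DOWN   0000000000000000  0000000000000000  Main
"""

IPSEC_SA_OUTPUT = """\
  total configured sa: 2
  ID     Gateway   Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
  <32785 2.2.2.2   1398  ESP:3des/sha1  29e26eba  28735/unlim  -    0
  >32785 2.2.2.2   1398  ESP:3des/sha1  6d4e790b  28735/unlim  -    0
"""

# Row patterns follow the column order printed in the procedure (assumption).
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)\s*$")
IPSEC_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_ike_sas(text):
    """Map remote address -> State from 'show security ike security-associations'."""
    states = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            states[m.group(2)] = m.group(3).upper()
    return states


def parse_ipsec_sas(text):
    """Map gateway -> list of SA records from 'show security ipsec security-associations'."""
    sas = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if not m:
            continue  # header lines and 'total configured sa' lines
        direction, sa_id, gw, port, alg, spi, life, mon, vsys = m.groups()
        sas.setdefault(gw, []).append({
            "direction": "inbound" if direction == "<" else "outbound",
            "id": int(sa_id), "port": int(port), "algorithm": alg,
            "spi": spi, "life": life, "monitor": mon, "vsys": int(vsys),
        })
    return sas


def next_step(ike_text, ipsec_text, peer):
    """Apply Steps 2 and 3 of the procedure to one peer and return the next action."""
    ipsec = parse_ipsec_sas(ipsec_text).get(peer, [])
    p1 = parse_ike_sas(ike_text).get(peer)  # None when the peer is not listed at all
    result = {"peer": peer, "phase1": p1 or "NOT LISTED", "phase2_sas": len(ipsec)}
    if ipsec:
        # Step 2: an IPsec SA exists, so Phase 2 is up; the tunnel itself is not the problem.
        result["nat_t"] = any(sa["port"] != 500 for sa in ipsec)
        result["action"] = "Phase 2 is up: see 'Troubleshoot a VPN That Is Up But Not Passing Traffic'"
    elif p1 == "UP":
        # Step 3, second branch: Phase 1 completed but no Phase 2 SA was negotiated.
        result["action"] = "Analyze the IKE Phase 2 messages on the responder (KB10101)"
    else:
        # Step 3, first branch: peer not listed or State is DOWN.
        result["action"] = "Analyze the IKE Phase 1 messages on the responder (KB10101)"
    return result


if __name__ == "__main__":
    for peer in ("2.2.2.2", "3.3.3.3", "5.5.5.5", "6.6.6.6"):
        r = next_step(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, peer)
        print(f"{r['peer']:<10} P1={r['phase1']:<11} P2 SAs={r['phase2_sas']}  -> {r['action']}")
```

To use it against a live device, replace the two constants with the pasted command output (or the text returned by an op script or PyEZ RPC) and call next_step for each configured gateway; a peer with exactly one of the two SA directions present is still reported as Phase 2 up, so look at the SPI and lifetime columns yourself if the count is odd.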