Troubleshoot a VPN Tunnel That is Down

Problem: IPsec VPN is not active and does not pass data.

1. What type of VPN tunnel are you having trouble with?

   • Site-to-site (LAN-to-LAN) VPN:

     Proceed to Step 2.

   • Remote Access IPsec VPN or Client-to-LAN VPN:

     For branch SRX Series, see KB17220.

     For high-end SRX Series, proceed to Step 2.

2. Is the SA (security association) for the VPN tunnel active?

   Run the show security ipsec security-associations command and locate the gateway address of the VPN. If the remote gateway is not displayed, then the VPN SA is not active. For more information about SA, see KB10090.

   • If SA is not listed in the output, proceed to Step 3.

   • If SA is listed (Phase 2 is up) and if traffic is not passing, see Troubleshoot a VPN That Is Up But Not Passing Traffic.

   • If SA oscillates between active and inactive states, see Troubleshoot a Flapping VPN Tunnel.

3. Is the IKE Phase 1 up?

   Run the show security ike security-associations command. Verify that the remote address of the VPN is listed and that the value of the State field is UP.

   • If the remote address is not listed or if the value of the State field is DOWN, analyze the IKE Phase 1 messages on the responder for a solution. See KB10101.

   • If the state is UP, analyze the IKE Phase 2 messages on the responder for a solution. See KB10101.

   If the issue is still not resolved, analyze Phase 1 or Phase 2 logs for the VPN tunnel on the initiating VPN device. If you can't find your solution in the logs on the initiating side, proceed to Step 4.

4. Collect logs, flow trace options, and IKE trace options, and then open a case with your technical support representative. For information about:

   • Collecting logs, see Data Collection for Customer Support.

   • Flow trace options, see KB16233.

   • IKE trace options, see KB19943.