Troubleshoot a VPN That Is Up But Not Passing Traffic

Problem

Description

The VPN is up, but there is no passing traffic in one or both directions.

This topic helps troubleshoot the issues that could prevent traffic passing through an active VPN tunnel.

Environment

VPN

Solution

  1. Check whether the VPN security association (SA) is active: show security ipsec security-associations

    If the VPN gateway is listed, the tunnel is established and is up. The output shows two lines for each VPN tunnel, one with the SPI for each direction of traffic.

    The MON field is used by VPN monitoring to show the status of the tunnel and has one of the following values:

    • - (hyphen): The VPN tunnel is active, and the VPN monitor optional feature is not configured.

    • U (up): The VPN tunnel is active, and the link (detected through the VPN monitor) is up.

    • D (down): The VPN tunnel is active, and the link (detected through the VPN monitor) is down.

  2. Check whether the VPN is using the loopback interface lo0 as the external interface: show configuration security ike

    • Yes: The VPN is using the loopback interface lo0 as the external interface. Proceed to Step 3.

    • No: The VPN is not using the loopback interface lo0 as the external interface. Proceed to Step 4.

  3. Check whether the egress interface (physical interface) and lo0 used as the VPN external interface are in the same security zone.

  4. If your VPN is a route-based VPN, proceed to Step 5. Proceed to Step 8 if it is a policy-based VPN. See What is the difference between a policy-based VPN and a route-based VPN?

  5. Check whether a route to the remote network is assigned through the st0 interface: show route <remote-network>

  6. Based on the route assigned to the remote network in Step 5, check whether the VPN is pointing to the correct st0 interface: show security ike and show security ipsec

    1. First, check the IKE gateway using the show security ike command.

    2. Check the IPsec VPN for that IKE gateway using the show security ipsec command and verify in the output that bind-interface points to the st0 interface.

      In this example, the VPN ike-vpn-siteB is pointing to the st0.0 interface.

  7. Check whether there is a security policy that allows traffic from the internal zone to the st0 security zone: show security policies

  8. Check whether there is a VPN tunnel security policy to allow traffic: show security policies

  9. Check whether the traffic is matching the policies identified in Step 7 or Step 8: show security flow session source-prefix <source-address> destination-prefix <destination-address>

    • Yes: Proceed to Step 10.

    • No: Verify the order of the security policies: show security match-policies. See Understanding Security Policy Ordering.

      If the order is correct, see How to troubleshoot a security policy that is not passing data.

      Note:

      If only the pkts counter in the out direction of the session is incrementing, validate with the VPN peer that the traffic is being received: check the packet counters on the peer that terminates this tunnel to see whether the other end is receiving the packets.

  10. Collect logs and flow trace options and open a case with the Juniper Networks support team:
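As an added example (not part of this Juniper article), the following Python script applies the Step 1 checks to saved CLI output: it parses a constructed listing laid out like `show security ipsec security-associations` output (the column order is an assumption), confirms that each tunnel has an SA in both directions, and decodes the MON field with the meanings given above.

```python
import re

# Constructed sample laid out like `show security ipsec security-associations`
# output; column order is an assumption, not a capture from a real device.
SAMPLE_SA_OUTPUT = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 a1b2c3d4 3384/ unlim - root 500 203.0.113.10
  >131073 ESP:aes-cbc-128/sha1 e5f60718 3384/ unlim - root 500 203.0.113.10
  <131074 ESP:aes-cbc-256/sha256 0badcafe 2890/ unlim D root 500 198.51.100.7
"""

# Meaning of the MON column, as described in Step 1.
MON_MEANING = {
    "-": "tunnel active, VPN monitor not configured",
    "U": "tunnel active, VPN monitor reports link up",
    "D": "tunnel active, VPN monitor reports link down",
}

# Columns: direction, ID, algorithm, SPI, Life (two tokens), MON, lsys, port, gateway
SA_LINE = re.compile(r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-fA-F]+)\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\d+\s+(\S+)")


def parse_sas(text):
    """Group SA lines by tunnel ID; '<' is the inbound SA, '>' the outbound SA."""
    tunnels = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        direction, sa_id, _alg, spi, mon, gateway = m.groups()
        t = tunnels.setdefault(sa_id, {"gateway": gateway, "mon": mon, "spi": {}})
        t["spi"]["inbound" if direction == "<" else "outbound"] = spi
    return tunnels


def check_tunnels(text):
    """Step 1 checks per tunnel: an SA in each direction, and MON not reporting down."""
    findings = {}
    for sa_id, t in parse_sas(text).items():
        problems = [f"no {d} SA" for d in ("inbound", "outbound") if d not in t["spi"]]
        if t["mon"] == "D":
            problems.append("VPN monitor reports the link down")
        findings[sa_id] = {"gateway": t["gateway"], "problems": problems, "ok": not problems,
                           "mon": MON_MEANING.get(t["mon"], f"unknown MON value {t['mon']!r}")}
    return findings


if __name__ == "__main__":
    for sa_id, f in check_tunnels(SAMPLE_SA_OUTPUT).items():
        print(sa_id, f["gateway"], f["mon"], "OK" if f["ok"] else "; ".join(f["problems"]))
```

A tunnel flagged here (missing direction or MON showing D) is the one to take into Steps 2 through 10; a tunnel reported OK at Step 1 points the investigation at routing, bind-interface or policy rather than at the SA itself.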