#K&B ASSOCIATION HOW TO#
Analyze the phase 2 messages on the responder for a solution.Ĭonsult: KB10099 - How to troubleshoot IKE Phase 2 VPN connection issues. If you are unable to find your solution in the logs on the responder side, jump to Step 6. Analyze the IKE phase 1 messages on the responderfor a solution.Ĭonsult: KB10101 - How to troubleshoot IKE Phase 1 VPN connection issues.
No (Remote Address is not listed or State is DOWN) - Continue to Step 4. Locate the Remote Address of the VPN in question, and verify that the State is UP.įor more information, consult: KB10090 - How do I tell if a VPN tunnel SA (Security Association) is show security ike security-associations Run the command show security ike security-associations. Sometimes, SA is bouncing between active and inactive - Consult: KB10096 - How to troubleshoot a VPN tunnel that is going up and down. Yes (SA is listed, so Phase 2 is up) - If traffic is not passing, consult: KB10093 - How to troubleshoot a VPN that is up, but is not passing traffic. No (SA is not listed) - Continue to Step 3.If the remote gateway is not displayed, then the VPN SA is not active.įor more information, consult: KB10090 - How do I tell if a VPN Tunnel SA (Security Association) is show security ipsec security-associations Locate the Gateway address of the VPN in question. Run the command show security ipsec security-associations. Is the VPN tunnel's Security Association (SA) active? In other words, is the VPN's Phase 2 up? Remote Access IPsec VPN or Client-to-LAN VPNįor SRX Branch Series, see KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.įor SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, continue with Step 2.
Site-to-site (LAN-to-LAN) VPN - Continue with Step 2. What type of VPN tunnel are you having trouble with?
Use the following steps to assist with resolving a VPN tunnel that is not active or passing traffic.įor the flowchart version of these steps, click the flowchart icon: