Juniper SRX Dynamic-VPN (Remote-access) – Part 2

So here is the second part of dynamic VPN, but this post will mainly cover verification and troubleshooting. If you are looking for how to configure the dynamic VPN (remote-access VPN), please check part 1 of this post.


To verify that the remote client has successfully connected to the SRX over the VPN, use the command show security ike security-associations brief. You may see more than one entry here if you have other IKE traffic, such as a site-to-site VPN and/or another session from another dynamic-VPN client.

Example 1

karlo> show security ike security-associations brief    
Index    State   Initiator cookie   Responder cookie   Mode           Remote Address  
4542718   DOWN   6a685801e0f0a351   0000000000000000   Aggressive        
4542712   UP     39de8a6735c6e475   e1c4c10b2234ffc0   Aggressive

The entry with index 4542718 can be ignored. That is my site-to-site VPN and is not relevant to this post. The one we are interested in is the last line, with index 4542712. As you can see in Example 1, the state is “UP” and it shows the IP address of the remote client.

Another useful command is show security ike active-peer.

Example 2

karlo> show security ike active-peer  
Remote Address                    Port    Peer IKE-ID                         XAUTH username                    Assigned IP
                                  500     Not-Available                                  57717            karlo


If everything works in phase 1 and there is still no connection, verify phase 2. You can use show security ipsec inactive-tunnels. As you can see in Example 3, it displays the total inactive tunnels and the reason each tunnel is down.

Example 3

karlo> show security ipsec inactive-tunnels          
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID      Port  Nego#  Fail#  Flag     Gateway         Tunnel Down Reason
131073  500   0      0      600a29         SA not initiated


To see the total active tunnels, use the command show security ipsec security-associations.

Example 4

karlo> show security ipsec security-associations  
Total active tunnels: 1
ID   Algorithm       SPI      Life:sec/kb  Mon lsys Port Gateway  
<268173325 ESP:aes-cbc-128/sha1 5d542e0 3066/ 499908 - root 56070    
>268173325 ESP:aes-cbc-128/sha1 204d6fa9 3066/ 499908 - root 56070    


The last one would be show security ipsec statistics, which gives you the ESP and AH packet counters along with the error counts (authentication failures, decryption failures, replay errors, bad headers and trailers).

Example 5


karlo> show security ipsec statistics          
ESP Statistics:
  Encrypted bytes:           261680
  Decrypted bytes:           171253
  Encrypted packets:           1370
  Decrypted packets:           2364
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
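As an added example (not from the original post and not Juniper code), here is a small Python checker that parses the output of the commands shown in Example 1 and Example 5 and reports what a first look should catch: IKE SAs that are not UP (separating a peer that never answered, visible as an all-zero responder cookie, from a failed negotiation), non-zero ESP/AH error counters, and one-way traffic. The sample output is constructed from the examples above; the remote addresses are RFC 5737 documentation addresses and one error counter is deliberately non-zero.

```python
import re
# Constructed sample output, trimmed from Examples 1 and 5 above: the remote addresses are
# RFC 5737 documentation addresses, and ESP authentication failures is set to 3 so the check fires.
IKE_BRIEF = """\
Index    State   Initiator cookie   Responder cookie   Mode           Remote Address
4542718   DOWN   6a685801e0f0a351   0000000000000000   Aggressive     198.51.100.7
4542712   UP     39de8a6735c6e475   e1c4c10b2234ffc0   Aggressive     203.0.113.25
"""
IPSEC_STATS = """\
ESP Statistics:
  Encrypted packets:           1370
  Decrypted packets:           2364
AH Statistics:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 3, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
ERROR_COUNTERS = ("AH authentication failures", "Replay errors",
                  "ESP authentication failures", "ESP decryption failures",
                  "Bad headers", "Bad trailers")
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")

def parse_ike_brief(text):
    """One dict per SA row of 'show security ike security-associations brief'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Index":
            continue  # blank line or column header
        rows.append({"index": parts[0], "state": parts[1], "rcookie": parts[3],
                     "remote": parts[5] if len(parts) > 5 else "?"})
    return rows

def ike_findings(rows):
    """Flag every SA that is not UP; an all-zero responder cookie means the peer never replied."""
    return [f"IKE SA {r['index']} to {r['remote']} is {r['state']} "
            f"({'no reply from peer' if r['rcookie'] == '0' * 16 else 'negotiation failed'})"
            for r in rows if r["state"] != "UP"]

def parse_ipsec_stats(text):
    """Flatten every 'Name: value' counter of 'show security ipsec statistics' into a dict."""
    return {name.strip(): int(value)
            for line in text.splitlines() for name, value in COUNTER_RE.findall(line)}

def ipsec_findings(counters):
    """Non-zero error counters, plus one-way traffic (decrypting but never encrypting back)."""
    out = [f"{n}: {counters[n]}" for n in ERROR_COUNTERS if counters.get(n, 0) > 0]
    if counters.get("Decrypted packets", 0) and not counters.get("Encrypted packets", 0):
        out.append("one-way traffic: client packets are decrypted but nothing is sent back")
    return out
```

Feed it the real command output captured from the SRX (for example via SSH) instead of the constructed strings; the counters are cumulative, so compare two readings taken a minute apart to see whether errors are still growing.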



Now, if the verification commands do not show the problem, it is time to troubleshoot the issue. Maybe the remote user is able to connect to the VPN but cannot pass traffic, or cannot connect to the VPN at all. There are a lot of possible VPN issues, and I am no expert; I am just going to list the ones I have encountered.

Failed to receive HTTP response

If the users cannot connect to the VPN at all and get an error stating “Failed to receive HTTP response” from the desktop client, check your SRX version, because according to Juniper:

This issue affects only branch SRX platforms and always occurs when Dynamic VPN is configured. This is a regression issue, it is introduced from 12.1X44-D55, 12.1X46-D40, 12.1X47-D30, 12.3X48-D20, and 15.1X49-D20.

These are the known working versions according to Juniper’s problem report: 12.1X47-D35, 12.3X48-D25, 15.1X49-D30. Also, I have an older SRX100H running 12.1X46-D35, and dynamic VPN is working with this code.

VPN connection is up, but no traffic is going through

Ensure the remote client receives an IP address from the SRX. If the remote client did not receive an IP address from the SRX, check your DHCP-related configuration. You can use show configuration system services dhcp-local-server. Ensure that the interface for the dynamic VPN is in a group.

Also, make sure that dhcp is allowed under host-inbound-traffic system-services on the dynamic-VPN interface in its security zone.

Example 6

karlo> show configuration security zones security-zone DYN-VPN-ZONE interfaces vlan.9
host-inbound-traffic {
    system-services {
        dhcp;
    }
}

Lastly, the security policy should be in place. The from-zone should be untrust and the to-zone should be the destination zone, and the permit action should send the traffic into the IPsec tunnel (tunnel ipsec-vpn).

Example 7

karlo> show configuration security policies from-zone untrust to-zone trust
policy DYN-untrust_TO_trust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn IPSEC-DYN-VPN;
            }
        }
    }
}

You can also check whether traffic is hitting the SRX. Use the command show security flow session.

Example 8

karlo> show security flow session
Session ID: 12683, Policy name: DYN-untrust_TO_trust/10, Timeout: 1800, Valid
In: -->;tcp, If: fe-0/0/0.0, Pkts: 502, Bytes: 38710
Out: -->;tcp, If: .local..0, Pkts: 288, Bytes: 36773

In addition, a traceoption under security flow can be used. This is useful once the remote user has received an IP address: have them generate some traffic to a specific destination and match it with a packet-filter in both directions.

karlo# show | compare
[edit security]
+   flow {
+      traceoptions {
+           file TSHOOT;
+           flag basic-datapath;
+           packet-filter REMOTE_TO_INTERNAL {
+               source-prefix;
+               destination-prefix;
+           }
+           packet-filter INTERNAL_TO_REMOTE {
+               source-prefix;
+               destination-prefix;
+           }
+       }
+   }


After you commit the traceoption, have the remote user generate some traffic. Then you can view the results of the traceoption via show log <filename>. Delete or deactivate the traceoptions when you are done, as flow tracing is expensive on a busy SRX.

show log TSHOOT


Hope you will find this post helpful.





About networkshinobi

My name is Karlo, and I work as a Network Engineer. A little about myself: I started as a PC gamer back when I was in high school. PC gaming became my addiction and pushed me to learn more about computers. Slowly I got some certifications and landed an IT Tier 1 Helpdesk job. This job opened the door for me to push further on my certifications and go deeper into the IT world. My goal was to get my Cisco CCIE Routing and Switching, but my journey for CCIE has changed because I always ended up working on non-Cisco network appliances. Therefore, I had to pivot and decided to jump to the dark side and go with Juniper. Hopefully, I will get my JNCIE in the near future. All the entries/posts I make are based on my views and opinions and are for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks