Once the configuration of the VPN is complete and committed, you should take some additional steps to ensure that the VPN is operational. You can also use these steps whenever there appears to be an issue with VPN establishment or connectivity. This section details the useful commands that can help provide information on the status of VPNs, as well as troubleshooting steps and available facilities that can provide advanced diagnostics for resolving VPN issues.
The SRX has several useful commands when it comes to determining the state of VPNs, including commands that identify specific aspects of VPNs.
The show security ike security-associations command shows any VPNs that have passed Phase 1 and have an active IKE security association for Phase 1.
This command is important because if IKE fails to complete Phase 1, it can’t proceed to Phase 2. (An exception is that if the IKE Phase 1 lifetime expires before the Phase 2 lifetime expires, there may not be a listing for the IKE security association while there will be one for Phase 2. However, when the Phase 2 security association expires, the Phase 1 IKE security association will need to be renegotiated first.)
The following output shows an actively established Phase 1 security association, first without the detail argument and then with the detail argument. There are lots of useful reasons for using the detail command to show the properties of ...