Troubleshooting Gateways (SRX)

If the SRX shows as disconnected in the UI but is online locally and reachable, use the following steps to troubleshoot further. You will need console or SSH access to the SRX to check the following:

1. Make sure the SRX is on a supported version

Minimum Junos OS firmware versions supported for WAN Assurance:

  • SRX – 300, 320, 340, 345, 380, 550M, 1500, vSRX – 19.4 & above


2. Ensure the SRX has a valid IP address

Run “show interfaces terse”. You should see either an interface or an irb interface with an IP address. You might see multiple irb interfaces depending on the SRX model (or in the case of HA). At least one irb interface needs to have a valid IP address.

The SRX can also connect using the management IP, which appears on the fxp0 interface. Ensure that either an interface or the fxp0 interface has a valid IP address and is administratively UP (the link status also needs to be UP).


3. Ensure that the device can reach the gateway


4. Ensure the SRX can reach the internet

root@Mist_SRX> ping inet 
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=58 time=9.789 ms
64 bytes from icmp_seq=1 ttl=58 time=5.206 ms
64 bytes from icmp_seq=2 ttl=58 time=4.679 ms
64 bytes from icmp_seq=3 ttl=58 time=4.362 ms
64 bytes from icmp_seq=4 ttl=58 time=4.497 ms
--- ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.362/5.707/9.789/2.061 ms


5. Check if the SRX can resolve

root@Mist_SRX> ping 
PING ( 56 data bytes

If it’s unable to resolve then check for DNS servers configured on the SRX:

root@Mist_SRX> show configuration | display set | grep name-server 
set system name-server
set system name-server

configure name server (set system name-server


6. Ensure firewall ports are open (tcp port 2200 for

Please check your cloud environment to see which ports and hosts to enable.

root@Mist_SRX> show system connections | grep 2200 

tcp4      0      0                                               ESTABLISHED


7. Check if the SRX system time is correct

root@Mist_SRX> show system uptime 
Current time: 2021-08-23 19:39:17 UTC
Time Source: LOCAL CLOCK 
System booted: 2021-07-14 22:40:20 UTC (5w4d 20:58 ago)
Protocols started: 2021-07-14 22:45:39 UTC (5w4d 20:53 ago)
Last configured: 2021-08-23 19:34:05 UTC (00:05:12 ago) by root
7:39PM up 39 days, 20:59, 2 users, load averages: 0.66, 1.07, 0.92


8. Check if ‘device-id’ is of the format ‘<org_id>.<mac_addr>’ in the output of the CLI command below

root@Mist_SRX# show system services outbound-ssh 
traceoptions {
   file outbound-ssh.log size 64k files 5;
   flag all;
}
client mist {
   device-id bb2fb165-0931-49c7-a1b8-9b5814326b7d.<mac>;
   secret "$9$dTwoJjHqPTzkq0BREeKJGUHkP5QFAtO6/revMXxqmP5n/0ORhylu08X-dsYn/9tu1lKM7db0BwYgaUD.P5T69uO1rKMIRNdVwg4n/9tu1cyleM8n/M8xNY2GDiq.5Qz69p0/9revMXxk.m5n/0BIhyl1IxNbs4o69CtBIhclWX7yrYgoaiH5QFntuEhrMWxhcwYoaUD9AtuIEhSrW87ApWLN-ws4aZDjqP5QF/C.mhSleW8k.mfFn9ApOIE6/0IhSeKX7-dYgjHqmPQxNs4ZGq.hSyKLxws4oZUevUjk.5TSrlvMXYgoGUHg4z369OBVwsYJGHqmf5FUDmTz39CevM8NdbwgJZjyl24aJDjk.P5T369A"; ## SECRET-DATA
   keep-alive {
      retry 12;
      timeout 5;
   }
   services netconf; {
      port 2200;
      retry 1000;
      timeout 60;
   }
}


9. Deactivate the outbound SSH and reactivate it

Deactivate system service outbound-ssh using the following command:

deactivate system services outbound-ssh client mist


Activate outbound-ssh using the following command:

activate system services outbound-ssh client mist



10. If you are adding the SRX for the first time:

Try releasing the SRX from the UI (delete the SW entry) and then try to readopt the SRX:

  1. Delete the present Mist configuration from the SRX.
  2. Adopt the SRX again via the CLI command.
  3. Verify system service outbound-ssh using the following commands:

show system services outbound-ssh

show system connections | grep 2200
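
The checks in steps 6, 8 and 9 can also be run offline against saved CLI output. The Python script below is an added example, not Juniper or Mist code: it inspects the text of "show system services outbound-ssh" and "show system connections | grep 2200" and reports what is wrong. The function names are hypothetical, the sample MAC, host name and addresses are constructed placeholders, and it assumes <org_id> is a UUID and <mac_addr> is 12 hex digits without separators.

```python
import re

# Assumption: <org_id> is a UUID and <mac_addr> is 12 hex digits, no separators.
DEVICE_ID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.[0-9a-f]{12}", re.I)

def established_to_2200(connections_text):
    """Lines of 'show system connections' with an ESTABLISHED TCP session to port 2200."""
    hits = []
    for line in connections_text.splitlines():
        f = line.split()
        # netstat-style columns: proto, recv-q, send-q, local, foreign, state
        if len(f) >= 6 and f[0].startswith("tcp") and f[4].endswith(".2200") and f[5] == "ESTABLISHED":
            hits.append(line)
    return hits

def check_outbound_ssh(config_text, connections_text):
    """Return a list of problems; an empty list means steps 6, 8 and 9 look healthy."""
    problems = []
    # Junos prefixes a deactivated statement with 'inactive:' (step 9).
    if re.search(r"^\s*inactive:\s*client mist\b", config_text, re.M):
        problems.append("client mist is deactivated")
    m = re.search(r"^\s*device-id\s+(\S+?);", config_text, re.M)
    if m is None:
        problems.append("no device-id configured")
    elif not DEVICE_ID.fullmatch(m.group(1)):
        problems.append("device-id is not <org_id>.<mac_addr>: " + m.group(1))
    if not re.search(r"^\s*port\s+2200;", config_text, re.M):
        problems.append("port 2200 is not configured")
    if not established_to_2200(connections_text):
        problems.append("no ESTABLISHED session to port 2200")
    return problems

# Constructed sample input: MAC, host name and addresses are placeholders.
SAMPLE_CONFIG = """\
client mist {
   device-id bb2fb165-0931-49c7-a1b8-9b5814326b7d.aabbccddeeff;
   secret "REDACTED"; ## SECRET-DATA
   services netconf;
   cloud-host.example {
      port 2200;
   }
}
"""
SAMPLE_CONNECTIONS = "tcp4  0  0  192.0.2.10.49152  198.51.100.20.2200  ESTABLISHED\n"

if __name__ == "__main__":
    for problem in check_outbound_ssh(SAMPLE_CONFIG, SAMPLE_CONNECTIONS) or ["all checks passed"]:
        print(problem)
```

Redact the "secret" value before saving or sharing the configuration output that is fed to this script.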