Just came across a useful debugging guide for site-to-site IPSec VPNs on Juniper SRX. It is a bit confusing because in steps 2 and 3, where it says [LOCAL PEER IP] it should actually say [REMOTE PEER IP]. But otherwise, this is a very useful set of instructions.
It doesn’t mention that you should also watch the lifetime of the IKE and IPSec security associations, and keep an eye on the SA index or ID. If the index number keeps changing, your tunnel is going down and coming back up all the time. If the lifetime regularly resets to its maximum value instead of counting down steadily to zero, that indicates the same thing.
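As an added illustration (not from this post or from the guide it links to), here is a small Python checker that applies that advice to successive polls of `show security ipsec security-associations`: it parses each snapshot, and for every inbound/outbound SA compares the SA index, SPI and remaining lifetime with the previous poll. A lifetime that jumps back up while plenty of time was still left, or an SA index that changes, is reported as a flap; a reset near expiry is reported as an ordinary rekey. The snapshots are constructed to approximate the Junos column layout rather than captured from a device, and the 600 s rekey margin and 5 s tolerance are assumed thresholds to tune for your own lifetimes. The same approach works for the IKE SA index from `show security ike security-associations`.

```python
import re
from dataclasses import dataclass

# Constructed snapshots approximating the layout of Junos
# 'show security ipsec security-associations' (not captured from a real SRX).
# Each entry is (seconds since the first poll, command output).
SNAPSHOTS = [
    (0, """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha256 d8a1c0a5 3500/ unlim - root 500 203.0.113.2
  >131073 ESP:aes-cbc-256/sha256 7f33b52e 3500/ unlim - root 500 203.0.113.2
"""),
    (60, """\
  <131073 ESP:aes-cbc-256/sha256 d8a1c0a5 3440/ unlim - root 500 203.0.113.2
  >131073 ESP:aes-cbc-256/sha256 7f33b52e 3440/ unlim - root 500 203.0.113.2
"""),
    # Lifetime back at 3600 only 60 s later: the tunnel was torn down and rebuilt.
    (120, """\
  <131073 ESP:aes-cbc-256/sha256 0a1b2c3d 3600/ unlim - root 500 203.0.113.2
  >131073 ESP:aes-cbc-256/sha256 4e5f6071 3600/ unlim - root 500 203.0.113.2
"""),
    # SA index changed as well: another down/up cycle.
    (180, """\
  <131074 ESP:aes-cbc-256/sha256 9abc0123 3590/ unlim - root 500 203.0.113.2
  >131074 ESP:aes-cbc-256/sha256 5678def0 3590/ unlim - root 500 203.0.113.2
"""),
    # Reset close to expiry: a normal scheduled rekey, not a flap.
    (3600, """\
  <131074 ESP:aes-cbc-256/sha256 11223344 3600/ unlim - root 500 203.0.113.2
  >131074 ESP:aes-cbc-256/sha256 55667788 3600/ unlim - root 500 203.0.113.2
"""),
]

# One SA row: direction, ID, algorithm, SPI, life-sec/kb, Mon, lsys, Port, Gateway.
SA_LINE = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-fA-F]+)\s+(\d+)/\s*(\S+)\s+\S+\s+\S+\s+\d+\s+(\S+)"
)


@dataclass(frozen=True)
class SaRecord:
    direction: str   # '<' inbound, '>' outbound
    sa_id: int
    spi: str
    life_sec: int
    gateway: str


@dataclass(frozen=True)
class Finding:
    at_sec: int
    gateway: str
    direction: str
    severity: str    # "flap" or "rekey"
    reasons: tuple


def parse_ipsec_sa(text):
    """Extract the SA rows from one snapshot; header/other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            records.append(SaRecord(m.group(1), int(m.group(2)), m.group(4),
                                    int(m.group(5)), m.group(7)))
    return records


def analyse(snapshots, rekey_margin_sec=600, tolerance_sec=5):
    """Compare consecutive polls per (gateway, direction) and classify changes."""
    findings = []
    prev_t, prev = None, {}
    for t, text in snapshots:
        cur = {(r.gateway, r.direction): r for r in parse_ipsec_sa(text)}
        for key, r in cur.items():
            p = prev.get(key)
            if p is None:
                continue
            # Where the counter should be if it had counted down steadily.
            expected = p.life_sec - (t - prev_t)
            reasons, severity = [], None
            if r.sa_id != p.sa_id:
                reasons.append(f"SA index changed {p.sa_id} -> {r.sa_id}")
                severity = "flap"
            if r.life_sec > expected + tolerance_sec:
                if expected > rekey_margin_sec:
                    reasons.append(f"lifetime reset to {r.life_sec}s with ~{expected}s still left")
                    severity = "flap"
                else:
                    reasons.append(f"lifetime reset to {r.life_sec}s near expiry (~{expected}s left)")
                    severity = severity or "rekey"
            if r.spi != p.spi:
                reasons.append(f"SPI {p.spi} -> {r.spi}")
                severity = severity or "rekey"
            if reasons:
                findings.append(Finding(t, key[0], key[1], severity, tuple(reasons)))
        prev_t, prev = t, cur
    return findings


def flapping_gateways(findings):
    """Gateways with at least one flap-class finding."""
    return {f.gateway for f in findings if f.severity == "flap"}


if __name__ == "__main__":
    for f in analyse(SNAPSHOTS):
        print(f"t+{f.at_sec}s {f.gateway} {f.direction} [{f.severity}] " + "; ".join(f.reasons))
    print("flapping:", sorted(flapping_gateways(analyse(SNAPSHOTS))))
```

Run it against the constructed polls and it reports flaps at t+120 s and t+180 s for both directions and a plain rekey at t+3600 s. In practice you would feed it the output of the command run every minute or so, and set the margin a little above the difference between the hard lifetime and the point at which the SRX starts its rekey.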
Particularly interesting is the way the author splits out the sections on troubleshooting the packet flow within the VPN, versus the packet flow of the VPN crypto itself. I’ve not used packet-filters in flow debug before, so will definitely be trying that out.