Hello,
It looks like the SA is UP if it's seen as A.
Please capture the below when traffic is failing:
get sa
Using the HEX ID from the above output, run the below multiple times and see if the in/out bytes are incrementing when traffic is failing:
get sa id 0x00000001 (If ID is seen as 00000001)
Capture debugs:
set ff src-ip <source ip> dst-ip <destination ip> (use one source and destination ip for the traffic to be sent over tunnel)
set ff src-ip <destination ip> dst-ip <source ip>
set dbuf size 4096
debug flow basic
initiate traffic
undebug all
get db st
This will show if the packet is failing some check in the flow.
You can refer to the KB link https://kb.juniper.net/InfoCenter/index?page=content&id=KB4896 for a sample working debug.
Thanks,
Pranita