This article goes over troubleshooting for a route for the IPSec tunnel, showing inactive even though the IPSec tunnel is up.

1. Check if the Phase 1 and Phase 2 selectors of the IPSec tunnel are up by going to Dashboard -> Network and then selecting 'IPSec'.
   Check the tunnel and see if the Phase 1 and Phase 2 are showing up as shown below:

2. Check the route for the subnet that is on the other side of the IPSec tunnel. Use this command to check the route:
   
   get router info routing-table details <Remote IP>
   
   

In this example, the remote IP is 192.168.1.1, so the command for that would be:

If it shows as ‘inactive’, then check the link-monitor using the following command:

config system link-monitor
show full-configuration

If a link monitor related to the tunnel is visible, it can be an issue with the route showing inactive.

Here is an example:

To fix the issue, disable the link monitor using the following command:

config system link-monitor
    edit <number related to the tunnel link monitor>
        set status disable
end

3. Check the routing table again, and the route will show as active:

Other causes: This will be the same behavior if the interface is a part of the SD-WAN zone and if the interface is mentioned in the performance SLA. If the performance SLA is down, the route for that interface will become inactive as well.

4. Dial-up tunnel shows inactive route, if using a user's IP range the same as the MGMT IP subnet range: 
   

For Example: 

   config system interface

    edit "mgmt" 

        set vdom "root" 

        set ip 172.16.0.1 255.255.255.0 

        set type physical 

        set dedicated-to management 

        set role lan 

    next 

end

config vpn ipsec phase1-interface 

    edit Dialup-Tunnel 

        set type iprange 

        set start-ip 172.16.0.1 

        set end-ip 172.16.0.20 

    next 

end

Below are routes when having the user's IP part of the MGMT IP subnet range: 

get router info routing-table details 172.16.0.1 

Routing table for VRF=0 
Routing entry for 172.16.0.1/32 
   Known via "static", distance 15, metric 0 

  * via Dialup-Tunnel tunnel 10.10.10.2 inactive 

After changing the iprange from 172.16.0.x to 192.168.10.x it shows the active best route now. 

config vpn ipsec phase1-interface 

    edit Dialup-Tunnel 

        set type iprange 

        set start-ip 192.168.10.1 

        set end-ip 192.168.10.20 

    next 

get router info routing-table details 192.168.10.1 

Routing table for VRF=0 
Routing entry for 192.168.10.1/32 
   Known via "static", distance 15, metric 0, best 
   * via Dialup-Tunnel tunnel 10.10.10.2 vrf 0, tun_id 

5. If the aggregate member option is enabled in a site-to-site IPsec tunnel but no aggregate members are configured,
   the static route will remain inactive even though the IPsec tunnel is up. Refer to this article for troubleshooting
   steps: Technical Tip: How to troubleshoot if an IPsec tunnel route displays a 'Null0' interface in the rout...

Related articles:

Technical Tip: How to identify Inactive Routes in the Routing Table 

Technical Tip: IPsec VPN: Site-to-Site tunnel monitor