View the Tunnel Status
Updated on
Apr 4, 2024
The tunnel status tells you whether valid IKE phase-1 and phase-2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it can’t indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine whether the path is still usable. If the IP address is unreachable, the firewall takes the configured action: it either waits for the tunnel to recover or fails over. When a failover occurs, the existing tunnel is torn down, and routing changes are triggered to set up a new tunnel and redirect traffic. You can specify the number of heartbeats to wait before taking the specified action, and the interval between heartbeats. For tunnel monitoring, a monitor status of down indicates that the monitored destination IP address is not reachable, and a status of off indicates that the tunnel monitor is not configured.
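The heartbeat behavior described above can be modeled in a few lines. This is an added example, not Palo Alto Networks code: the class, field names, and the action labels `wait-recover` and `fail-over` are assumptions, and the model only tracks the monitor status and records which action would be triggered; it does not tear down or rebuild tunnels.

```python
from dataclasses import dataclass, field

@dataclass
class TunnelMonitor:
    """Simplified model of a tunnel monitor (assumed semantics, not PAN-OS code)."""
    threshold: int            # heartbeats to wait (missed in a row) before acting
    interval_s: int           # seconds between heartbeats
    action: str               # "wait-recover" or "fail-over" (labels assumed here)
    enabled: bool = True      # False models "tunnel monitor not configured"
    missed: int = 0
    status: str = "up"
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.action not in ("wait-recover", "fail-over"):
            raise ValueError(f"unknown action: {self.action}")
        if self.threshold < 1 or self.interval_s < 1:
            raise ValueError("threshold and interval must be positive")
        if not self.enabled:
            self.status = "off"

    def heartbeat(self, tick: int, reply: bool) -> str:
        """Record one probe result and return the monitor status."""
        if not self.enabled:
            return self.status
        t = tick * self.interval_s          # seconds since monitoring started
        if reply:
            if self.status == "down":
                self.events.append((t, "recovered"))
            self.missed, self.status = 0, "up"
        else:
            self.missed += 1
            if self.missed >= self.threshold and self.status != "down":
                self.status = "down"        # monitored IP considered unreachable
                self.events.append((t, self.action))
        return self.status

def replay(monitor, replies):
    """Feed a sequence of probe results (True = reply) through the monitor."""
    return [monitor.heartbeat(i + 1, r) for i, r in enumerate(replies)]

# Constructed sample: two isolated losses, then a sustained outage, then recovery.
SAMPLE = [True, False, True, False, False, False, False, True]

if __name__ == "__main__":
    m = TunnelMonitor(threshold=3, interval_s=3, action="fail-over")
    print(replay(m, SAMPLE))
    print(m.events)
```

Isolated losses below the threshold never change the status, so the threshold and interval together set how long an outage can last before the firewall reacts.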
You can view the following status of an IPSec VPN tunnel:
- IPSec tunnel status—Provides the connection status for an IPSec VPN session.
- IKE gateway status—Provides the IKE phase 1 SA status.
- VPN flow or tunnel interface status—Provides the IPSec tunnel interface status.
You can also execute the show commands in the command-line interface to view status information about active IPSec tunnels. The show commands display status output for all the IPSec tunnels, and they display information for an individual tunnel when you specify the tunnel ID.
View the IPSec VPN Tunnel status of the firewalls in PAN-OS.
Select Network > IPSec Tunnels.
View the Tunnel Status.
- Green indicates a valid IPSec SA tunnel.
- Red indicates that IPSec SA isn’t available or has expired.
View the IKE Gateway Status.
- Green indicates a valid IKE phase-1 SA.
- Red indicates that IKE phase-1 SA isn’t available or has expired.
View the Tunnel Interface Status.
- Green indicates that the tunnel interface is up.
- Red indicates that the tunnel interface is down, because tunnel monitoring is enabled and the status is down.
To troubleshoot a VPN tunnel that isn’t yet up, see Interpret VPN Error Messages.
View the IPSec VPN Tunnel status of the firewalls in the Strata Cloud Manager.
Log in to Strata Cloud Manager.
Select Manage > Configuration > NGFW and Prisma Access > Device Settings > IPSec Tunnels and select Monitor.
Select the Configuration Scope to view the IPSec VPN tunnel status. You can select a folder or firewall from your Folders to monitor the IPSec VPN tunnel that you created on the firewalls:
- To view the status of the IPSec tunnels on all the firewalls, select the All Firewalls folder.
- To view the status of the IPSec tunnels for the group of firewalls associated with a folder, select the specific folder.
- To view the status of the IPSec tunnels on a specific firewall, select the firewall.
If you have created the VPN cluster using Auto VPN, then monitor those tunnels in the Auto VPN (Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN) page.
You can monitor only on-premises firewalls and not the components managed by Prisma Access.
Monitoring is disabled at the Global and snippet level. Therefore, you can create an IPSec tunnel in the global or snippet configuration scope, but you can monitor the IPSec tunnel only at the folder or firewall level.
View the VPN Cluster Tunnel Status that provides the graphical representation of the number of tunnels that are up, the number of tunnels that are down, and the number of tunnels that are partially up.
View the IPSec SA Status in IPSec Tunnels.
- Green (UP) indicates a valid IPSec SA tunnel. Select UP to view detailed information about the IPSec tunnel.
- Red (DOWN) indicates that IPSec SA isn’t available or has expired. Select DOWN to view the detailed information to interpret the reason for failure.
View the IKE SA Status in IPSec Tunnels.
- Green (UP) indicates a valid IKE phase-1 SA. Select UP to view detailed information about the IKE gateway.
- Red (DOWN) indicates that IKE phase-1 SA isn’t available or has expired. Select DOWN to view the detailed information to interpret the reason for failure.
View the VPN Flow Status for VPN traffic flow information in IPSec Tunnels.
- Green (UP) indicates that the IPSec tunnel is up. Select UP to view detailed information about the VPN traffic flow.
- Red (DOWN) indicates that the IPSec tunnel is down. Select DOWN to view the detailed information to interpret the reason for failure.
Select Add New Filter, and select the field to view the results based on the selected field. For example, Add New Filter by selecting the Device Name from the list, to view the IPSec tunnel status for the selected device.
Select Reset Filters to remove one or more filters.
Select Update Status to update all the IPSec tunnel monitoring data present at that level (firewall, folder, or all firewalls).