How to check Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel
Created On 09/25/18 19:10 PM - Last Modified 04/20/20 21:49 PM
Resolution
*Overview*
*Details*
*1. Initiate VPN IKE phase 1 and phase 2 SA manually.*
*GUI:*
Navigate to Network->IPSec Tunnels
GREEN indicates up
RED indicates down
You can click on the IKE info to get the details of the Phase1 SA.
*ike phase1 sa up:*
*CLI:*
*ike phase1 sa up:*
OR
If the phase 1 SA is down, you will not see the peer IP or the Established
status.
*For IKEv2*, the IKE Info details appear the same when you click on IKE
Info.
*GUI:*
*ikev2 CLI:*
IKEv2 SAs
*GUI:*
Navigate to Network->IPSec Tunnels
GREEN indicates up
RED indicates down
You can click on the Tunnel info to get the details of the Phase2 SA.
*CLI:*
tunnel ipsec-tunnel:lab-proxyid1
id: 139
type: IPSec
gateway id: 38
state: active
session: 568665
monitor: off
protocol: ESP
proxy-id:
protocol: 0
local port: 0
remote port: 0
copy tos: no
authentication errors: 0
decryption errors: 0
replay packets: 0
packets received when lifetime expired: 0
owner state: 0
ownership: 1
Run the above command, *show vpn flow tunnel-id <id>*, multiple times to
check the trend in counter values.
Constant increments in authentication errors, decryption errors, or replay
packets indicate an issue with the tunnel traffic.
When there is normal traffic flow across the tunnel, the encap/decap
packets/bytes increment.
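The trend check described above can be automated over saved runs of the command. The following is an added example, not code from the original article or from Palo Alto Networks; the function names, the "encap packets"/"decap packets" field names and the sample output are assumptions constructed for illustration.

```python
import re

# Error counters named in the article; steady growth in any of them means trouble.
ERROR_COUNTERS = ("authentication errors", "decryption errors", "replay packets")
# Counters that should grow under normal traffic. Exact field names are assumed
# from the article's "encap/decap packets/bytes" wording.
TRAFFIC_COUNTERS = ("encap packets", "decap packets")

def parse_counters(text):
    """Return {field: int} for every 'field: <integer>' line of one command run."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /-]*?)\s*:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    return counters

def deltas(parsed, name):
    """Change in one counter between each pair of consecutive runs."""
    return [b.get(name, 0) - a.get(name, 0) for a, b in zip(parsed, parsed[1:])]

def assess(snapshots):
    """Flag error counters that rise in every interval and traffic counters that never rise."""
    parsed = [parse_counters(s) for s in snapshots]
    findings = []
    for name in ERROR_COUNTERS:
        d = deltas(parsed, name)
        if d and all(x > 0 for x in d):
            findings.append(f"{name}: constant increments {d}")
    for name in TRAFFIC_COUNTERS:
        d = deltas(parsed, name)
        if d and not any(x > 0 for x in d):
            findings.append(f"{name}: not incrementing")
    return findings

def make_snapshot(encap, decap, auth, decrypt, replay):
    """Constructed sample output (values invented), not captured from a firewall."""
    return (f"tunnel  ipsec-tunnel:lab-proxyid1\n  id: 139\n  state: active\n"
            f"  encap packets: {encap}\n  decap packets: {decap}\n"
            f"  authentication errors: {auth}\n  decryption errors: {decrypt}\n"
            f"  replay packets: {replay}\n")

SNAPSHOTS = [make_snapshot(1000, 900, 0, 2, 0),
             make_snapshot(1500, 900, 0, 7, 0),
             make_snapshot(2100, 900, 0, 15, 0)]

if __name__ == "__main__":
    for finding in assess(SNAPSHOTS):
        print(finding)
```

In the constructed sample, decryption errors rise in every interval while decap packets stay flat, so both are reported; encap packets keep incrementing and are not flagged.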
*5. Clear*
The following commands will tear down the VPN tunnel: