
How to check Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel

Created On 09/25/18 19:10 PM - Last Modified 04/20/20 21:49 PM
Tags: IKE, IPSec, VPNs, Hardware, PAN-OS

Resolution

*Overview*

This document can be used to verify the status of an IPSEC tunnel, validate tunnel monitoring, clear the tunnel, and restore the tunnel.

*Details*

*1. Initiate the VPN IKE phase 1 and phase 2 SAs manually.*

The VPN tunnel is negotiated only when there is interesting traffic destined to the tunnel (on-demand).
If you want to initiate the tunnel manually, without actual traffic, you can use the commands below.
/Note: Manual initiation is possible only from the CLI./

> test vpn ike-sa
Start time: Dec.04 00:03:37
Initiate 1 IKE SA.

> test vpn ipsec-sa
Start time: Dec.04 00:03:41
Initiate 1 IPSec SA.

*2. Check IKE phase 1 status (in case of IKEv1)*

*GUI:*
Navigate to Network->IPSec Tunnels

GREEN indicates up
RED indicates down

You can click on the IKE Info to get the details of the phase 1 SA.
*ike phase1 sa up:*
[screenshot omitted]

/If the IKE phase 1 SA is down, the IKE Info would be empty./

*CLI:*
*ike phase1 sa up:*

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address   Gateway Name  Role  Mode  Algorithm             Established      Expiration       V   ST  Xt  Phase2
--------------  ------------   ------------  ----  ----  ---------             -----------      ----------       -   --  --  ------
38              203.0.113.100  ike-gw        Init  Main  PSK/DH20/A256/SHA512  Dec.03 22:37:01  Dec.04 06:37:01  v1  13  1   1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name  TnID  Tunnel                  GwID/IP  Role  Algorithm       SPI(in)   SPI(out)  MsgID     ST  Xt
------------  ----  ------                  -------  ----  ---------       -------   --------  -----     --  --
ike-gw        139   ipsec-tunnel:lab-proxy  38       Init  ESP/DH20/tunl/  A25ADE56  C79A64B7  B3E9927A  9   1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

There is no IKEv2 SA found.

*ike phase1 sa down:*

> show vpn ike-sa

There is no IKEv1 phase-1 SA found.

OR

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address   Gateway Name  Role  Mode  Algorithm  Established  Expiration  V   ST  Xt  Phase2
--------------  ------------   ------------  ----  ----  ---------  -----------  ----------  -   --  --  ------
38              203.0.113.100  ike-gw        Init  Main  PSK/ /     /                        v1  3   2   0

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

If the phase-1 SA is down, you would not see the peer IP and the Established status.

*For IKEv2*, the IKE Info details appear the same when you click on IKE Info.
*GUI:*
[screenshot omitted]

*ikev2 CLI:*

> show vpn ike-sa

There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID  Peer-Address   Gateway Name  Role  SN  Algorithm             Established      Expiration       Xt  Child  ST
----------  ------------   ------------  ----  --  ---------             -----------      ----------       --  -----  --
38          203.0.113.100  ike-gw        Resp  2   PSK/DH20/A256/SHA512  Dec.04 00:10:58  Dec.04 08:10:58  0   1      Established

IKEv2 IPSec Child SAs
Gateway Name  TnID  Tunnel                     ID  Parent  Role  SPI(in)   SPI(out)  MsgID     ST
------------  ----  ------                     --  ------  ----  -------   --------  -----     --
ike-gw        139   ipsec-tunnel:lab-proxyid1  2   2       Resp  DA76A187  9E1E9372  00000001  Mature

Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.

*3. To check if the phase 2 IPsec tunnel is up:*

*GUI:*
Navigate to Network->IPSec Tunnels

GREEN indicates up
RED indicates down

You can click on the Tunnel Info to get the details of the phase 2 SA.
[screenshot omitted]

*CLI:*

> show vpn ipsec-sa

GwID/client IP  TnID  Peer-Address   Tunnel(Gateway)                    Algorithm  SPI(in)   SPI(out)  life(Sec/KB)
--------------  ----  ------------   ---------------                    ---------  -------   --------  ------------
38              139   203.0.113.100  ipsec-tunnel:lab-proxyid1(ike-gw)  ESP/G256/  F2B7CEF0  F248D17B  2269/0

*4. Check encryption and decryption (encap/decap) across the tunnel*

Find the tunnel id using the command below:

> show vpn flow

total tunnels configured: 1
filter - type IPSec, state any
total IPSec tunnel configured: 1
total IPSec tunnel shown: 1

id   name                       state   monitor  local-ip        peer-ip        tunnel-i/f
--   ----                       -----   -------  --------        -------        ----------
139  ipsec-tunnel:lab-proxyid1  active  off      198.51.100.100  203.0.113.100  tunnel.1

*Note:* For tunnel monitoring, a monitor status of down indicates that the destination IP being monitored is not reachable; off indicates that tunnel monitoring is not configured.

Note the tunnel id; in this example the tunnel id is 139.

> show vpn flow tunnel-id 139

tunnel ipsec-tunnel:lab-proxyid1

id: 139

type: IPSec

gateway id: 38

local ip: 198.51.100.100

peer ip: 203.0.113.100

inner interface: tunnel.1

outer interface: ethernet1/1

state: active

session: 568665

tunnel mtu: 1432


soft lifetime: 3579

hard lifetime: 3600

lifetime remain: 2154 sec

lifesize remain: N/A

latest rekey: 1446 seconds ago

monitor: off

monitor packets seen: 0

monitor packets reply:0

en/decap context: 736

local spi: F2B7CEF0

remote spi: F248D17B

key type: auto key

protocol: ESP

auth algorithm: SHA512

enc algorithm: AES256GCM16

proxy-id:

local ip: 10.133.133.0/24

remote ip: 10.134.134.0/24

protocol: 0

local port: 0

remote port: 0

anti replay check: yes

copy tos: no

enable gre encap: no

authentication errors: 0

decryption errors: 0

inner packet warnings: 0

replay packets: 0

packets received
when lifetime expired:0

when lifesize expired:0

sending sequence: 4280

receive sequence: 4280

encap packets: 8153

decap packets: 8153

encap bytes: 717464

decap bytes: 717464

key acquire requests: 90

owner state: 0

owner cpuid: s1dp0

ownership: 1

Run the above command, *show vpn flow tunnel-id <id>*, multiple times to check the trend in the counter values.
Constant increments in authentication errors, decryption errors or replay packets indicate an issue with the tunnel traffic.
When there is normal traffic flow across the tunnel, the encap/decap packets/bytes counters increment.
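As an added example (not part of the article), the following Python applies the rule of thumb above to two successive captures of `show vpn flow tunnel-id <id>`: it parses the key/value lines, diffs the error and encap/decap counters, and flags a tunnel whose error counters are climbing or whose monitor target is down. The two snapshots are constructed and abridged from the output format shown above; the function names are my own.

```python
import re

# Counter names as printed by "show vpn flow tunnel-id <id>" (see the output above).
ERROR_COUNTERS = ("authentication errors", "decryption errors", "replay packets")
TRAFFIC_COUNTERS = ("encap packets", "decap packets", "encap bytes", "decap bytes")

def parse_vpn_flow(text):
    """Map each 'key: value' line to a dict; a repeated key (proxy-id block) overwrites."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z/ \-]+?)\s*:\s*(.*?)\s*$", line, re.IGNORECASE)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields

def counter_deltas(before, after, names):
    """Difference of each integer counter present in both snapshots; others are skipped."""
    return {n: int(after[n]) - int(before[n]) for n in names
            if n in before and n in after and before[n].isdigit() and after[n].isdigit()}

def assess_tunnel(snapshot1, snapshot2):
    """Classify the trend between two captures of the same tunnel, per the rule above."""
    before, after = parse_vpn_flow(snapshot1), parse_vpn_flow(snapshot2)
    errors = counter_deltas(before, after, ERROR_COUNTERS)
    traffic = counter_deltas(before, after, TRAFFIC_COUNTERS)
    if any(v > 0 for v in errors.values()):
        verdict = "errors-increasing"            # auth/decrypt/replay counters climbing
    elif after.get("monitor") == "down":
        verdict = "monitor-target-unreachable"   # tunnel monitor cannot reach its IP
    elif not any(v > 0 for v in traffic.values()):
        verdict = "no-traffic"                   # nothing encapsulated or decapsulated
    else:
        verdict = "ok"
    return {"state": after.get("state"), "verdict": verdict,
            "errors": errors, "traffic": traffic}

# Constructed snapshots (abridged): in the second, decryption errors rise while the
# decap counter stalls, i.e. inbound ESP is arriving but cannot be decrypted.
SNAPSHOT_1 = """\
        state:                  active
        monitor:                off
        authentication errors:  0
        decryption errors:      0
        replay packets:         0
        encap packets:          8153
        decap packets:          8153
"""
SNAPSHOT_2 = (SNAPSHOT_1.replace("decryption errors:      0", "decryption errors:      12")
                        .replace("encap packets:          8153", "encap packets:          8210"))
```

Feed it two captures taken some seconds apart (for example from a scripted SSH session), since only the trend between snapshots is meaningful, not a single reading.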

*5. Clear*

The following commands will tear down the VPN tunnel:

> clear vpn ike-sa gateway <gw-name>

Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel <tunnel-name>

Delete IKEv1 IPSec SA: Total 1 tunnels found.

© 2024 Palo Alto Networks, Inc. All rights reserved.
