Focus

Network Security

Troubleshoot Site-to-Site VPN Issues Using CLI

Table of Contents

Troubleshoot Your IPSec VPN Tunnel Connection

Quantum Security Concepts

Troubleshoot Site-to-Site VPN Issues Using CLI

Troubleshoot site-to-site VPN issues using show, clear, test, and debug commands.

Where Can I Use This?	What Do I Need?
PAN-OS	No license required

Use the following CLI commands to troubleshoot phase 1 and phase 2 site-to-site VPN issues:

Show Commands

If you want to . . .	Use . . .
Display the basic statistics of all VPN tunnels	> show running tunnel flow info
Display the IKE SA for a given gateway	> show vpn ike-sa gateway `<gateway>` \| match `<x.x.x.x/Y>`
Display the IKE SA for a given tunnel	> show vpn ike-sa tunnel `<tunnel>`
Display IPSec counters	> show vpn flow
Display the list of all IPSec gateways and their configurations	> show vpn gateway
Display IKE phase 1 SAs	> show vpn ike-sa
Display IKE phase 2 SAs	> show vpn ipsec-sa
Display the list of auto-key IPSec tunnel configurations	> show vpn tunnel

Clear Commands

If you want to . . .	Use . . .
Delete the IKEv1 IKE SA for a given gateway	> clear vpn ike-sa gateway `<gateway>`
Delete the IKEv1 IKE SA for a given tunnel	> clear vpn ike-sa tunnel `<tunnel>`
Delete the IKEv1 IPSec SA for a given tunnel	> clear vpn ipsec-sa tunnel `<tunnel>`

Test Commands

If you want to . . .	Use . . .
Initiate an IKE negotiation with the designated gateway	> test vpn ike-sa gateway `<gateway>`
Initiate an IPSec negotiation for the designated tunnel	> test vpn ipsec-sa tunnel `<tunnel>`

Debug Commands

If you want to . . .	Use . . .
Turn on debugging to view detailed logging and status	> debug ike global on debug less mp-log ikemgr.log debug ike stat
Packet capture to view and to capture main, aggressive, and quick mode negotiations.	> debug ike pcap on view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
Turn off debugging	> debug ike pcap off

Troubleshoot Your IPSec VPN Tunnel Connection

Quantum Security Concepts