>
    Strata Copilot
    Verify IPSec VPN Tunnel Transmit Traffic
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Troubleshooting
    4. Verify IPSec VPN Tunnel Transmit Traffic
    Download PDF
    Network Security

    Verify IPSec VPN Tunnel Transmit Traffic

    Table of Contents

    Verify IPSec VPN Tunnel Transmit Traffic

    This topic explains the architectural limitation causing transmitted inner packets to be missing from packet captures on IPSec tunnel interfaces along with the workround.
    Where Can I Use This?What Do I Need?
    • PAN-OS
    		No license required
    When troubleshooting IPsec VPN traffic using packet capture on a logical tunnel interface (for example, tunnel.1), you may observe incoming packets while the outgoing inner traffic remains invisible.
    In Palo Alto Networks firewalls, the packet capture utility intercepts traffic at four specific dataplane stages: receive (Rx), firewall, drop, and transmit (Tx).
    StageCapture Point Description
    ReceiveCaptured as the packet enters the physical interface.
    FirewallCaptured during the security policy and session lookup.
    DropCaptured if the packet is discarded (for example, threat or policy deny).
    TransmitCaptured as the packet exits; for tunnels, this only shows encrypted data.
    The reason unencrypted "inner" traffic is missing from transmitted (Tx) captures on a logical tunnel interface is due to the sequence of the firewall’s packet-processing pipeline.
    When a packet is destined for an IPsec VPN, the firewall encrypts it before it leaves the device. The observation point for a logical tunnel interface is typically positioned at a stage where the data has already been transformed:
    • Rx (Received): The firewall has already stripped away the encryption, allowing you to see the "clear text" packet as it enters the system.
    • Tx (Transmitted): The firewall performs encryption and encapsulation before the packet reaches the final capture hook.
    By the time the packet is processed for transmission, the original IP header and payload have been wrapped inside an Encapsulating Security Payload (ESP) header. Because the "inner" packet no longer exists in its raw form at the exit point of the logical interface, the packet capture tool only sees the resulting encrypted traffic or, in many cases, misses the transmission stage entirely because the packet has been handed off to the encryption hardware.
    Since you cannot rely on a standard packet capture to view the inner Tx traffic on a tunnel interface, you should use the following methods to verify that traffic is successfully leaving the firewall:
    • Rely on Encapsulation Counters—Verify that the firewall is actively encrypting the traffic rather than looking for the packet itself.
      Run the following CLI command and view the IPSec counters: 
      show vpn flow name <tunnel_name>
      You can also run the following CLI command to check the dataplane counters.
      show counter global filter packet-filter yes delta yes
      If the encapsulation counters are incrementing, it proves that the Tx traffic successfully entered the tunnel.
    • Capture Inner Traffic on the Remote IPsec Peer—To confirm the packet was received and to view the actual inner payload, check the remote peer.
      Run a capture for the same IP pairs on the receiving end (the terminated remote peer) after the traffic has been successfully decrypted.
    • Capture on the Physical Egress Interface and Decrypt—Run the capture on the physical outside interface (for example, ethernet1/1) instead of the logical tunnel interface.
      This allows you to view the encrypted ESP (Protocol 50) or UDP-encapsulated ESP (Port 4500) packets leaving the firewall, which proves the Tx traffic is actually transmitting. You can then export this ESP packet capture and manually decrypt it offline using a capture tool.

    © 2026 Palo Alto Networks, Inc. All rights reserved.