View the Tunnel Status

Where Can I Use This?
  • PAN-OS
  • Strata Cloud Manager
What Do I Need?
  • No license required
  • AIOps for NGFW Premium license

The status of the tunnel informs you about whether or not valid IKE phase-1 and phase-2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it can’t indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or fail over. When a failover occurs, the existing tunnel is torn down, and routing changes are triggered to set up a new tunnel and redirect traffic.

PAN-OS

View the IPSec VPN Tunnel status of the firewalls in PAN-OS.
  1. Select Network > IPSec Tunnels.
  2. View the Tunnel Status.
    • Green indicates a valid IPSec SA tunnel.
    • Red indicates that IPSec SA isn’t available or has expired.
  3. View the IKE Gateway Status.
    • Green indicates a valid IKE phase-1 SA.
    • Red indicates that IKE phase-1 SA isn’t available or has expired.
  4. View the Tunnel Interface Status.
    • Green indicates that the tunnel interface is up.
    • Red indicates that the tunnel interface is down, because tunnel monitoring is enabled and the status is down.
    To troubleshoot a VPN tunnel that isn’t yet up, see Interpret VPN Error Messages.

Strata Cloud Manager

View the IPSec VPN Tunnel status of the firewalls in the Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Device Settings > IPSec Tunnels and select Monitor.
  3. Select the Configuration Scope to view the IPSec VPN tunnel status. You can select a folder or firewall from your Folders to monitor the IPSec VPN tunnel that you created on the firewalls:
    • To view the status of the IPSec tunnels on all the firewalls, select the All Firewalls folder.
    • To view the status of the IPSec tunnels for the group of firewalls associated with a folder, select the specific folder.
    • To view the status of the IPSec tunnels on a specific firewall, select the firewall.
    • If you have created the VPN cluster using Auto VPN, then monitor those tunnels in the Auto VPN (Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN) page.
    • You can monitor only on-premises firewalls and not the components managed by Prisma Access.
    • Monitoring is disabled at the global and snippet levels. Therefore, you can create an IPSec tunnel in the global or snippet configuration scope, but you can monitor the IPSec tunnel only at the folder or firewall level.
  4. View the VPN Cluster Tunnel Status that provides the graphical representation of the number of tunnels that are up, the number of tunnels that are down, and the number of tunnels that are partially up.
  5. View the IPSec SA Status in IPSec Tunnels.
    • Green (UP) indicates a valid IPSec SA tunnel. Select UP to view detailed information about the IPSec tunnel.
    • Red (DOWN) indicates that IPSec SA isn’t available or has expired. Select DOWN to view the detailed information to interpret the reason for failure.
  6. View the IKE SA Status in IPSec Tunnels.
    • Green (UP) indicates a valid IKE phase-1 SA. Select UP to view detailed information about the IKE gateway.
    • Red (DOWN) indicates that IKE phase-1 SA isn’t available or has expired. Select DOWN to view the detailed information to interpret the reason for failure.
  7. View the VPN Flow Status for VPN traffic flow information in IPSec Tunnels.
    • Green (UP) indicates that the IPSec tunnel is up. Select UP to view detailed information about the VPN traffic flow.
    • Red (DOWN) indicates that the IPSec tunnel is down. Select DOWN to view the detailed information to interpret the reason for failure.
  8. Select Add New Filter, and select the field to view the results based on the selected field. For example, Add New Filter by selecting the Device Name from the list, to view the IPSec tunnel status for the selected device.
    Select Reset Filters to remove one or more filters.
  9. Select Update Status to update all the IPSec tunnel monitoring data present at that level (firewall, folder, or all firewalls).
