Troubleshooting

Troubleshoot SD-WAN using CLI commands: monitor application and link performance and troubleshoot SD-WAN issues.
Where Can I Use This? | What Do I Need?
  • NGFW
Use the Panorama™ management server command-line interface to view SD-WAN information and perform operations.
Use the following CLI commands to view and clear SD-WAN information and view SD-WAN global counters. You can also view VPN tunnel information, BGP information, and SD-WAN interface information.
If You Want to ... | Use ...
View or Clear SD-WAN Information
  • View path names and IDs for an SD-WAN interface, their state, local and peer IP addresses, and tunnel interface number.
> show sdwan connection all | <sdwan-interface>
  • View the number and percentage of sessions distributed to each tunnel member of a virtual SD-WAN interface.
> show sdwan session distribution policy-name <sdwan-policy-name>
  • View the names of SD-WAN policy rules that send traffic to the specified virtual SD-WAN interface. Additionally, view the traffic distribution method, configured latency, jitter, and packet loss thresholds, link tags identified for the rule, and member tunnel interfaces.
> show sdwan rule vif sdwan.x
  • View SD-WAN events such as the path selection and path quality measurements.
    For PAN-OS 10.0.0 and 10.0.1, when you make an SD-WAN configuration change (such as a Path Quality profile change) that results in a different SD-WAN path being selected, the Traffic log does not count or log the path change.
> show sdwan event
  • Clear SD-WAN events.
> clear sdwan event
  • View latency, jitter, and packet loss on a virtual SD-WAN interface (specify interface number or name).
    Latency, jitter, and packet loss measurements are taken and averaged over three time frames. Each time frame has a health version, which increments when a health parameter value (that exceeds the threshold) changes. In addition to the real-time measurement, there is a current use measurement, which displays the value of the parameter the last time the real-time value change exceeded the threshold.
> show sdwan path-monitor stats vif <sdwan.x>
> show sdwan path-monitor stats vif <sdwan-interface-name>
  • View the name of the SD-WAN policy rule that the specified session matches, the source and destination tunnel interfaces, the configured latency, jitter, and packet loss percentage for the rule, and the traffic distribution method.
    For PAN-OS 10.0.0 and 10.0.1, when you make an SD-WAN configuration change (such as a Path Quality profile change) that results in a different SD-WAN path being selected, the Traffic log does not count or log the path change.
> show sdwan session path-select session-id <session-id>
  • View monitoring mode for the virtual SD-WAN link (Aggressive or Relaxed) and update intervals.
> show sdwan path-monitor parameter path-name <sdwan-path-name>
  • View monitoring mode for the virtual SD-WAN interface (Aggressive or Relaxed), update intervals, and probe statistics.
> show sdwan path-monitor parameter vif <sdwan.x>
View Global Counters to troubleshoot SD-WAN
  • On a branch, verify that the number of SD-WAN probe Request packets transmitted equals the number of probe Reply packets received.
    On a branch firewall, most SD-WAN tunnels are the initiator, which means the tunnel will have SD-WAN path-monitor probing enabled.
> show counter global filter delta yes
flow_sdwan_prob_req_tx
flow_sdwan_prob_reply_rx
  • On a hub, verify that the number of SD-WAN probe Request packets received equals the number of probe Reply packets transmitted.
    On a hub firewall, most SD-WAN tunnels are the responder, which means the tunnel will have SD-WAN path-monitor probing disabled.
> show counter global filter delta yes
flow_sdwan_prob_req_rx
flow_sdwan_prob_reply_tx
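The probe-counter comparison described above, as an added example (not from the original page or from Palo Alto Networks): a Python script that parses saved output of show counter global filter delta yes and compares the request and reply counters for a branch or a hub. The sample output, its column layout, and the function names are constructed assumptions; only the four counter names come from this page.

```python
import re

# Constructed sample of `show counter global filter delta yes` output from a
# branch firewall. Values, column layout and descriptions are illustrative.
SAMPLE_BRANCH = """\
Global counters:
Elapsed time since last sampling: 10.012 seconds

name                        value   rate severity category aspect  description
------------------------------------------------------------------------------
flow_sdwan_prob_req_tx        120     12 info     flow     sdwan   (constructed)
flow_sdwan_prob_reply_rx      113     11 info     flow     sdwan   (constructed)
pkt_sent                     4821    481 info     packet   pktproc (constructed)
"""

# Request/reply counter pairs named on this page, keyed by firewall role.
PAIRS = {
    "branch": ("flow_sdwan_prob_req_tx", "flow_sdwan_prob_reply_rx"),
    "hub": ("flow_sdwan_prob_req_rx", "flow_sdwan_prob_reply_tx"),
}

# A counter row: name, delta value, rate, severity (header and rule lines fail).
ROW = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\S+")


def parse_counters(text):
    """Return {counter_name: delta_value} for every counter row in the output."""
    counters = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def check_probes(text, role):
    """Compare probe requests with replies for role 'branch' or 'hub'."""
    req_name, reply_name = PAIRS[role]
    counters = parse_counters(text)
    # Assumption: a counter that did not change is absent from delta output.
    requests = counters.get(req_name, 0)
    replies = counters.get(reply_name, 0)
    return {
        "requests": requests,
        "replies": replies,
        "unanswered": requests - replies,
        "probing_seen": requests > 0,
        "balanced": requests == replies,
    }
```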
View VPN Tunnel Information
  • View all tunnels created on the firewall.
> show vpn flow
  • View details of individual tunnels identified by name.
> show vpn flow name <name>
  • View details of individual tunnels identified by ID.
> show vpn flow tunnel-id <tunnel-id>
  • View IKE Phase 1 and Phase 2 details for all tunnels.
> show vpn ike-sa
  • View IKEv2 security associations (SAs) and IKEv2 IPSec child SAs of a specific gateway.
> show vpn ike-sa gateway <gateway>
  • View tunnel details.
> show vpn tunnel
View BGP Information
  • View the BGP summary for a virtual router.
> show routing protocol bgp summary virtual-router <virtual-router>
  • View the BGP peer summary.
> show routing protocol bgp peer peer-name <peer-name> virtual-router <virtual-router>
  • View a summary of the local RIB.
> show routing protocol bgp loc-rib
View SD-WAN Interface Information in the RIB and FIB
  • View the new SD-WAN egress interface.
> show routing route
  • View SD-WAN interfaces in the forwarding information base.
> show routing fib
Initiate IKE/IPSec Negotiation
  • Initiate an IKE negotiation with the designated gateway.
> test vpn ike-sa gateway <gateway>
  • Initiate an IPSec negotiation for the designated tunnel.
> test vpn ipsec-sa tunnel <tunnel>
Autonomous Digital Experience Management (ADEM) Commands
(PAN-OS 11.1.8 and PAN-OS 11.2.5 versions)
View the following ADEM connection status details with the SD-WAN plugin:
  • PAN-OS connection to ADEM portal
  • device certificate validity
  • number of applications enabled for testing
> show plugins adem status
View all the configured application tests for an SD-WAN branch.
> show plugins adem applications
View the current logging level for the ADEM agent.
> show plugins adem log-level
View the last set of data sent to the ADEM portal. The result is displayed in JSON format.
Run the request plugins adem enable-message-history command before running show plugins adem message.
> show plugins adem message
View all the valid paths where the ADEM agent has run probes.
> show plugins adem paths
View all the SD-WAN tunnels where the ADEM agent has run probes.
> show plugins adem vpns
Enable the message history for ADEM probes.
> request plugins adem enable-message-history
Disable the message history for ADEM probes.
> request plugins adem disable-message-history
Disable application tests on the SD-WAN branch.
> request plugins adem disable-tests
Enable ADEM probes (if disabled manually).
> request plugins adem enable-tests
Run an on-demand path test for an application over the desired path.
> request plugins adem run-application-path application app_name path path_name
Get the application name by running the show plugins adem applications command.
Get the path name by running the show plugins adem paths command.
Run an on-demand ping test for an application over the desired path.
> request plugins adem run-application-ping application app_name path path_name protocol <icmp|tcp>
Get the application name by running the show plugins adem applications command.
Get the path name by running the show plugins adem paths command.
Run an on-demand cURL test for an application over the desired path.
> request plugins adem run-curl application app_name path path_name
Get the application name by running the show plugins adem applications command.
Get the path name by running the show plugins adem paths command.
Run an on-demand overlay ping test for an SD-WAN tunnel.
> request plugins adem run-vpn-overlay-ping tunnel tunnel_name
Get the tunnel name by running the show plugins adem vpns command.
Run an on-demand underlay ping test for an SD-WAN tunnel.
> request plugins adem run-vpn-underlay-ping tunnel tunnel_name
Get the tunnel name by running the show plugins adem vpns command.
Run an on-demand underlay path test for an SD-WAN tunnel.
> request plugins adem run-vpn-underlay-path tunnel tunnel_name
Get the tunnel name by running the show plugins adem vpns command.
Configure the ADEM agent logging levels:
  • Debug—Logs debugging issues.
  • Error—Logs only errors.
  • Fatal—Logs only fatal errors.
  • Information—Logs agent activity (default).
  • Verbose—Logs additional debug messages with detailed information.
  • Warning—Logs only warnings and errors.
> request plugins adem set-log-level level log_level
View the ADEM log file information. SD-WAN retains the last seven days of ADEM log files.
Along with other SD-WAN log files, ADEM log files are also deleted when you perform a PAN-OS upgrade or downgrade.
> tail follow yes plugins-log <plugin-adem-timestamp.log>
For example:
> tail follow yes plugins-log plugin-adem-20250131.log
The timestamp must be in yyyymmdd format.