Focus

Network Security

View the Tunnel Status

Table of Contents

Enable, Disable, Refresh, or Restart an IKE Gateway or IPSec Tunnel

View the Tunnel Status

Where Can I Use This?	What Do I Need?
PAN-OS	No license required

The status of the tunnel informs you about whether or not valid IKE phase-1 and phase-2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.

Because the tunnel interface is a logical interface, it can’t indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or failover. When a failover occurs, the existing tunnel is torn down, and routing changes are triggered to set up a new tunnel and redirect traffic.

PAN-OS

View the IPSec VPN Tunnel status of the firewalls in PAN-OS.

Select

Network

IPSec Tunnels

View the

Tunnel Status

Green indicates a valid IPSec SA tunnel.

Red indicates that IPSec SA isn’t available or has expired.

View the

IKE Gateway Status

Green indicates a valid IKE phase-1 SA.

Red indicates that IKE phase-1 SA isn’t available or has expired.

View the

Tunnel Interface Status

Green indicates that the tunnel interface is up.

Red indicates that the tunnel interface is down, because tunnel monitoring is enabled and the status is down.

To troubleshoot a VPN tunnel that isn’t yet up, see Interpret VPN Error Messages.

Define a Tunnel Monitoring Profile

Enable, Disable, Refresh, or Restart an IKE Gateway or IPSec Tunnel