The status of the tunnel informs you about
whether or not valid IKE phase-1 and phase-2 SAs have been established,
and whether the tunnel interface is up and available for passing
Because the tunnel interface is a logical interface,
it cannot indicate a physical link status. Therefore, you must enable
tunnel monitoring so that the tunnel interface can verify connectivity
to an IP address and determine if the path is still usable. If the
IP address is unreachable, the firewall will either wait for the
tunnel to recover or fail over. When a failover occurs, the existing
tunnel is torn down and routing changes are triggered to set up
a new tunnel and redirect traffic.
Green indicates a valid IPSec SA tunnel.
Red indicates that IPSec SA is not available or has expired.
IKE Gateway Status
Green indicates a valid IKE phase-1 SA.
Red indicates that IKE phase-1 SA is not available or has
Tunnel Interface Status
Green indicates that the tunnel interface is up.
Red indicates that the tunnel interface is down, because
tunnel monitoring is enabled and the status is down.
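
The tunnel monitoring behaviour described above, as an added example that is not part of the original page and is not vendor code: a simplified Python model of how the tunnel interface indicator changes as probes to the monitored IP address succeed or fail. The consecutive-miss `threshold`, the action labels `wait-recover` and `fail-over`, and the sample probe results are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TunnelMonitor:
    """Simplified model of tunnel monitoring (illustration only)."""
    action: str                 # "wait-recover" or "fail-over" (assumed labels)
    threshold: int = 3          # assumed: consecutive lost probes before "down"
    misses: int = 0
    status: str = "up"          # monitor status reflected on the tunnel interface
    torn_down: bool = False     # set once a failover has removed this tunnel
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.action not in ("wait-recover", "fail-over"):
            raise ValueError(f"unknown action: {self.action}")

    def probe(self, reachable: bool) -> str:
        """Feed one probe result; return the interface indicator colour."""
        if self.torn_down:
            return "red"        # tunnel no longer exists in this model
        if reachable:
            if self.status == "down":
                self.events.append("monitored IP reachable again")
            self.misses, self.status = 0, "up"
            return "green"
        self.misses += 1
        if self.status == "up" and self.misses >= self.threshold:
            self.status = "down"
            if self.action == "fail-over":
                self.torn_down = True
                self.events.append("fail over: tear down tunnel, trigger routing changes")
            else:
                self.events.append("wait for the tunnel to recover")
        return "green" if self.status == "up" else "red"

def run(action, probes, threshold=3):
    """Replay a list of probe results; return (indicator timeline, events)."""
    monitor = TunnelMonitor(action=action, threshold=threshold)
    return [monitor.probe(p) for p in probes], monitor.events

# Constructed probe results: the path is lost for four probes, then returns.
SAMPLE = [True, False, False, False, False, True]

if __name__ == "__main__":
    for action in ("wait-recover", "fail-over"):
        colours, events = run(action, SAMPLE)
        print(f"{action:13} {colours} {events}")
```

In this model a path that drops fewer probes than the threshold never turns the indicator red, which is why a short outage can pass without any status change or failover.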