View the Status of the Tunnels
The status of the tunnel informs you about whether or not valid IKE phase-1 and phase-2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or failover. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.
- Select NetworkIPSec Tunnels.
- View the Tunnel Status.
- Green indicates a valid IPSec SA tunnel.
- Red indicates that IPSec SA is not available or has expired.
- View the IKE Gateway Status.
- Green indicates a valid IKE phase-1 SA.
- Red indicates that IKE phase-1 SA is not available or has expired.
- View the Tunnel Interface Status.
To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.
- Green indicates that the tunnel interface is up.
- Red indicates that the tunnel interface is down, because tunnel monitoring is enabled and the status is down.
IPSec Tunnel Status on the Firewall
IPSec Tunnel Status on the Firewall Network > IPSec Tunnels To view the status of currently defined IPSec VPN tunnels, open the IPSec Tunnels page. ...
Refresh or Restart an IKE Gateway or IPSec Tunnel
Refresh or Restart an IKE Gateway or IPSec Tunnel Keep in mind that the result of restarting an IKE gateway depends on whether it is ...
Site-to-Site VPN with Static Routing
Site-to-Site VPN with Static Routing The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces ...
Tunnel Settings Tab
Tunnel Settings Tab Select Network GlobalProtect Gateways Agent Tunnel Settings to enable tunneling and configure the tunnel parameters. Tunnel parameters are required if you are ...
Site-to-Site VPN with Static and Dynamic Routing
Site-to-Site VPN with Static and Dynamic Routing In this example, one site uses static routes and the other site uses OSPF. When the routing protocol ...
Set Up Tunnel Monitoring
Set Up Tunnel Monitoring To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the ...
Site-to-Site VPN with OSPF
Site-to-Site VPN with OSPF In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer is ...
Network > IPSec Tunnels
Network > IPSec Tunnels Select Network IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of the ...
Tunnel Interface To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to ...