Site To Site VPN Troubleshooting Sop

The document describes how to check the status of an IPSEC VPN tunnel, validate tunnel monitoring, clear the tunnel, and restore the tunnel. It provides details on checking the status of IKE phase 1 and phase 2, verifying if the IPSEC tunnel is up, monitoring encryption and decryption across the tunnel, and clearing the tunnel.


How to check Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel


567477
Created On 09/25/18 19:10 PM - Last Modified 04/20/20 21:49 PM
IKE
IPSEC
VPNS
HARDWARE
PAN-OS

Resolution

Overview

This document can be used to verify the status of an IPSEC tunnel, validate tunnel monitoring, clear the tunnel, and
restore the tunnel.

Details

1. Initiate VPN ike phase1 and phase2 SA manually.

The VPN tunnel is negotiated only when there is interesting traffic destined for the tunnel (on-demand).
If you want to initiate the tunnel manually, without actual traffic, you can use the commands below.
Note: Manual initiation is possible only from the CLI.

> test vpn ike-sa

Start time: Dec.04 00:03:37

Initiate 1 IKE SA.

> test vpn ipsec-sa

Start time: Dec.04 00:03:41

Initiate 1 IPSec SA.

2. Check ike phase1 status (in case of ikev1)

GUI:
Navigate to Network->IPSec Tunnels

GREEN indicates up
RED indicates down

You can click on the IKE info to get the details of the Phase1 SA.
ike phase1 sa up:

If ike phase1 sa is down, the ike info would be empty.

CLI:
ike phase1 sa up:

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address   Gateway Name  Role  Mode  Algorithm             Established      Expiration       V   ST  Xt  Phase2
--------------  ------------   ------------  ----  ----  ---------             -----------      ----------       -   --  --  ------
38              203.0.113.100  ike-gw        Init  Main  PSK/DH20/A256/SHA512  Dec.03 22:37:01  Dec.04 06:37:01  v1  13  1   1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name  TnID  Tunnel                  GwID/IP  Role  Algorithm       SPI(in)   SPI(out)  MsgID     ST  Xt
------------  ----  ------                  -------  ----  ---------       -------   --------  -----     --  --
ike-gw        139   ipsec-tunnel:lab-proxy  38       Init  ESP/DH20/tunl/  A25ADE56  C79A64B7  B3E9927A  9   1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

There is no IKEv2 SA found.

ike phase1 sa down:


> show vpn ike-sa

There is no IKEv1 phase-1 SA found.

OR

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address   Gateway Name  Role  Mode  Algorithm  Established  Expiration  V   ST  Xt  Phase2
--------------  ------------   ------------  ----  ----  ---------  -----------  ----------  -   --  --  ------
38              203.0.113.100  ike-gw        Init  Main  PSK/ / /                            v1  3   2   0

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

If phase-1 SA is down you would not see the peer IP and the Established status.

For IKEv2, the IKE Info details appear the same when you click on IKE Info.
GUI:

IKEv2 CLI:

> show vpn ike-sa

There is no IKEv1 phase-1 SA found.

There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID  Peer-Address   Gateway Name  Role  SN  Algorithm             Established      Expiration       Xt  Child  ST
----------  ------------   ------------  ----  --  ---------             -----------      ----------       --  -----  --
38          203.0.113.100  ike-gw        Resp  2   PSK/DH20/A256/SHA512  Dec.04 00:10:58  Dec.04 08:10:58  0   1      Established

IKEv2 IPSec Child SAs
Gateway Name  TnID  Tunnel                     ID  Parent  Role  SPI(in)   SPI(out)  MsgID     ST
------------  ----  ------                     --  ------  ----  -------   --------  -----     --
ike-gw        139   ipsec-tunnel:lab-proxyid1  2   2       Resp  DA76A187  9E1E9372  00000001  Mature

Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.

3. To check if phase 2 ipsec tunnel is up:

GUI:
Navigate to Network->IPSec Tunnels

GREEN indicates up

RED indicates down

You can click on the Tunnel info to get the details of the Phase2 SA.

CLI:

> show vpn ipsec-sa

GwID/client IP  TnID  Peer-Address   Tunnel(Gateway)                    Algorithm  SPI(in)   SPI(out)  life(Sec/KB)
--------------  ----  ------------   ---------------                    ---------  -------   --------  ------------
38              139   203.0.113.100  ipsec-tunnel:lab-proxyid1(ike-gw)  ESP/G256/  F2B7CEF0  F248D17B  2269/0

4. Check Encryption and Decryption (encap/decap) across tunnel

Find the tunnel id using below command:

> show vpn flow

total tunnels configured:       1
filter - type IPSec, state any
total IPSec tunnel configured:  1
total IPSec tunnel shown:       1

id   name                       state   monitor  local-ip        peer-ip        tunnel-i/f
--   ----                       -----   -------  --------        -------        ----------
139  ipsec-tunnel:lab-proxyid1  active  off      198.51.100.100  203.0.113.100  tunnel.1

Note: For tunnel monitoring, a monitor status of "down" indicates that the destination IP being monitored is not
reachable; "off" indicates that tunnel monitoring is not configured.

Note the tunnel id; in this example the tunnel id is 139.

> show vpn flow tunnel-id 139

tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        type:                   IPSec
        gateway id:             38
        local ip:               198.51.100.100
        peer ip:                203.0.113.100
        inner interface:        tunnel.1
        outer interface:        ethernet1/1
        state:                  active
        session:                568665
        tunnel mtu:             1432
        soft lifetime:          3579
        hard lifetime:          3600
        lifetime remain:        2154 sec
        lifesize remain:        N/A
        latest rekey:           1446 seconds ago
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       736
        local spi:              F2B7CEF0
        remote spi:             F248D17B
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA512
        enc algorithm:          AES256GCM16
        proxy-id:
                local ip:       10.133.133.0/24
                remote ip:      10.134.134.0/24
                protocol:       0
                local port:     0
                remote port:    0
        anti replay check:      yes
        copy tos:               no
        enable gre encap:       no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
                when lifetime expired:  0
                when lifesize expired:  0
        sending sequence:       4280
        receive sequence:       4280
        encap packets:          8153
        decap packets:          8153
        encap bytes:            717464
        decap bytes:            717464
        key acquire requests:   90
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1

Run the above command, show vpn flow tunnel-id <id>, multiple times to check the trend in the counter values.
Constant increments in authentication errors, decryption errors, or replay packets indicate an issue with the tunnel
traffic.
When traffic flows normally across the tunnel, the encap/decap packet and byte counters increment.
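The counter-trend check above, as an added example that is not part of the original article: a small Python script that parses two constructed snapshots of the show vpn flow tunnel-id output (the counter names are those shown above) and reports which counters moved. The extra warning for encap rising while decap stays flat is an assumption added here, not a rule stated in the article.

```python
import re

# Constructed sample: two snapshots of "show vpn flow tunnel-id 139" taken a
# short interval apart, trimmed to the counter lines this check cares about.
SNAPSHOT_T0 = """
tunnel  ipsec-tunnel:lab-proxyid1
        state:                  active
        authentication errors:  0
        decryption errors:      0
        replay packets:         0
        encap packets:          8153
        decap packets:          8153
"""
SNAPSHOT_T1 = """
tunnel  ipsec-tunnel:lab-proxyid1
        state:                  active
        authentication errors:  0
        decryption errors:      12
        replay packets:         0
        encap packets:          8210
        decap packets:          8153
"""

# Counters whose growth the article flags as a tunnel traffic problem.
ERROR_COUNTERS = ("authentication errors", "decryption errors", "replay packets")

def parse_counters(output):
    """Return {counter name: int} for every 'name: <integer>' line in the output."""
    counters = {}
    for m in re.finditer(r"^\s*([a-z/ ]+?):\s*(\d+)\s*$", output, re.MULTILINE):
        counters[m.group(1).strip()] = int(m.group(2))
    return counters

def diagnose(before, after):
    """Compare two snapshots and return a list of human-readable findings."""
    b, a = parse_counters(before), parse_counters(after)
    findings = []
    for name in ERROR_COUNTERS:
        delta = a.get(name, 0) - b.get(name, 0)
        if delta > 0:
            findings.append(f"PROBLEM: {name} increased by {delta}")
    enc = a.get("encap packets", 0) - b.get("encap packets", 0)
    dec = a.get("decap packets", 0) - b.get("decap packets", 0)
    if enc > 0 and dec > 0:
        findings.append(f"OK: traffic flowing (encap +{enc}, decap +{dec})")
    elif enc > 0 and dec == 0:
        # Assumed heuristic: we encrypt toward the peer but decrypt nothing back.
        findings.append(f"WARN: encap +{enc} but decap +0 (no return traffic)")
    elif enc == 0 and dec == 0:
        findings.append("INFO: no traffic in interval")
    return findings
```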

5. Clear the tunnel

The following commands will tear down the VPN tunnel:

> clear vpn ike-sa gateway <gw-name>


Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel <tunnel-name>


Delete IKEv1 IPSec SA: Total 1 tunnels found.
