>
    Troubleshoot Site-to-Site VPN Issues Using CLI
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Troubleshooting
    4. Troubleshoot Site-to-Site VPN Issues Using CLI
    Download PDF
    Network Security

    Troubleshoot Site-to-Site VPN Issues Using CLI

    Table of Contents

    Troubleshoot Site-to-Site VPN Issues Using CLI

    Troubleshoot site-to-site VPN issues using show, clear, test, and debug commands.
    Where Can I Use This?What Do I Need?
    • PAN-OS
    		No license required
    Use the following CLI commands to troubleshoot phase 1 and phase 2 site-to-site VPN issues:

    Show Commands

    If you want to . . .
    Use . . .
    • Display the basic statistics of all VPN tunnels
    		 
    > show running tunnel flow info
    • Display the IKE SA for a given gateway
    		 
    > show vpn ike-sa gateway <gateway> | match <x.x.x.x/Y>
    • Display the IKE SA for a given tunnel
    		 
    > show vpn ike-sa tunnel <tunnel>
    • Display IPSec counters
    		 
    > show vpn flow
    • Display the list of all IPSec gateways and their configurations
    		 
    > show vpn gateway
    • Display IKE phase 1 SAs
    		 
    > show vpn ike-sa
    • Display IKE phase 2 SAs
    		 
    > show vpn ipsec-sa
    • Display the list of auto-key IPSec tunnel configurations
    		 
    >  show vpn tunnel

    Clear Commands

    If you want to . . .
    Use . . .
    • Delete the IKEv1 IKE SA for a given gateway
    		 
    > clear vpn ike-sa gateway <gateway>
    • Delete the IKEv1 IKE SA for a given tunnel
    		 
    > clear vpn ike-sa tunnel <tunnel>
    • Delete the IKEv1 IPSec SA for a given tunnel
    		 
    > clear vpn ipsec-sa tunnel <tunnel>

    Test Commands

    If you want to . . .
    Use . . .
    • Initiate an IKE negotiation with the designated gateway
    		 
    > test vpn ike-sa gateway <gateway>
    • Initiate an IPSec negotiation for the designated tunnel
    		 
    > test vpn ipsec-sa tunnel <tunnel>

    Debug Commands

    If you want to . . .
    Use . . .
    • Turn on debugging to view detailed logging and status
    		 
    > debug ike global on debug less mp-log ikemgr.log debug ike stat
    • Packet capture to view and to capture main, aggressive, and quick mode negotiations.
    		 
    > debug ike pcap on view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
    • Turn off debugging
    		 
    > debug ike pcap off

    © 2025 Palo Alto Networks, Inc. All rights reserved.