>
    View the Status of the Tunnels
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. VPNs
    4. Set Up Site-to-Site VPN
    5. Set Up Tunnel Monitoring
    6. View the Status of the Tunnels
    Download PDF

    View the Status of the Tunnels

    Table of Contents
    End-of-Life (EoL)

    View the Status of the Tunnels

    The status of the tunnel informs you about whether or not valid IKE phase-1 and phase-2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
    Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or failover. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.
    1. Select NetworkIPSec Tunnels.
    2. View the Tunnel Status.
      • Green indicates a valid IPSec SA tunnel.
      • Red indicates that IPSec SA is not available or has expired.
    3. View the IKE Gateway Status.
      • Green indicates a valid IKE phase-1 SA.
      • Red indicates that IKE phase-1 SA is not available or has expired.
    4. View the Tunnel Interface Status.
      • Green indicates that the tunnel interface is up.
      • Red indicates that the tunnel interface is down, because tunnel monitoring is enabled and the status is down.
      To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.

    © 2024 Palo Alto Networks, Inc. All rights reserved.