Palo Alto Networks Knowledgebase: DotW: VPN IPSec Tunnel Status is Red
DotW: VPN IPSec Tunnel Status is Red
Created On 09/25/18 19:03 - Last Updated 08/05/19 20:11
This week's Discussion of the Week covers the thread that member "KotreshaMC" created in General Topics, VPN IPSec Tunnel Status is Red, which asks how to read the IPSec VPN tunnel status.
When it comes to working with IPSec VPNs, it can be tricky to understand the status properly, which is why I chose this topic to talk about.
Let's start with the IPSec tunnel status window, which can be accessed from the WebGUI > Network > IPSec Tunnels.
Inside that window, you see the status of all of the IPSec VPN tunnels that you have configured on this firewall.
[Figure: IPSec Tunnel status window showing both the P1 and P2 status of every tunnel on this device.]
[Figure: Detail of the second part of the same window showing the IPSec Tunnel Interface status.]
The confusing part about the IPSec Tunnel status window is that there are actually three separate indicators, and each one answers a different question. They mean the following:
Phase 1 - IKE status - Green indicates a valid IKEv1 phase-1 SA or IKEv2 IKE SA with the peer. Red indicates that no IKE SA is available or the existing one has expired.
Phase 2 - IPSec status - Green indicates an established IPSec phase-2 security association (SA), i.e. the tunnel itself. Red indicates that no IPSec phase-2 SA is available or it has expired.
IPSec Tunnel Interface status - Green indicates that the tunnel interface is up, either because tunnel monitor is disabled or because tunnel monitor is enabled and the remote monitoring IP address is reachable. Red indicates that the tunnel interface is down because tunnel monitor is enabled and the remote monitoring IP address is unreachable. Note that with tunnel monitor disabled this indicator stays green regardless of the Phase 1 and Phase 2 state, so on its own it does not tell you that traffic is passing.
I have personally seen Phase 2 IPSec showing green with Phase 1 IKE showing red, even though the tunnel is still active and showing green. The next time IKE is renegotiated it may or may not have an issue, but it's good to be aware of this.
To get more detailed information on what is going on when one of the indicators is red, look in your logs (Monitor > Logs > System) for any errors that point to the problem. You can also click the "Tunnel Info" and "IKE Info" links to the right of the "bubble" status to get more detail: a window will appear showing the IKE SA or IPSec SA information for that tunnel.
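To make the three rules above concrete, here is an added Python example (not from the original article and not PAN-OS code) that derives the three indicators from a hypothetical tunnel snapshot and flags the Phase 1 red / Phase 2 green case so it is noted rather than dismissed. The TunnelState fields and the sample values are constructed assumptions, not data from a real firewall.

```python
from dataclasses import dataclass

GREEN, RED = "green", "red"


@dataclass
class TunnelState:
    """Hypothetical snapshot of one IPSec tunnel (assumed fields, not a PAN-OS API)."""
    name: str
    ike_sa_valid: bool          # IKEv1 phase-1 SA or IKEv2 IKE SA present and not expired
    ipsec_sa_valid: bool        # IPSec phase-2 SA present and not expired
    monitor_enabled: bool       # tunnel monitor configured on the tunnel interface
    monitor_ip_reachable: bool  # tunnel-monitor probes to the remote IP are answered


def phase1_status(t: TunnelState) -> str:
    # Phase 1 indicator: only the IKE SA matters here.
    return GREEN if t.ike_sa_valid else RED


def phase2_status(t: TunnelState) -> str:
    # Phase 2 indicator: only the IPSec SA matters here.
    return GREEN if t.ipsec_sa_valid else RED


def interface_status(t: TunnelState) -> str:
    # Interface indicator: up when tunnel monitor is disabled, or when it is
    # enabled and the monitoring IP answers; down only when monitor is enabled
    # and the monitoring IP is unreachable. With monitor disabled this stays
    # green even if both SAs are gone, so it is not a traffic-health signal.
    if not t.monitor_enabled:
        return GREEN
    return GREEN if t.monitor_ip_reachable else RED


def assess(t: TunnelState) -> dict:
    """Return the three indicators plus the next thing to look at."""
    p1, p2, intf = phase1_status(t), phase2_status(t), interface_status(t)
    if p1 == RED and p2 == GREEN:
        # Traffic still flows over the existing IPSec SA, but the IKE SA is
        # missing or expired; the next IKE renegotiation is where this can bite.
        verdict = "at-risk"
        look_at = "IKE Info and the System log before the next IKE renegotiation"
    elif p1 == RED:
        verdict = "down"
        look_at = "IKE Info and the System log (phase 1 did not complete)"
    elif p2 == RED:
        verdict = "down"
        look_at = "Tunnel Info and the System log (phase 2 failed although IKE is up)"
    elif intf == RED:
        verdict = "down"
        look_at = "tunnel monitor: the remote monitoring IP is unreachable over the tunnel"
    else:
        verdict = "healthy"
        look_at = "nothing"
    return {"name": t.name, "phase1": p1, "phase2": p2, "interface": intf,
            "verdict": verdict, "look_at": look_at}


if __name__ == "__main__":
    # Constructed sample states (assumptions for illustration, not real tunnels).
    samples = [
        TunnelState("hq-to-branch", True, True, False, False),   # all green
        TunnelState("hq-to-dc", False, True, True, True),        # the P1 red / P2 green case
        TunnelState("hq-to-partner", True, True, True, False),   # SAs up, monitor failing
    ]
    for s in samples:
        print(assess(s))
```

Running the block prints one assessment per constructed tunnel; the "hq-to-dc" line shows why the mixed state deserves attention even though the tunnel is still passing traffic.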
If you need to troubleshoot this issue yourself, we recommend two articles that can help: