Palo Alto Networks Knowledgebase: DotW: VPN IPSec Tunnel Status is Red

DotW: VPN IPSec Tunnel Status is Red

Created On 08/05/19 19:56 PM - Last Updated 08/05/19 20:11 PM
Resolution

This week's Discussion of the Week covers the thread that member "KotreshaMC" created, VPN IPSec Tunnel Status is Red.

[Figure: Discussion from General Topics talking about IPSec VPN Tunnel status.]

When it comes to working with IPSec VPNs, it can be tricky to understand the status properly, which is why I chose this topic to talk about. 


Let's start with the IPSec tunnel status window, which can be accessed from the WebGUI > Network > IPSec Tunnels.

Inside that window, you see the status of all of the IPSec VPN tunnels that you have configured on this firewall.

[Figure: IPSec Tunnel status window showing both P1 and P2 status of every tunnel on this device.]

[Figure: Detail of the second part of the same window showing the IPSec Tunnel Status.]

The confusing part about the IPSec Tunnel status window is that there are actually 3 areas that show the current status. I have detailed each "status" below:

  1. Phase 1 - IKE status - Green indicates a valid IKE phase-1 SA or IKEv2 IKE SA. Red indicates that the IKE phase-1 SA is not available or has expired.
  2. Phase 2 - IPSec status - Green indicates a valid IPSec phase-2 security association (SA) for the tunnel. Red indicates that the IPSec phase-2 SA is not available or has expired.
  3. IPSec Tunnel Interface status - Green indicates that the tunnel interface is up (either because tunnel monitor is disabled, or because tunnel monitor status is UP and the monitoring IP address is reachable). Red indicates that the tunnel interface is down because tunnel monitor is enabled and the remote tunnel monitoring IP address is unreachable.

I have personally seen the Phase 2 IPSec showing Green, with Phase 1 IKE showing a Red status, even though the tunnel is showing green, because it is still active. The next time that IKE is to be renegotiated, it may or may not have an issue, but it's good to be aware of.
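To make the three indicators concrete, here is a small model of how each one is derived from the facts listed above, including the case just described (Phase 1 red while Phase 2 and the tunnel interface stay green). This is an added example written for this article, not PAN-OS code or anything from the original thread; the input fields, the tunnel names and the "next step" wording are constructed to mirror what the list above says each light reflects.

```python
"""Model of the three status lights on Network > IPSec Tunnels.

Constructed illustration: the input fields below are assumptions chosen to
mirror the three facts the article says each indicator reflects. They are
not fields read from a real firewall.
"""
from dataclasses import dataclass

GREEN = "green"
RED = "red"


@dataclass
class TunnelState:
    """Raw facts about one tunnel (constructed inputs, not firewall data)."""
    name: str
    ike_sa_valid: bool            # IKE phase-1 SA (or IKEv2 IKE SA) present and not expired
    ipsec_sa_valid: bool          # IPSec phase-2 SA present and not expired
    tunnel_monitor_enabled: bool  # tunnel monitor configured on the tunnel interface
    monitor_ip_reachable: bool    # monitored IP answers; only matters when monitor is enabled


def phase1_status(t: TunnelState) -> str:
    """IKE light: green only while a valid phase-1 / IKEv2 IKE SA exists."""
    return GREEN if t.ike_sa_valid else RED


def phase2_status(t: TunnelState) -> str:
    """IPSec light: green only while a valid phase-2 SA exists."""
    return GREEN if t.ipsec_sa_valid else RED


def interface_status(t: TunnelState) -> str:
    """Tunnel Interface light: driven by tunnel monitor, not by the IKE SA."""
    if not t.tunnel_monitor_enabled:
        return GREEN  # no monitor configured: the interface is reported up
    return GREEN if t.monitor_ip_reachable else RED


def summarize(t: TunnelState) -> dict:
    """Return the three lights plus a first troubleshooting step for that combination."""
    p1, p2, iface = phase1_status(t), phase2_status(t), interface_status(t)
    if p2 == RED:
        hint = "no valid phase-2 SA: open Tunnel Info and check the system logs for IPSec errors"
    elif iface == RED:
        hint = "SAs are up but the tunnel monitor cannot reach the remote monitoring IP: check the monitor target"
    elif p1 == RED:
        hint = "phase-2 SA still active so traffic flows; the next IKE renegotiation may fail, check IKE Info"
    else:
        hint = "healthy"
    return {"tunnel": t.name, "phase1": p1, "phase2": p2, "interface": iface, "next_step": hint}


# Constructed sample tunnels covering the combinations discussed in the article.
SAMPLE_TUNNELS = [
    TunnelState("branch-a", ike_sa_valid=True, ipsec_sa_valid=True,
                tunnel_monitor_enabled=True, monitor_ip_reachable=True),
    # The case from the article: IKE SA gone, phase-2 SA still alive, tunnel green.
    TunnelState("branch-b", ike_sa_valid=False, ipsec_sa_valid=True,
                tunnel_monitor_enabled=True, monitor_ip_reachable=True),
    TunnelState("branch-c", ike_sa_valid=True, ipsec_sa_valid=True,
                tunnel_monitor_enabled=True, monitor_ip_reachable=False),
    TunnelState("branch-d", ike_sa_valid=False, ipsec_sa_valid=False,
                tunnel_monitor_enabled=False, monitor_ip_reachable=False),
]


if __name__ == "__main__":
    for tunnel in SAMPLE_TUNNELS:
        s = summarize(tunnel)
        print(f"{s['tunnel']:9} P1={s['phase1']:5} P2={s['phase2']:5} "
              f"IF={s['interface']:5}  -> {s['next_step']}")
```

The point the model makes explicit is that the Tunnel Interface light only looks at the tunnel monitor, so a tunnel can show green on the interface while Phase 1 is already red; the `next_step` text follows the order in which the article suggests looking (Tunnel Info, tunnel monitor target, IKE Info).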


To get more detailed information on what is going on when the IPSec Tunnel Interface is showing Red, you will need to go into your logs and look for any errors that help indicate what the problem is. You can also click the "Tunnel Info" and "IKE Info" text to the right of the "bubble" status to get more information (a window will appear showing the IKE or IPSec details).

See also

If you need to troubleshoot this issue yourself, we recommend two articles that can help:

How to Troubleshoot IPSec VPN connectivity issues

CLI Commands to Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel


Read the entire discussion here:

VPN IPSEC tunnel status is Red


Thanks for taking the time to read this. 

As always, please let us know how we are doing by leaving comments and questions below.


Stay secure! 

Joe Delio
