Palo Alto Networks Knowledgebase: How to check Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel

Created On 12/04/19 08:29 AM - Last Updated 12/04/19 08:31 AM
Tags: IKE, IPSec VPNs, Hardware, PAN-OS
Resolution

Overview

This document can be used to verify the status of an IPSEC tunnel, validate tunnel monitoring, clear the tunnel, and restore the tunnel.


Details

1. Initiate the VPN IKE phase 1 and phase 2 SAs manually


The VPN tunnel is negotiated on demand: it is only brought up when there is interesting traffic destined for the tunnel.
If you want to initiate the tunnel manually, without real traffic, use the commands below.
Note: Manual initiation is possible only from the CLI.


> test vpn ike-sa

Start time: Dec.04 00:03:37
Initiate 1 IKE SA.

> test vpn ipsec-sa

Start time: Dec.04 00:03:41
Initiate 1 IPSec SA.

2. Check IKE phase 1 status (in the case of IKEv1)

GUI:
Navigate to Network -> IPSec Tunnels.

GREEN indicates up.
RED indicates down.

Click the IKE Info link to see the details of the Phase 1 SA.
If the IKE phase 1 SA is down, the IKE Info is empty.


CLI:
IKE phase 1 SA up:

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
38              203.0.113.100          ike-gw                 Init Main PSK/DH20/A256/SHA512  Dec.03 22:37:01 Dec.04 06:37:01 v1 13 1  1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name           TnID     Tunnel                 GwID/IP          Role Algorithm          SPI(in)  SPI(out) MsgID    ST Xt
------------           ----     ------                 -------          ---- ---------          -------  -------- -----    -- --
ike-gw                 139      ipsec-tunnel:lab-proxy 38               Init ESP/DH20/tunl/     A25ADE56 C79A64B7 B3E9927A 9  1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

There is no IKEv2 SA found.


IKE phase 1 SA down:

> show vpn ike-sa

There is no IKEv1 phase-1 SA found.

OR

> show vpn ike-sa

IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
38              203.0.113.100          ike-gw                 Init Main PSK/    /    /                                        v1 3  2  0
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

If the phase-1 SA is down, you will not see the peer IP and the Established status.

For IKEv2, the IKE Info details in the GUI look the same when you click IKE Info.

IKEv2 CLI:

> show vpn ike-sa

There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID      Peer-Address           Gateway Name           Role SN       Algorithm             Established     Expiration      Xt Child  ST
----------      ------------           ------------           ---- --       ---------             -----------     ----------      -- -----  --
38              203.0.113.100          ike-gw                 Resp 2        PSK/DH20/A256/SHA512  Dec.04 00:10:58 Dec.04 08:10:58 0  1      Established

IKEv2 IPSec Child SAs
Gateway Name           TnID     Tunnel                    ID       Parent   Role SPI(in)  SPI(out) MsgID    ST
------------           ----     ------                    --       ------   ---- -------  -------- -----    --
ike-gw                 139      ipsec-tunnel:lab-proxyid1 2        2        Resp DA76A187 9E1E9372 00000001 Mature

Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.
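When the check above has to run from a script rather than by eye (for example from a monitoring job that polls the firewall over SSH), the distinguishing feature of an established phase 1 SA is that its row carries both the Established and Expiration timestamps, while a non-established row leaves those columns blank. The following is an added example, not part of this knowledge base article or of PAN-OS itself, that parses the three shapes of "show vpn ike-sa" output shown above. The sample outputs are constructed from the excerpts on this page; the parser assumes the fixed-width layout and the "Mon.DD HH:MM:SS" timestamp format seen here.

```python
import re

# Constructed samples, trimmed from the "show vpn ike-sa" output shown in this article.
IKEV1_UP = """\
IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
38              203.0.113.100          ike-gw                 Init Main PSK/DH20/A256/SHA512  Dec.03 22:37:01 Dec.04 06:37:01 v1 13 1  1
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
IKEv1 phase-2 SAs
Gateway Name           TnID     Tunnel                 GwID/IP          Role Algorithm          SPI(in)  SPI(out) MsgID    ST Xt
------------           ----     ------                 -------          ---- ---------          -------  -------- -----    -- --
ike-gw                 139      ipsec-tunnel:lab-proxy 38               Init ESP/DH20/tunl/     A25ADE56 C79A64B7 B3E9927A 9  1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
There is no IKEv2 SA found.
"""

IKEV1_DOWN = """\
IKEv1 phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2
--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------
38              203.0.113.100          ike-gw                 Init Main PSK/    /    /                                        v1 3  2  0
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
"""

NO_SA = "There is no IKEv1 phase-1 SA found.\n"

IKEV2_UP = """\
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.
IKEv2 SAs
Gateway ID      Peer-Address           Gateway Name           Role SN       Algorithm             Established     Expiration      Xt Child  ST
----------      ------------           ------------           ---- --       ---------             -----------     ----------      -- -----  --
38              203.0.113.100          ike-gw                 Resp 2        PSK/DH20/A256/SHA512  Dec.04 00:10:58 Dec.04 08:10:58 0  1      Established
Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.
"""

# Timestamp format as printed by the firewall in this article, e.g. "Dec.04 00:10:58".
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2}\.\d{2} \d{2}:\d{2}:\d{2}")
# A gateway data row starts with the numeric gateway ID, then peer address, then gateway name.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+")


def ike_sa_status(output):
    """Map gateway name -> {version, gateway_id, peer, up} from 'show vpn ike-sa' output.

    Only the IKEv1 phase-1 and IKEv2 (parent SA) tables are read; phase-2 and
    child-SA tables have no Established column and their rows start with the
    gateway name, so they never match ROW_RE. A gateway counts as up when its
    row carries both the Established and Expiration timestamps.
    """
    status = {}
    section = None
    for line in output.splitlines():
        if line.startswith("IKEv1 phase-1"):
            section = "ikev1"
        elif line.startswith("IKEv2 SAs"):
            section = "ikev2"
        elif line.startswith("IKEv1 phase-2") or line.startswith("IKEv2 IPSec Child"):
            section = None
        m = ROW_RE.match(line)
        if section is None or not m:
            continue
        gw_id, peer, name = m.groups()
        stamps = TIMESTAMP_RE.findall(line)
        status[name] = {
            "version": section,
            "gateway_id": int(gw_id),
            "peer": peer,
            "up": len(stamps) == 2,
        }
    return status


def phase1_is_up(output, gateway):
    """True only if the named gateway appears with an established SA; a missing
    gateway (the 'There is no IKEv1 phase-1 SA found.' case) is reported as down."""
    return ike_sa_status(output).get(gateway, {}).get("up", False)


if __name__ == "__main__":
    for label, sample in (("ikev1 up", IKEV1_UP), ("ikev1 down", IKEV1_DOWN),
                          ("no sa", NO_SA), ("ikev2 up", IKEV2_UP)):
        print(f"{label:10s} -> ike-gw up: {phase1_is_up(sample, 'ike-gw')}")
```

Feeding the output of `show vpn ike-sa` into phase1_is_up(output, "ike-gw") gives a single boolean suitable for an alerting check; the full ike_sa_status() dict keeps the peer and version for the alert text.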



3. Check whether the phase 2 IPSec tunnel is up

GUI:
Navigate to Network -> IPSec Tunnels.

GREEN indicates up.
RED indicates down.

Click the Tunnel Info link to see the details of the Phase 2 SA.

CLI:

> show vpn ipsec-sa

GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/KB)
--------------  ----   ------------           ---------------                                ---------          -------  -------- ------------
38              139    203.0.113.100          ipsec-tunnel:lab-proxyid1(ike-gw)              ESP/G256/          F2B7CEF0 F248D17B 2269/0



4. Check encryption and decryption (encap/decap) across the tunnel

Find the tunnel ID using the command below:

> show vpn flow

total tunnels configured:                                     1
filter - type IPSec, state any
total IPSec tunnel configured:                                1
total IPSec tunnel shown:                                     1
id    name                          state   monitor local-ip                      peer-ip                       tunnel-i/f
--    ----                          -----   ------- --------                      -------                       ----------
139   ipsec-tunnel:lab-proxyid1     active  off     198.51.100.100                203.0.113.100                 tunnel.1

Note: For tunnel monitoring, a monitor status of "down" indicates that the monitored destination IP is not reachable; "off" indicates that tunnel monitoring is not configured.

Note the tunnel ID; in this example the tunnel ID is 139.

> show vpn flow tunnel-id 139

tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        type:                   IPSec
        gateway id:             38
        local ip:               198.51.100.100
        peer ip:                203.0.113.100
        inner interface:        tunnel.1
        outer interface:        ethernet1/1
        state:                  active
        session:                568665
        tunnel mtu:             1432
        soft lifetime:          3579
        hard lifetime:          3600
        lifetime remain:        2154 sec
        lifesize remain:        N/A
        latest rekey:           1446 seconds ago
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        en/decap context:       736
        local spi:              F2B7CEF0
        remote spi:             F248D17B
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA512
        enc  algorithm:         AES256GCM16
        proxy-id:
          local ip:             10.133.133.0/24
          remote ip:            10.134.134.0/24
          protocol:             0
          local port:           0
          remote port:          0
        anti replay check:      yes
        copy tos:               no
        enable gre encap:       no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       4280
        receive sequence:       4280
        encap packets:          8153
        decap packets:          8153
        encap bytes:            717464
        decap bytes:            717464
        key acquire requests:   90
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1

Run the command above, show vpn flow tunnel-id <id>, several times to observe the trend in the counter values.
Steady increases in authentication errors, decryption errors or replay packets indicate a problem with the tunnel traffic.
When traffic is flowing normally across the tunnel, the encap/decap packet and byte counters increment.
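Comparing two captures of this output by hand is error-prone, and a single snapshot says nothing about trend. The following is an added example, not part of this article or of PAN-OS, that parses the "show vpn flow tunnel-id" output into a dictionary, diffs two samples taken some time apart, and applies the rule of thumb stated above: rising authentication, decryption or replay counters mean trouble, rising encap/decap counters mean traffic is flowing. It also interprets the monitor field as the note above describes it. The two samples are constructed from the output on this page with the second one altered to show a failing tunnel; the parser assumes the 8-space / 10-space indentation of top-level and nested fields seen here.

```python
import re

# Constructed samples: two trimmed captures of "show vpn flow tunnel-id 139", a few
# minutes apart. T1 has been edited to show decryption and replay counters rising while
# decap stays flat (peer-side traffic is arriving but failing to decrypt).
SAMPLE_T0 = """\
tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        local ip:               198.51.100.100
        peer ip:                203.0.113.100
        state:                  active
        lifetime remain:        2154 sec
        monitor:                off
          monitor packets seen: 0
          monitor packets reply:0
        proxy-id:
          local ip:             10.133.133.0/24
          remote ip:            10.134.134.0/24
        authentication errors:  0
        decryption errors:      0
        replay packets:         0
        packets received
          when lifetime expired:0
        encap packets:          8153
        decap packets:          8153
"""

SAMPLE_T1 = SAMPLE_T0.replace("2154 sec", "2094 sec") \
                     .replace("decryption errors:      0", "decryption errors:      12") \
                     .replace("replay packets:         0", "replay packets:         3") \
                     .replace("encap packets:          8153", "encap packets:          8183")

ERROR_COUNTERS = ("authentication errors", "decryption errors", "replay packets")
TOPLEVEL_INDENT = 8  # top-level fields are indented 8 spaces, nested ones 10
FIELD_RE = re.compile(r"^(\s*)([a-z][a-z /-]*?)\s*:\s*(.*?)\s*$")


def parse_tunnel_flow(text):
    """Parse 'show vpn flow tunnel-id <id>' output into a flat dict.

    Nested fields (proxy-id, monitor counters, 'packets received') are keyed as
    'parent.field' so they cannot overwrite same-named top-level fields such as
    'local ip'. Purely numeric values are converted to int.
    """
    fields = {}
    parent = None
    for line in text.splitlines():
        head = re.match(r"^tunnel\s+(\S+)", line)
        if head:
            fields["tunnel"] = head.group(1)
            continue
        m = FIELD_RE.match(line)
        if not m:
            bare = line.strip()  # e.g. 'packets received': no colon, only children
            if bare and line.startswith(" " * TOPLEVEL_INDENT):
                parent = bare
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent > TOPLEVEL_INDENT and parent:
            key = f"{parent}.{key}"
        else:
            parent = key
        fields[key] = int(value) if value.isdigit() else value
    return fields


def counter_deltas(before, after, keys):
    """Increase of each named counter between two parsed captures (missing = 0)."""
    return {k: int(after.get(k, 0)) - int(before.get(k, 0)) for k in keys}


def describe_monitor(fields):
    """Interpret the 'monitor' field as the article's note describes it."""
    value = fields.get("monitor")
    if value == "off":
        return "tunnel monitor not configured"
    if value == "down":
        return "monitored destination IP not reachable"
    return f"monitor reports: {value}"


def assess_tunnel(before, after):
    """Apply the article's rule of thumb to two captures of the same tunnel."""
    rising = {k: d for k, d in counter_deltas(before, after, ERROR_COUNTERS).items() if d > 0}
    traffic = counter_deltas(before, after, ("encap packets", "decap packets"))
    return {
        "tunnel": after.get("tunnel"),
        "state": after.get("state"),
        "monitor": describe_monitor(after),
        "rising_errors": rising,
        "encap_flowing": traffic["encap packets"] > 0,
        "decap_flowing": traffic["decap packets"] > 0,
        "healthy": after.get("state") == "active" and not rising,
    }


if __name__ == "__main__":
    report = assess_tunnel(parse_tunnel_flow(SAMPLE_T0), parse_tunnel_flow(SAMPLE_T1))
    for k, v in report.items():
        print(f"{k:14s} {v}")
```

In practice the two captures come from running the command twice with a pause in between; a monitoring job would keep the previous parse and compare each new one against it, alerting whenever rising_errors is non-empty or healthy turns False.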


5. Clear

The following commands tear down the VPN tunnel:

> clear vpn ike-sa gateway <gw-name>
Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel <tunnel-name>
Delete IKEv1 IPSec SA: Total 1 tunnels found.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail