IPSec Tunnel Details

IPSec Tunnel Details

Created On 09/25/18 19:25 PM - Last Modified 06/09/23 08:01 AM


When troubleshooting, multiple commands may be needed to gain different pieces of information on an IPSec tunnel. Shown below is one command where a lot of information can be gained and requested from the customer:

Tunnel cmd KB.png


Local IP and peer IP: Provides the external IP information of both ends of tunnel where the Phase 1 negotiates.

State: If the tunnel is active or disabled.

Monitor: For tunnel monitoring configuration.

Local SPI and remote SPI: Security parameter index which is unique for each tunnel.

Protocol: Either ESP or AH.

Proxy ID local and peer: Internal subnets on both the local and peer side which can communicate.

Encap and decap packets: If this value is 0 for both, then the tunnel isn't sending any packets and can be down. If encap is 0, then the Palo Alto device isn't sending any encrypted packets to the tunnel. If decap is 0, the Palo Alto device isn't receiving encapsulated packets from the other side.



  • Print
  • Copy Link


Choose Language