Palo Alto Networks Knowledgebase: IPSec Tunnel Details

Created On 09/25/18 19:25 PM - Last Updated 09/25/18 23:09 PM
Resolution

When troubleshooting an IPSec tunnel, several commands may be needed to collect different pieces of information. Shown below is one command whose output provides much of that information and that can be requested from the customer:

[Screenshot: Tunnel cmd KB.png]

Local IP and peer IP: The external IP addresses of both ends of the tunnel, between which Phase 1 is negotiated.

State: Whether the tunnel is active or disabled.

Monitor: The tunnel monitoring configuration.

Local SPI and remote SPI: The Security Parameter Index (SPI), which is unique for each tunnel.

Protocol: Either ESP or AH.

Proxy ID local and peer: The internal subnets on the local and peer sides that can communicate.

Encap and decap packets: If this value is 0 for both, the tunnel isn't sending any packets and may be down. If encap is 0, the Palo Alto device isn't sending any encrypted packets into the tunnel. If decap is 0, the Palo Alto device isn't receiving encapsulated packets from the other side.
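
The state and encap/decap reading above can be applied mechanically to output a customer has saved to a file. The following Python is an added example, not part of the original article or Palo Alto Networks code; the `label: value` layout, the exact field labels and the sample values are assumptions constructed for illustration.

```python
# Added example: triage of saved tunnel-detail output (assumed "label: value" layout).

# Constructed sample, not captured device output; addresses are documentation ranges.
SAMPLE = """\
local ip:            198.51.100.1
peer ip:             203.0.113.2
state:               active
monitor:             off
local spi:           A1B2C3D4
remote spi:          0F1E2D3C
protocol:            ESP
proxy-id local ip:   10.1.0.0/16
proxy-id remote ip:  10.2.0.0/16
encap packets:       1482
decap packets:       0
"""

def parse_fields(text):
    """Return {label: value} for each 'label: value' line, labels lower-cased."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            fields[label.strip().lower()] = value.strip()
    return fields

def triage(fields):
    """Apply the article's state and encap/decap reading to parsed fields."""
    findings = []
    if fields.get("state", "").lower() != "active":
        findings.append("tunnel state is not active")
    try:
        encap = int(fields["encap packets"])
        decap = int(fields["decap packets"])
    except (KeyError, ValueError):
        findings.append("encap/decap counters missing or unreadable")
        return findings
    if encap == 0 and decap == 0:
        findings.append("no packets in either direction; tunnel may be down")
    elif encap == 0:
        findings.append("firewall is not sending encrypted packets into the tunnel")
    elif decap == 0:
        findings.append("firewall is not receiving encapsulated packets from the peer")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_fields(SAMPLE)) or ["no findings"]:
        print(finding)
```

Because the counters are cumulative, comparing two captures taken a short time apart shows whether traffic is currently flowing in each direction.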

 

ssunku


