When troubleshooting, multiple commands may be needed to gain different pieces of information on an IPSec tunnel. Shown below is one command where a lot of information can be gained and requested from the customer:
Local IP and peer IP: Provides the external IP information of both ends of tunnel where the Phase 1 negotiates.
State: If the tunnel is active or disabled.
Monitor: For tunnel monitoring configuration.
Local SPI and remote SPI: Security parameter index which is unique for each tunnel.
Protocol: Either ESP or AH.
Proxy ID local and peer: Internal subnets on both the local and peer side which can communicate.
Encap and decap packets: If this value is 0 for both, then the tunnel isn't sending any packets and can be down. If encap is 0, then the Palo Alto device isn't sending any encrypted packets to the tunnel. If decap is 0, the Palo Alto device isn't receiving encapsulated packets from the other side.