How to View the Tunnel Flow Details for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect-Satellite


Created On 09/26/18 13:48 PM - Last Modified 06/09/23 07:49 AM



This document describes how to extract the tunnel ID and context ID for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect-Satellite in order to view the tunnel flow information between the satellite and gateway.



Use the following CLI command to view the desired GlobalProtect Gateway connection information and make a note of the displayed gateway tunnel ID:

> show global-protect-satellite current-gateway gateway <gateway fqdn/ip> satellite <satellite name>



> show global-protect-satellite current-gateway gateway satellite 

GlobalProtect Satellite : GP-Satellite (1 gateways)
Gateway Info:
    Get Config State:
        Refresh Time (seconds)           : 7200
        Failed Refresh Time (seconds)    : 300
        Current Get Config               : success
        Max Get Config Retries           : 34
        Number Get Config Failed         : 0
        Config Timer Activated           : yes
        Next Get Config Time (seconds)   : 5502
        Cached Get Config Time (seconds) : 0
        Failed Reason                    :

    Portal Config:
        GlobalProtect Gateway Name       : Gateway-FW-94
        GlobalProtect Gateway Address    :
        Priority                         : 1

    Gateway Config:
        Gateway Tunnel Name              : GP-Gateway-S
        Gateway Tunnel Interface         : tunnel.6
        Gateway Tunnel id                : 9
        Gateway Tunnel IP                :
        Gateway Additional Tunnel IPs    :
        Status                           : Active
        Status Time                      : Jan.14 05:44:33
        Reason                           : Established
        Config Refresh Time (hours)      : 2
        IP Address                       :
        Default Gateway                  :
        Netmask                          :
        Access Routes                    :
        Denied Routes                    :
        Duplicate Routes                 :
        DNS Servers                      :
        DNS Suffixes                     :
        Tunnel Monitor Enabled           : No
        Tunnel Monitor Interval          : 0 seconds
        Tunnel Monitor Action            : wait-recover
        Tunnel Monitor Threshold         : 0 attempts
        Tunnel Monitor Source            :
        Tunnel Monitor Destination       :
        Tunnel Monitor Status            : No data available


As shown above, the tunnel ID is 9. Use the following CLI command to view the tunnel state and encapsulation details, and to retrieve the context ID:

> show running tunnel flow tunnel-id 9

tunnel  GP-Satellite
        id:                9
        type:              GlobalProtect-site-to-site
        local ip:
        inner interface:   tunnel.6         outer interface:  ethernet1/3
        ssl cert:          N/A
        active users:      1
assigned-ip      remote-ip        MTU   encapsulation
-------------------------------------------------------------
                                  1420  IPSec SPI CC9CC223 (context 8)


As shown above, the context ID is 8. Use the following CLI command to view the encap/decap context, local/remote SPI values, tunnel monitoring sent/reply packet counts and the other details of interest:

> show running tunnel flow context 8

tunnel  GP-Satellite
        id:                     9
        en/decap context type:  SSL-VPN
        encap type:             IPSec
        gateway id:   
        local ip:     
        peer ip:      
        inner interface:        tunnel.6
        outer interface:        ethernet1/3
        state:                  active
        session:                2433
        tunnel mtu:             1420
        lifetime remain:        1462 sec
        idled for:              1 seconds
        idle timeout:           432000 seconds
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       8
        local spi:              CC9CC223
        remote spi:             66291F47
        key type:               GlobalProtect-site-to-site
        protocol:               ESP/UDP[4501->4501]
        auth algorithm:         SHA1
        enc  algorithm:         AES128
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       0
        receive sequence:       0
        encap packets:          0
        decap packets:          11594
        encap bytes:            0
        decap bytes:            14494560
        key acquire requests:   0
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1


Note: In LSVPN the tunnel type is 'GlobalProtect-site-to-site', as shown above. Using tunnel ID 9 with the following CLI command, which is meant for viewing 'IPSec site-to-site' VPN tunnel flows, results in the server error shown below:

> show vpn flow tunnel-id 9

Server error : tunnel type is not IPSec
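As an added example (not part of this article), a small Python helper that walks the three steps above: it parses the tunnel ID out of the satellite gateway output, the context ID out of the tunnel flow output, and then flags the counters in the context output that a defender should look at (non-zero authentication, decryption or replay counts, and an unexpected key type). The embedded CLI outputs are constructed, abbreviated copies of the article's samples.

```python
import re

# Constructed, abbreviated copies of the article's CLI outputs (only the fields read below).
SATELLITE_OUTPUT = """\
    Gateway Config:
        Gateway Tunnel Interface         : tunnel.6
        Gateway Tunnel id                : 9
"""
TUNNEL_FLOW_OUTPUT = """\
        id:                9
assigned-ip      remote-ip        MTU   encapsulation
-------------------------------------------------------------
                                  1420  IPSec SPI CC9CC223 (context 8)
"""
CONTEXT_OUTPUT = """\
        en/decap context:       8
        key type:               GlobalProtect-site-to-site
        anti replay check:      yes
        authentication errors:  0
        decryption errors:      0
        replay packets:         0
"""

def field(output, name):
    """Return the value after 'name ... :' on its own line, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(.*?)\s*$", output, re.M)
    return m.group(1) if m else None

def tunnel_id(satellite_output):
    """Step 1: 'Gateway Tunnel id' from show global-protect-satellite current-gateway."""
    return int(field(satellite_output, "Gateway Tunnel id"))

def context_id(tunnel_flow_output):
    """Step 2: the '(context N)' in the encapsulation column of show running tunnel flow tunnel-id."""
    m = re.search(r"\(context (\d+)\)", tunnel_flow_output)
    return int(m.group(1)) if m else None

def health_check(context_output):
    """Step 3: flag values in show running tunnel flow context <N> that merit a closer look."""
    findings = []
    if field(context_output, "key type") != "GlobalProtect-site-to-site":
        findings.append("unexpected key type")
    if field(context_output, "anti replay check") != "yes":
        findings.append("anti-replay check disabled")
    for counter in ("authentication errors", "decryption errors", "replay packets"):
        n = int(field(context_output, counter) or 0)
        if n:  # non-zero means ESP packets were rejected or replayed on this context
            findings.append(f"{counter}={n}")
    return findings
```

On a live firewall the three strings would be replaced with the output of the corresponding commands; an empty findings list means the context matches the healthy state shown in the article.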


owner: gchadrasekeran
