How to View the Tunnel Flow Details for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect-Satellite
Resolution
Overview
This document describes how to extract the tunnel ID and context ID for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect-Satellite in order to view the tunnel flow information between the satellite and gateway.
Details
Use the following CLI command to view the desired GlobalProtect Gateway connection information and make a note of the displayed gateway tunnel ID:
> show global-protect-satellite current-gateway gateway (specify gateway fqdn/ip) satellite (specify satellite name)
Example:
> show global-protect-satellite current-gateway gateway 10.66.24.94 satellite GP-Satellite
GlobalProtect Satellite : GP-Satellite (1 gateways)
Gateway Info: 10.66.24.94
Get Config State:
Refresh Time (seconds) : 7200
Failed Refresh Time (seconds) : 300
Current Get Config : success
Max Get Config Retries : 34
Number Get Config Failed : 0
Config Timer Activated : yes
Next Get Config Time (seconds) : 5502
Cached Get Config Time (seconds) : 0
Failed Reason :
Portal Config:
GlobalProtect Gateway Name : Gateway-FW-94
GlobalProtect Gateway Address : 10.66.24.94
Priority : 1
Gateway Config:
Gateway Tunnel Name : GP-Gateway-S
Gateway Tunnel Interface : tunnel.6
Gateway Tunnel id : 9
Gateway Tunnel IP : 7.7.7.1
Gateway Additional Tunnel IPs :
Status : Active
Status Time : Jan.14 05:44:33
Reason : Established
Config Refresh Time (hours) : 2
IP Address : 172.17.1.1
Default Gateway : 7.7.7.1
Netmask : 255.255.255.255
Access Routes : 192.168.94.0/24
: 10.66.22.0/23
Denied Routes :
Duplicate Routes :
DNS Servers :
DNS Suffixes :
Tunnel Monitor Enabled : No
Tunnel Monitor Interval : 0 seconds
Tunnel Monitor Action : wait-recover
Tunnel Monitor Threshold : 0 attempts
Tunnel Monitor Source : 172.17.1.1
Tunnel Monitor Destination : 7.7.7.1
Tunnel Monitor Status : No data available
------------------------------------------------------------------------------
In the output above, the Gateway Tunnel id is 9. Use the following CLI command with that value to view the tunnel state and tunnel encapsulation details, and to retrieve the context ID:
> show running tunnel flow tunnel-id 9
tunnel GP-Satellite
id: 9
type: GlobalProtect-site-to-site
local ip: 10.66.24.96
inner interface: tunnel.6 outer interface: ethernet1/3
ssl cert: N/A
active users: 1
assigned-ip remote-ip MTU encapsulation
-------------------------------------------------------------
7.7.7.1 10.66.24.94 1420 IPSec SPI CC9CC223 (context 8)
In the output above, the context ID is 8. Use the following CLI command with that value to view the encap/decap context, local/remote SPI values, tunnel monitoring sent/reply packet counts and the other details of the security association:
> show running tunnel flow context 8
tunnel GP-Satellite
id: 9
en/decap context type: SSL-VPN
encap type: IPSec
gateway id: 7.7.7.1
local ip: 10.66.24.96
peer ip: 10.66.24.94
inner interface: tunnel.6
outer interface: ethernet1/3
state: active
session: 2433
tunnel mtu: 1420
lifetime remain: 1462 sec
idled for: 1 seconds
idle timeout: 432000 seconds
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 8
local spi: CC9CC223
remote spi: 66291F47
key type: GlobalProtect-site-to-site
protocol: ESP/UDP[4501->4501]
auth algorithm: SHA1
enc algorithm: AES128
anti replay check: yes
copy tos: no
authentication errors: 0
decryption errors: 0
inner packet warnings: 0
replay packets: 0
packets received
when lifetime expired:0
when lifesize expired:0
sending sequence: 0
receive sequence: 0
encap packets: 0
decap packets: 11594
encap bytes: 0
decap bytes: 14494560
key acquire requests: 0
owner state: 0
owner cpuid: s1dp0
ownership: 1
Note: In LSVPN, the tunnel type is 'GlobalProtect-site-to-site', as shown above. Using the tunnel ID value 9 with the following CLI command, which is meant for viewing 'IPSec site-to-site' VPN tunnel flows, results in a server error message, as shown below:
> show vpn flow tunnel-id 9
Server error : tunnel type is not IPSec
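The three lookups above chain together: the tunnel ID from the satellite listing selects the flow table, and the context ID from that table selects the security association. As an added example (not part of the original article or any Palo Alto Networks tool), the following Python script parses constructed samples modelled on the output above, extracts both IDs, and flags the context fields a defender would want to watch: inactive state, anti-replay disabled, non-zero authentication, decryption or replay counters, and an SA lifetime close to expiry. The 300-second lifetime threshold is an assumed value.

```python
import re

# Constructed samples, trimmed from the CLI output shown on this page.
SATELLITE_OUTPUT = """\
Gateway Tunnel id : 9
Status : Active
"""
TUNNEL_FLOW_OUTPUT = """\
type: GlobalProtect-site-to-site
7.7.7.1 10.66.24.94 1420 IPSec SPI CC9CC223 (context 8)
"""
CONTEXT_OUTPUT = """\
state: active
lifetime remain: 1462 sec
local spi: CC9CC223
anti replay check: yes
authentication errors: 0
decryption errors: 0
replay packets: 0
"""

def tunnel_id(satellite_output):
    """Step 1: read 'Gateway Tunnel id' from the satellite's gateway listing."""
    m = re.search(r"^Gateway Tunnel id\s*:\s*(\d+)", satellite_output, re.M)
    return int(m.group(1)) if m else None

def context_ids(flow_output):
    """Step 2: read every '(context N)' from the tunnel-id flow table."""
    return [int(c) for c in re.findall(r"\(context (\d+)\)", flow_output)]

def parse_kv(output):
    """Split the 'key: value' lines of the context output into a dict."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def context_findings(fields, min_lifetime_sec=300):
    """Step 3: flag SA counters and settings a defender should not ignore."""
    findings = []
    if fields.get("state") != "active":
        findings.append("state is not active")
    if fields.get("anti replay check") != "yes":
        findings.append("anti-replay check disabled")
    for counter in ("authentication errors", "decryption errors", "replay packets"):
        if int(fields.get(counter, "0")) > 0:
            findings.append(f"{counter} = {fields[counter]}")
    remain = re.match(r"\d+", fields.get("lifetime remain", ""))  # e.g. "1462 sec"
    if remain and int(remain.group()) < min_lifetime_sec:
        findings.append("SA lifetime nearly expired; expect rekey")
    return findings
```

Feed the script the raw text of each command's output (for example saved from an SSH session) in place of the constructed samples; a growing authentication or decryption error counter on an otherwise active context usually points at a key mismatch or at tampered traffic on the path between satellite and gateway.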
owner: gchadrasekeran