How to View the Tunnel Flow Details for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect-Satellite

How to View the Tunnel Flow Details for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect-Satellite

17049
Created On 09/26/18 13:48 PM - Last Modified 08/05/19 20:11 PM


Resolution

Overview

This document describes how to extract the tunnel ID and context ID for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect-Satellite in order to view the tunnel flow information between the satellite and gateway.

 

Details

Use the following CLI command to view the desired GlobalProtect Gateway connection information and make a note of the displayed gateway tunnel ID:

> show global-protect-satellite current-gateway gateway (specify gateway fqdn/ip)
satellite (specify satellite name)

 

Example:

> show global-protect-satellite current-gateway gateway 10.66.24.94 satellite 
GP-Satellite

GlobalProtect Satellite : GP-Satellite (1 gateways)
Gateway Info: 10.66.24.94
    Get Config State:
        Refresh Time (seconds)           : 7200
        Failed Refresh Time (seconds)    : 300
        Current Get Config               : success
        Max Get Config Retries           : 34
        Number Get Config Failed         : 0
        Config Timer Activated           : yes
        Next Get Config Time (seconds)   : 5502
        Cached Get Config Time (seconds) : 0
        Failed Reason                    :

    Portal Config:
        GlobalProtect Gateway Name       : Gateway-FW-94
        GlobalProtect Gateway Address    : 10.66.24.94
        Priority                         : 1

    Gateway Config:
        Gateway Tunnel Name              : GP-Gateway-S
        Gateway Tunnel Interface         : tunnel.6
        Gateway Tunnel id                : 9
        Gateway Tunnel IP                : 7.7.7.1
        Gateway Additional Tunnel IPs    :
        Status                           : Active
        Status Time                      : Jan.14 05:44:33
        Reason                           : Established
         Config Refresh Time (hours)      : 2
        IP Address                       : 172.17.1.1
        Default Gateway                  : 7.7.7.1
        Netmask                          : 255.255.255.255
        Access Routes                    : 192.168.94.0/24
                                         : 10.66.22.0/23
        Denied Routes                    :
        Duplicate Routes                 :
        DNS Servers                      :
        DNS Suffixes                     :
        Tunnel Monitor Enabled           : No
        Tunnel Monitor Interval          : 0 seconds
        Tunnel Monitor Action            : wait-recover
        Tunnel Monitor Threshold         : 0 attempts
        Tunnel Monitor Source            : 172.17.1.1
        Tunnel Monitor Destination       : 7.7.7.1
        Tunnel Monitor Status            : No data available
------------------------------------------------------------------------------

 

Shown above, the tunnel ID is 9. Use the following CLI command to view the tunnel state, tunnel encapsulation details and also to retrieve the context ID:

> show running tunnel flow tunnel-id 9

tunnel  GP-Satellite
        id:                9
        type:              GlobalProtect-site-to-site
        local ip:          10.66.24.96
        inner interface:   tunnel.6         outer interface:  ethernet1/3
        ssl cert:          N/A
        active users:      1
 
assigned-ip      remote-ip        MTU   encapsulation
-------------------------------------------------------------
7.7.7.1          10.66.24.94      1420  IPSec SPI CC9CC223 (context 8)

 

Shown above, the context ID is 8. Use the following CLI command to view the encap/decap context, local/remote SPI values, tunnel monitoring sent/reply packets and other required details:

> show running tunnel flow context 8

tunnel  GP-Satellite
        id:                     9
        en/decap context type:  SSL-VPN
        encap type:             IPSec
        gateway id:             7.7.7.1
        local ip:               10.66.24.96
        peer ip:                10.66.24.94
        inner interface:        tunnel.6
        outer interface:        ethernet1/3
        state:                  active
        session:                2433
        tunnel mtu:             1420
        lifetime remain:        1462 sec
        idled for:              1 seconds
        idle timeout:           432000 seconds
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       8
        local spi:              CC9CC223
        remote spi:             66291F47
        key type:               GlobalProtect-site-to-site
        protocol:               ESP/UDP[4501->4501]
        auth algorithm:         SHA1
        enc  algorithm:         AES128
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       0
        receive sequence:       0
        encap packets:          0
        decap packets:          11594
        encap bytes:            0
        decap bytes:            14494560
        key acquire requests:   0
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1

 

Note: In LSVPN, the tunnel type is 'GlobalProtect-site-to-site' as shown above. Using the tunnel ID value 9 with the following CLI command, which is meant to view the 'IPSec site-to-site' VPN tunnel flow will result in a server error message as shown below:

> show vpn flow tunnel-id 9

Server error : tunnel type is not IPSec

 

owner: gchadrasekeran



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClprCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language