How to View the Tunnel Flow Details for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect-Gateway

Created On 09/26/18 13:49 PM - Last Modified 06/02/23 19:22 PM


Resolution


Overview

This document describes how to extract the tunnel ID and context ID for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect Gateway in order to view the tunnel flow information between the gateway and satellite.

 

Details

Use the following CLI command to view the gateway tunnel information and the corresponding tunnel encapsulation details, and make a note of the displayed context ID:

> show global-protect-gateway flow-site-to-site name (specify the tunnel name)

 

Example:

> show global-protect-gateway flow-site-to-site name GP-Gateway-S

 

tunnel  GP-Gateway-S
        id:                4
        type:              GlobalProtect-site-to-site
        local ip:          10.66.24.94
        inner interface:   tunnel.7        outer interface:  ethernet1/3
        ssl cert:          GP-Server-Cert
        active users:      2

assigned-ip      remote-ip        MTU   encapsulation
-----------------------------------------------------------------------------------------------
172.17.1.1       10.66.24.96      1420  IPSec SPI 589EA620 (context 8)
7.7.7.2          10.66.24.96      1420  IPSec SPI 589EA620 (context 8)

 

As shown above, the context ID is 8. Use the following CLI command to view the encap/decap context, local/remote SPI values, tunnel monitoring sent/reply packets, and other required details:

> show running tunnel flow context 8

 

tunnel  GP-Gateway-S
        id:                     4
        en/decap context type:  SSL-VPN
        encap type:             IPSec
        gateway id:             172.17.1.1
        local ip:               10.66.24.94
        peer ip:                10.66.24.96
        inner interface:        tunnel.7
        outer interface:        ethernet1/3
        state:                  active
        session:                0
        tunnel mtu:             1420
        lifetime remain:        2939 sec
        idled for:              660 seconds
        idle timeout:           432000 seconds
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       8
        local spi:              589EA620
        remote spi:             7117F9E7
        key type:               GlobalProtect-site-to-site
        protocol:               ESP/UDP[4501->4501]
        auth algorithm:         SHA1
        enc  algorithm:         AES128
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       3787
        receive sequence:       0
        encap packets:          3787
        decap packets:          0
        encap bytes:            4534560
        decap bytes:            0
        key acquire requests:   0
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1
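
When this output is collected from many gateways, the counters can be checked automatically. The following Python sketch is an added example, not part of the original article or any Palo Alto Networks tooling: it parses the 'show running tunnel flow context' output and lists conditions worth a closer look. The function names and the list of checks are assumptions chosen for illustration, and the sample text is a constructed subset of the output above.

```python
import re

# Constructed sample: a subset of the context 8 output shown on this page.
SAMPLE = """\
tunnel  GP-Gateway-S
        state:                  active
        monitor:                off
        protocol:               ESP/UDP[4501->4501]
        anti replay check:      yes
        authentication errors:  0
        decryption errors:      0
        replay packets:         0
        encap packets:          3787
        decap packets:          0
"""

ERROR_COUNTERS = ("authentication errors", "decryption errors",
                  "inner packet warnings", "replay packets")

def parse_flow(text):
    """Parse 'key: value' lines; the tunnel name is stored under 'tunnel'."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"tunnel\s+(\S+)$", line)
        if m:
            fields["tunnel"] = m.group(1)
        elif ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            fields[" ".join(key.split())] = value.strip()
    return fields

def review(fields):
    """Return findings worth a closer look (hypothetical checks)."""
    findings = []
    if fields.get("state") != "active":
        findings.append("tunnel state is %s" % fields.get("state"))
    if fields.get("anti replay check") != "yes":
        findings.append("anti-replay check is disabled")
    for name in ERROR_COUNTERS:
        if int(fields.get(name, "0")) > 0:
            findings.append("%s: %s" % (name, fields[name]))
    encap = int(fields.get("encap packets", "0"))
    decap = int(fields.get("decap packets", "0"))
    if encap > 0 and decap == 0:
        findings.append("one-way traffic: %d encap, 0 decap" % encap)
    if fields.get("monitor") == "off":
        findings.append("tunnel monitoring is off")
    return findings
```

Calling review(parse_flow(SAMPLE)) returns the list of findings for the sample; an empty list means none of the assumed checks fired.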

 

Note: In LSVPN, the tunnel type is 'GlobalProtect-site-to-site', as shown above. Using the tunnel ID value 4 with the following CLI command, which is meant for viewing the tunnel flow of an 'IPSec site-to-site' VPN, results in a server error message, as shown below:

> show vpn flow tunnel-id 4

 

Server error : tunnel type is not IPSec

 

Likewise, using the tunnel ID value 4 with the following CLI command, which is meant for viewing the tunnel flow of a 'GlobalProtect-Gateway' VPN, results in a server error message, as shown below:

> show global-protect-gateway flow tunnel-id 4

 

Server error : tunnel type is not GlobalProtect-Gateway

 

owner: gchandrasekaran


