Overview
This document describes how to extract the tunnel ID and context ID for a 'GlobalProtect-site-to-site' LSVPN from the GlobalProtect Gateway in order to view the tunnel flow information between the gateway and satellite.
Details
Use the following CLI command to view the gateway tunnel information together with the encapsulation details of each satellite, and make a note of the context ID shown in the encapsulation column:
> show global-protect-gateway flow-site-to-site name (specify the tunnel name)
Example:
> show global-protect-gateway flow-site-to-site name GP-Gateway-S
tunnel GP-Gateway-S
id: 4
type: GlobalProtect-site-to-site
local ip: 10.66.24.94
inner interface: tunnel.7 outer interface: ethernet1/3
ssl cert: GP-Server-Cert
active users: 2
assigned-ip   remote-ip     MTU   encapsulation
-----------------------------------------------------------------------------------------------
172.17.1.1    10.66.24.96   1420  IPSec SPI 589EA620 (context 8)
7.7.7.2       10.66.24.96   1420  IPSec SPI 589EA620 (context 8)
In the output above, both rows show context 8, so the context ID is 8. Use the following CLI command with that context ID to view the encap/decap context, the local and remote SPI values, the tunnel monitoring sent/reply packet counters, the encryption and authentication algorithms, and the encap/decap and error counters for the tunnel:
> show running tunnel flow context 8
tunnel GP-Gateway-S
id: 4
en/decap context type: SSL-VPN
encap type: IPSec
gateway id: 172.17.1.1
local ip: 10.66.24.94
peer ip: 10.66.24.96
inner interface: tunnel.7
outer interface: ethernet1/3
state: active
session: 0
tunnel mtu: 1420
lifetime remain: 2939 sec
idled for: 660 seconds
idle timeout: 432000 seconds
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 8
local spi: 589EA620
remote spi: 7117F9E7
key type: GlobalProtect-site-to-site
protocol: ESP/UDP[4501->4501]
auth algorithm: SHA1
enc algorithm: AES128
anti replay check: yes
copy tos: no
authentication errors: 0
decryption errors: 0
inner packet warnings: 0
replay packets: 0
packets received
when lifetime expired: 0
when lifesize expired: 0
sending sequence: 3787
receive sequence: 0
encap packets: 3787
decap packets: 0
encap bytes: 4534560
decap bytes: 0
key acquire requests: 0
owner state: 0
owner cpuid: s1dp0
ownership: 1
Note: In LSVPN the tunnel type is 'GlobalProtect-site-to-site', as shown above. The tunnel ID (4 here) therefore cannot be used with the following CLI command, which is meant for 'IPSec site-to-site' VPN tunnel flows; it returns a server error, as shown below:
> show vpn flow tunnel-id 4
Server error : tunnel type is not IPSec
Likewise, using the tunnel ID with the following CLI command, which is meant for 'GlobalProtect-Gateway' (remote user) VPN tunnel flows, returns a server error, as shown below:
> show global-protect-gateway flow tunnel-id 4
Server error : tunnel type is not GlobalProtect-Gateway
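The procedure above is often repeated for many satellites, so the following script, added here as an example and not part of this article or of PAN-OS, parses captured copies of the two CLI outputs: it pulls the tunnel ID, tunnel type and the context ID of every satellite row out of the 'flow-site-to-site' listing, chooses the follow-up flow command that the tunnel type actually accepts (per the Note above, the tunnel-id based commands reject an LSVPN tunnel), and then cross-checks the 'tunnel flow context' output against the listing. The sample inputs are the article's outputs trimmed to the fields the script reads; how the text is captured from the firewall (for instance over SSH) is outside the example. The type strings for the 'IPSec' and 'GlobalProtect-Gateway' entries of the command table are assumptions; the article only shows the LSVPN type string.

```python
import re

# Constructed sample input: the article's CLI outputs, trimmed to the fields
# this script reads. Nothing is fetched from a live firewall.
FLOW_SITE_TO_SITE = """\
tunnel GP-Gateway-S
id: 4
type: GlobalProtect-site-to-site
local ip: 10.66.24.94
active users: 2
assigned-ip remote-ip MTU encapsulation
-----------------------------------------------------------------------------------------------
172.17.1.1 10.66.24.96 1420 IPSec SPI 589EA620 (context 8)
7.7.7.2 10.66.24.96 1420 IPSec SPI 589EA620 (context 8)
"""

TUNNEL_CONTEXT_8 = """\
tunnel GP-Gateway-S
id: 4
peer ip: 10.66.24.96
state: active
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 8
local spi: 589EA620
remote spi: 7117F9E7
authentication errors: 0
decryption errors: 0
replay packets: 0
encap packets: 3787
decap packets: 0
"""

# Flow command per tunnel type. The LSVPN entry follows the article; the
# other two type strings are assumed, the article only shows the error text.
FLOW_COMMAND = {
    "IPSec": "show vpn flow tunnel-id {id}",
    "GlobalProtect-Gateway": "show global-protect-gateway flow tunnel-id {id}",
    "GlobalProtect-site-to-site": "show running tunnel flow context {context}",
}

# One satellite row of the flow-site-to-site table.
ROW = re.compile(
    r"^(?P<assigned>\S+)\s+(?P<remote>\S+)\s+(?P<mtu>\d+)\s+"
    r"IPSec SPI (?P<spi>[0-9A-Fa-f]+) \(context (?P<ctx>\d+)\)$", re.M)


def parse_gateway_flow(text):
    """Return tunnel id, tunnel type and one record per satellite row."""
    tid = re.search(r"^id:\s*(\d+)$", text, re.M)
    ttype = re.search(r"^type:\s*(\S+)$", text, re.M)
    if not (tid and ttype):
        raise ValueError("not a flow-site-to-site tunnel listing")
    rows = [dict(m.groupdict(), mtu=int(m["mtu"]), ctx=int(m["ctx"]))
            for m in ROW.finditer(text)]
    return {"id": int(tid.group(1)), "type": ttype.group(1), "rows": rows}


def flow_commands(tunnel):
    """Follow-up command(s) this tunnel type accepts, deduplicated, in order."""
    tmpl = FLOW_COMMAND.get(tunnel["type"])
    if tmpl is None:
        raise ValueError(f"unknown tunnel type {tunnel['type']!r}")
    if "{context}" not in tmpl:
        return [tmpl.format(id=tunnel["id"])]
    cmds = []
    for row in tunnel["rows"]:  # several rows may share one context
        cmd = tmpl.format(context=row["ctx"])
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


def parse_tunnel_context(text):
    """'key: value' lines of 'show running tunnel flow context N' as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess_context(tunnel, fields):
    """Cross-check the context against the listing and flag odd counters."""
    findings = []
    count = lambda key: int(fields.get(key, "0"))
    ctx = int(fields.get("en/decap context", "-1"))
    spis = {r["spi"] for r in tunnel["rows"] if r["ctx"] == ctx}
    if fields.get("local spi") not in spis:
        findings.append("local SPI does not match the SPI in the gateway listing")
    if fields.get("state") != "active":
        findings.append(f"state is {fields.get('state')!r}")
    if count("encap packets") and not count("decap packets"):
        findings.append("encap only: gateway sends but has decapsulated nothing from the satellite")
    for key in ("authentication errors", "decryption errors", "replay packets"):
        if count(key):
            findings.append(f"{key}: {count(key)}")
    if fields.get("monitor") == "off":
        findings.append("tunnel monitor is off, so the monitor packet counters prove nothing")
    return findings


if __name__ == "__main__":
    tunnel = parse_gateway_flow(FLOW_SITE_TO_SITE)
    print(f"tunnel {tunnel['id']} ({tunnel['type']}) -> run:", *flow_commands(tunnel))
    for finding in assess_context(tunnel, parse_tunnel_context(TUNNEL_CONTEXT_8)):
        print("finding:", finding)
```

On the article's sample the script selects 'show running tunnel flow context 8' once (both rows share the context), confirms that the local SPI 589EA620 is the one the gateway listing shows, and reports two findings: the context has encapsulated 3787 packets but decapsulated none, so traffic is flowing only from the gateway side, and tunnel monitoring is off, so the zero monitor counters say nothing about reachability. Both are the points to take to the satellite side before reading anything into the counters.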
owner: gchandrasekaran