How to check the PA Tunnel status from ZTNA connector

Created On 08/04/25 01:20 AM - Last Modified 10/27/25 16:22 PM


Objective


  • The ZTNA Connector establishes tunnels with the nearest PA location based on latency.
  • A tunnel might go down due to external factors that break Phase-1 or Phase-2 communication.
  • This document outlines the procedure for finding the logs that show what might be causing the PA tunnels to go down.


Environment


  • ZTNA Connector
  • Prisma Access(SASE)

 



Procedure


  1. There are two components of the ZTNA Connector in terms of connectivity.
  2. The details are visible under Workflow > ZTNA Connector > Connectors.

 

    • Control Plane: The controller's connectivity with the ZTNA Connector. Once the Control Plane is up, logs can be taken from the connector.
    • Tunnel: The tunnels are built with the PA location, which is selected from the ZTNA Connector's location based on latency. The nearest region is selected.

 

  1. If the tunnels are down and the Control Plane is up, check the logs mentioned below:
    • Click on Tech Support: generate a tech support file and download it to your local machine.
    • Find the keyword “dump servicelink summary all”.
    • Check for the entries below.
    1. dump servicelink summary all=true

    -------------- SERVICE LINKS ----------------------------------
    Total : 1
    TotalUP : 0
    TotalDown : 1
    ---------------------------------------------------------------
    SlDev SlName Status ExtState
    ParentDev LocalIP Peer Type IpsecProfile
    ---------------------------------------------------------------
    sl1 ipsec_b88df7c3-fd39-4fa1-86d9-test down tunnel_bring_up
    eth0 10.8.25.51 x.y.181.177 IPsec ZTNA_b88df7c3-fd39-4fa1-86d9-34cb0bdtest
      • TotalUP : 0 indicates that no tunnel is up. TotalDown : 1 indicates that 1 tunnel is down.
      • Note the Palo Alto (PA) IP address used for the tunnel (in this example, x.y.181.177).
      • Click on the diagnosis: check from the external interface whether the peer is reachable.
      • Click on Packet Capture, select the external interface, and add the PA IP to collect a capture.

     

    1. Open a support ticket if assistance is needed.
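
The log check in the steps above can be scripted; the following is an added example, not Palo Alto Networks code. It assumes each service link occupies two lines matching the two header lines in the excerpt; the sample text, its documentation peer addresses and the second link are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample modelled on the article's excerpt. Peer addresses are
# documentation addresses and the second ("up") link is invented for the example.
SAMPLE = """\
dump servicelink summary all=true
-------------- SERVICE LINKS ----------------------------------
Total : 2
TotalUP : 1
TotalDown : 1
---------------------------------------------------------------
SlDev SlName Status ExtState
ParentDev LocalIP Peer Type IpsecProfile
---------------------------------------------------------------
sl1 ipsec_b88df7c3-fd39-4fa1-86d9-test down tunnel_bring_up
eth0 10.8.25.51 203.0.113.177 IPsec ZTNA_b88df7c3-fd39-4fa1-86d9-34cb0bdtest
sl2 ipsec_constructed-example up constructed_state
eth0 10.8.25.51 203.0.113.20 IPsec ZTNA_constructed-example
"""

ROW1 = ("dev", "name", "status", "ext_state")                       # first line of a link
ROW2 = ("parent_dev", "local_ip", "peer", "type", "ipsec_profile")  # second line of a link

def parse_servicelinks(text):
    """Return (counters, links). Assumed layout: two lines per link, as in the header."""
    counters, links, pending, in_section = {}, [], None, False
    for line in text.splitlines():
        fields = line.split()
        if "dump servicelink summary all" in line:
            in_section = True          # everything before the keyword is ignored
            continue
        if not in_section or not fields or fields[0].startswith(("---", "SlDev", "ParentDev")):
            continue                   # separators, header rows, blank lines
        m = re.fullmatch(r"(Total|TotalUP|TotalDown)\s*:\s*(\d+)", line.strip())
        if m:
            counters[m.group(1)] = int(m.group(2))
        elif pending is None and len(fields) == len(ROW1):
            pending = dict(zip(ROW1, fields))
        elif pending is not None and len(fields) == len(ROW2):
            links.append({**pending, **dict(zip(ROW2, fields))})
            pending = None
    return counters, links

def down_peers(text):
    """(name, ext_state, peer IP) for each link that is not up: the peers to test and capture."""
    counters, links = parse_servicelinks(text)
    down = [l for l in links if l["status"] != "up"]
    if counters.get("TotalDown") not in (None, len(down)):
        raise ValueError("TotalDown does not match parsed rows; check the layout")
    return [(l["name"], l["ext_state"], l["peer"]) for l in down]
```

Run `down_peers()` on the text of the downloaded tech support file; a `ValueError` means the section did not follow the assumed two-line layout and should be read by hand.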

       



      Additional Information


      For more details refer to Prisma Access ZTNA Connector.


