IPsec tunnel status always in green even remote interface is down


23157
Created On 09/25/18 17:42 PM - Last Modified 06/06/23 02:48 AM


Resolution


The IPsec tunnel status always shows green even if the remote interface is down or there is no connectivity.

Until the SA renegotiates, the tunnel will still show as green.

By default, if the IPsec tunnel is up and the remote device goes down, the IPsec tunnel will not go down until the IPsec phase 2 lifetime expires. Once it expires, the firewall will try to re-negotiate, and since the remote interface is down, the tunnel will go down.

Configure tunnel monitoring on both ends.

Tunnel monitoring is used to keep a VPN tunnel communicating with the other VPN endpoint. A tunnel monitoring profile specifies one of two actions to take if the tunnel is not available: wait-recover or fail-over. Monitoring uses ping packets, sourced from the tunnel interface IP, to check VPN tunnel connectivity, so you need to assign an IP address to the tunnel interface.

Wait-recover tells the firewall to wait for the tunnel to recover and not take additional action.

Fail-over will force traffic to a back-up path if one is available.

In both cases the firewall will try to negotiate new IPsec keys to accelerate the recovery. This option alerts you to any tunnel failures and provides automatic failover to another interface.
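As an added example that is not part of the article, the tunnel monitoring setup described above expressed as PAN-OS CLI set commands; the tunnel name, profile name, tunnel.1 interface and the 10.255.0.0/30 addresses are assumed, and the exact keyword syntax should be confirmed against the CLI reference for the PAN-OS version in use:

```text
# Added example: hypothetical names and addresses; verify syntax on your PAN-OS version.
# 1. Monitor profile: ping every 3 s, declare the tunnel down after 5 consecutive misses,
#    then wait for it to recover (use "action fail-over" when a backup path exists).
set network tunnel monitor-profile tmon-wait action wait-recover interval 3 threshold 5

# 2. The tunnel interface needs an IP address, because monitor pings are sourced from it.
set network interface tunnel units tunnel.1 ip 10.255.0.1/30

# 3. Bind the IPsec tunnel to the interface and enable monitoring towards the peer's tunnel IP.
set network tunnel ipsec vpn-siteB tunnel-interface tunnel.1
set network tunnel ipsec vpn-siteB tunnel-monitor enable yes
set network tunnel ipsec vpn-siteB tunnel-monitor destination-ip 10.255.0.2
set network tunnel ipsec vpn-siteB tunnel-monitor tunnel-monitor-profile tmon-wait
commit

# Repeat on the remote firewall with mirrored addresses (tunnel.1 = 10.255.0.2/30,
# destination-ip 10.255.0.1) so both ends detect the failure, as the article recommends.
```

After the commit, `show vpn flow name vpn-siteB` is expected to report the tunnel monitor state; once the peer stops answering for threshold x interval seconds (15 s with these values), the monitor marks the tunnel down instead of waiting for the phase 2 lifetime to expire.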


Other helpful articles:

Dead Peer Detection and Tunnel Monitoring

How to Verify if the IPSec Tunnel Monitoring is Working?
