https://live.paloaltonetworks.com/t5/general-topics/how-vpn-test-commands-work/m-p/152761#M50487 <P>What happens behind the scenes when you run..</P><P>&nbsp;</P><P>test vpn ike-sa gateway &lt;name&gt;</P><P>&nbsp;</P><P>or</P><P>&nbsp;</P><P>test vpn ipsec-sa tunnel &lt;name&gt;</P><P>&nbsp;</P><P>Is there a debug which will show you the test packets sent/received?</P><P>&nbsp;</P> Sun, 16 Apr 2017 22:42:46 GMT palomed 2017-04-16T22:42:46Z https://live.paloaltonetworks.com/t5/general-topics/how-vpn-test-commands-work/m-p/152761#M50487 <P>What happens behind the scenes when you run..</P><P>&nbsp;</P><P>test vpn ike-sa gateway &lt;name&gt;</P><P>&nbsp;</P><P>or</P><P>&nbsp;</P><P>test vpn ipsec-sa tunnel &lt;name&gt;</P><P>&nbsp;</P><P>Is there a debug which will show you the test packets sent/received?</P><P>&nbsp;</P> Sun, 16 Apr 2017 22:42:46 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vpn-test-commands-work/m-p/152761#M50487 palomed 2017-04-16T22:42:46Z https://live.paloaltonetworks.com/t5/general-topics/how-vpn-test-commands-work/m-p/152772#M50488 <P>test vpn ike-sa gateway &lt;name&gt;</P><P>Will negotiate VPN Phase 1 with VPN Peer.</P><P>&nbsp;</P><P>test vpn ipsec-sa tunnel &lt;name&gt;</P><P>Will negotiate VPN Phase 1 and if this is successful then Phase 2 with VPN Peer.</P><P>&nbsp;</P><P>If you troubleshoot VPN and try to initiate traffic from workstation they you have to have routing and firewall rules correct.</P><P>Using those commands help you to verify if underlying VPN is set correctly without checking routing or security policies.</P><P>&nbsp;</P><P>If you use those commands then your firewall is initiator. If VPN config does not match then responder does not tell you what is wrong so not much troubleshooting you can do at initiator side.</P><P>&nbsp;</P><P>If Palo is responder then you can take packet capture to troubleshoot Phase 1 settings and ike pcap to troubleshoot Phase 2.</P><P><A title="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-issues/ta-p/59187" href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-issues/ta-p/59187" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-issues/ta-p/59187</A></P> Mon, 17 Apr 2017 03:08:08 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vpn-test-commands-work/m-p/152772#M50488 Raido_Rattameister 2017-04-17T03:08:08Z https://live.paloaltonetworks.com/t5/general-topics/how-vpn-test-commands-work/m-p/152808#M50493 <P>In addition to the&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;comment,&nbsp;VPN &nbsp;the only effective way to troubleshoot is to check the logs from the responder side. Responder side will say why VPN is failing and record everything into the&nbsp;log file but it will not send this info to the initiator. This is per design. Similar we can compare when we submitting our credentials to the other side. We only see a message "your username or password is incorrect". But another side has all records exactly&nbsp;why.</P> Mon, 17 Apr 2017 10:22:44 GMT https://live.paloaltonetworks.com/t5/general-topics/how-vpn-test-commands-work/m-p/152808#M50493 TranceforLife 2017-04-17T10:22:44Z