Active tunnel

L4 Transporter

I have created site-to-site VPN tunnels from a Palo Alto 3020 to ASA 5505 firewalls. They show green and active through the CLI and the web console, but when I try to ping a server on the other side of the tunnel I get no reply. Is the tunnel up? Is it really passing traffic?


L6 Presenter

Hello Infotech,

The tunnel has Phase 1 and Phase 2; make sure both are up. There should be two green marks, not just one.

If one mark is green and the other one is red, then one of the phases is down. Fix the tunnel.

If both marks are green, then check the traffic log for the destination; the packet might be reaching the ASA but getting no response.


Hardik Shah

Both are marked green on the console. I just cannot ping the server on the other side, and the server is up and running.

- Continuously ping the server.

- Execute the command

show session all filter source <s> destination <d>

- Find the session ID from the above command, then give the output of show session id <id>

- Provide me the above output.

If there are c2s packets and 0 packets for s2c, it's an ASA issue.

L4 Transporter

Hello Infotech,

Check the system log to troubleshoot.

Verify that you have a valid route for the network pointing to the tunnel interface.

Make sure the Proxy IDs for local and remote are configured to match the ASA.

ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])

103483  ping           ACTIVE  FLOW[7507]/Inside/1  ([7507])
vsys1                           [136]/HergetVPNZone  ([136])
103622  ping           ACTIVE  FLOW[7507]/Inside/1  ([7507])
vsys1                           [134]/HergetVPNZone  ([134])
103927  undecided      ACTIVE  FLOW[33950]/Inside/6  ([33950])
vsys1                           [135]/HergetVPNZone  ([135])
103316  ping           ACTIVE  FLOW[7507]/Inside/1  ([7507])
vsys1                           [133]/HergetVPNZone  ([133])
103680  undecided      ACTIVE  FLOW[49193]/Inside/6  ([49193])
vsys1                           [135]/HergetVPNZone  ([135])
103032  ping           ACTIVE  FLOW[7507]/Inside/1  ([7507])
vsys1                           [135]/HergetVPNZone  ([135])
103841  ping           ACTIVE  FLOW[7507]/Inside/1  ([7507])
vsys1                           [132]/HergetVPNZone  ([132])
103696  ping           ACTIVE  FLOW[7507]/Inside/1  ([7507])
vsys1                           [137]/HergetVPNZone  ([137])


Provide me the output for "show session id 103483".

Session          103483

        c2s flow:
                source: [Inside]
                proto:       1
                sport:       7507            dport:      136
                state:       INIT            type:       FLOW
                src user:    herget_bank_nt\w469pa
                dst user:    unknown
                pbf rule:    Peoria_VPN_ITV3 7

        s2c flow:
                source: [HergetVPNZone]
                proto:       1
                sport:       136             dport:      7507
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    herget_bank_nt\w469pa

        start time                    : Mon Jun 30 16:11:00 2014
        timeout                       : 6 sec
        total byte count(c2s)         : 98
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 0
        vsys                          : vsys1
        application                   : ping
        rule                          : To Herget VPNs
        session to be logged at end   : True
        session in session ager       : False
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : True
        captive portal session        : False
        ingress interface             : vlan.1
        egress interface              : tunnel.1
        session QoS rule              : N/A (class 4)

It's a problem with the ASA.

Please find my analysis.

layer7 packet count(c2s)      : 1         --- The firewall allowed the packet and sent it
layer7 packet count(s2c)      : 0         --- No reply came from the ASA
egress interface              : tunnel.1  --- The packet was sent on tunnel.1

This was the error on the ASA side:

4 Jun 30 2014 04:40:04 IPSEC: Received an ESP packet (SPI= 0x878E32A7, sequence number= 0x15C) from (user= to  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as, its source as, and its protocol as tcp.  The SA specifies its local proxy as Peoria-Data/ and its remote_proxy as Sunset-Network/
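An added Python helper (not from the thread, and not a Palo Alto tool) that applies Hardik's c2s/s2c reasoning to a "show session id" dump: it parses the per-direction counters and the egress interface, then reports whether the firewall sent packets into the tunnel without getting any back, which is the one-way pattern that pointed at the proxy-ID mismatch in the ASA log above. The embedded sample is constructed to match the output in the thread; its 10.x addresses are placeholders, because the thread's copy had them stripped.

```python
import re

# Constructed sample modelled on the "show session id 103483" output in the thread.
# The thread's copy had IP addresses stripped; the 10.x addresses here are placeholders.
SAMPLE = """\
Session          103483
        c2s flow:
                source: 10.1.1.10 [Inside]
                sport:       7507            dport:      136
        s2c flow:
                source: 10.2.2.20 [HergetVPNZone]
                sport:       136             dport:      7507
        total byte count(c2s)         : 98
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 0
        application                   : ping
        session traverses tunnel      : True
        ingress interface             : vlan.1
        egress interface              : tunnel.1
"""

# Per-direction counters such as "layer7 packet count(s2c)      : 0"
COUNTER = re.compile(r"^\s*(total byte count|layer7 packet count)\((c2s|s2c)\)\s*:\s*(\d+)", re.M)
# Single-value fields the diagnosis needs
FIELD = re.compile(r"^\s*(application|session traverses tunnel|egress interface)\s*:\s*(\S+)", re.M)

def parse_session(text):
    """Return one session's counters and fields as a flat dict (e.g. packets_s2c, egress_interface)."""
    info = {}
    for name, direction, value in COUNTER.findall(text):
        kind = "bytes" if name.startswith("total") else "packets"
        info[f"{kind}_{direction}"] = int(value)
    for name, value in FIELD.findall(text):
        info[name.replace(" ", "_")] = value
    return info

def diagnose(info):
    """Apply the thread's reasoning: c2s > 0 with s2c == 0 means the remote side never answered."""
    if info.get("packets_c2s", 0) == 0:
        return "no client packets in the session: check security policy and routing on the firewall"
    if not info.get("egress_interface", "").startswith("tunnel."):
        return "traffic is not egressing a tunnel interface: check the route to the remote network"
    if info.get("packets_s2c", 0) == 0:
        return "one-way traffic: sent into the tunnel, nothing returned; check the peer (e.g. proxy-ID/SA mismatch on the ASA)"
    return "bidirectional traffic: the tunnel is passing packets"

if __name__ == "__main__":
    print(diagnose(parse_session(SAMPLE)))
```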
