Tunnel flow

L4 Transporter

How do you check to see if there is bidirectional flow on a VPN tunnel?


L7 Applicator

Hello Infotech,

The SPI (Security Parameter Index) value will be the same for a specific Proxy-ID. Hence there will be a pair of keys, for encryption and decryption. You will be able to see encap/decap or incoming/outgoing bytes from the tunnel's point of view.

> show vpn flow tunnel-id XX ---

Thanks

So this is showing flow in and out of tunnel7, so why isn't communication between my two sites connected by this tunnel working?

tunnel  DR_IPSec_Tunnel7
        id:                     130
        type:                   IPSec
        gateway id:             7
        local ip:               66.94.196.107
        peer ip:                66.94.208.114
        inner interface:        tunnel.7
        outer interface:        ethernet1/3
        state:                  active
        session:                4635
        tunnel mtu:             1428
        lifetime remain:        1201 sec
        latest rekey:           2399 seconds ago
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       170
        local spi:              9AC6CEDC
        remote spi:             DF67E405
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA1
        enc  algorithm:         AES256
        proxy-id local ip:      0.0.0.0/0
        proxy-id remote ip:     0.0.0.0/0
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       734
        receive sequence:       600
        encap packets:          734
        decap packets:          600
        encap bytes:            86352
        decap bytes:            72000
        key acquire requests:   0

Hello Infotech,

As I mentioned before, there will be only one pair of keys, for encryption and decryption.

local spi:              9AC6CEDC  >>>>>>>>>>>> It will be used for encrypting traffic going into the tunnel.

remote spi:             DF67E405  >>>>>>>>>>>> It will be used for decrypting traffic coming through the tunnel from the other end FW.

So, there is no specific way to track bidirectional flow through the VPN (with a 0.0.0.0/0 proxy ID, it will eventually pass all traffic through the tunnel).

But if you configure a specific proxy-ID, for example SRC 1.1.1.1/32 and DST 2.2.2.2/32, then you may monitor the encap packets/decap packets counters to know whether the PAN is receiving as well as sending (bidirectional flow).

Thanks
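One way to apply the advice in this thread, as an added example that is not part of the original posts and not a Palo Alto Networks tool: the script below parses the `show vpn flow tunnel-id` output pasted above, takes a second sample a few seconds later, and reports whether both the encap and the decap counter advanced (the actual bidirectional check) and whether any authentication, decryption or replay counter moved in between. The first sample is the thread's own output, trimmed to the relevant lines; the later samples are constructed. The parser keys only off the counter names visible in that output; nothing else about the firewall is assumed.

```python
"""Check an IPsec tunnel for bidirectional traffic from two samples of
`show vpn flow tunnel-id <id>` output (PAN-OS CLI).

Added example for this thread, not a Palo Alto Networks tool: the parser
keys off the counter names visible in the pasted output; nothing else about
the firewall is assumed.
"""
import re

# Direction counters from the CLI output.
TX_COUNTER = "encap packets"   # packets this firewall encrypted and sent
RX_COUNTER = "decap packets"   # packets received from the peer and decrypted

# Counters that must stay flat on a healthy tunnel.
ERROR_COUNTERS = (
    "authentication errors",
    "decryption errors",
    "inner packet warnings",
    "replay packets",
)


def parse_vpn_flow(text: str) -> dict:
    """Turn the 'key: value' lines of the CLI output into a dict.

    Purely numeric values become ints; everything else (SPIs, IPs, 'active')
    stays a string.  The 'tunnel <name>' header is kept under 'tunnel'; the
    'packets received' sub-heading has no value and is skipped, while its
    indented children ('when lifetime expired:0') parse like any other line.
    """
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^tunnel\s+(\S+)$", line)
        if header:
            info["tunnel"] = header.group(1)
            continue
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        info[key] = int(value) if value.isdigit() else value
    return info


def diagnose(before: dict, after: dict) -> dict:
    """Compare two samples taken a few seconds apart.

    One snapshot only proves that traffic has flowed at some point since the
    counters were last reset; the tunnel is bidirectional *now* only if both
    the encap and the decap counter advanced between the samples.
    """
    tx = after[TX_COUNTER] - before[TX_COUNTER]
    rx = after[RX_COUNTER] - before[RX_COUNTER]
    errors = {}
    for name in ERROR_COUNTERS:
        delta = after.get(name, 0) - before.get(name, 0)
        if delta > 0:
            errors[name] = delta

    if after.get("state") != "active":
        verdict = "tunnel not active"
    elif tx > 0 and rx > 0:
        verdict = "bidirectional"
    elif tx > 0:
        verdict = "one-way: sending only, nothing decapsulated from the peer"
    elif rx > 0:
        verdict = "one-way: receiving only, nothing encapsulated toward the peer"
    else:
        verdict = "idle: neither counter moved"
    return {"tunnel": after.get("tunnel"), "encap_delta": tx,
            "decap_delta": rx, "errors": errors, "verdict": verdict}


# First sample: the relevant lines of the output pasted in this thread.
SAMPLE_T0 = """\
tunnel  DR_IPSec_Tunnel7
        id:                     130
        state:                  active
        local spi:              9AC6CEDC
        remote spi:             DF67E405
        proxy-id local ip:      0.0.0.0/0
        proxy-id remote ip:     0.0.0.0/0
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
        encap packets:          734
        decap packets:          600
"""


def _with(sample: str, key: str, value: int) -> str:
    """Constructed-data helper: rewrite one numeric counter in a sample."""
    return re.sub(rf"({re.escape(key)}:\s*)\d+", rf"\g<1>{value}", sample)


# Constructed second samples (not from the thread), as if taken ~30 s later.
SAMPLE_T1_ONEWAY = _with(SAMPLE_T0, "encap packets", 760)
SAMPLE_T1_BOTH = _with(_with(SAMPLE_T1_ONEWAY, "decap packets", 641),
                       "replay packets", 3)

if __name__ == "__main__":
    t0 = parse_vpn_flow(SAMPLE_T0)
    for label, sample in (("one-way", SAMPLE_T1_ONEWAY), ("both", SAMPLE_T1_BOTH)):
        print(label, diagnose(t0, parse_vpn_flow(sample)))
```

Take the first sample, generate test traffic from a host behind each site, then take the second. If decap advances but the hosts still cannot talk, the tunnel itself is carrying the peer's packets and the fault lies after decapsulation (routing to tunnel.7 or the security policy on the zones involved); if encap advances and decap stays flat, the peer is either not sending or its return traffic never reaches this firewall. With the 0.0.0.0/0 proxy-IDs in the pasted output the counters include every host's traffic across the tunnel, which is why the reply suggests narrower proxy-IDs when the increments need to be attributed to particular hosts.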
