Though you can find many reasons for a not working site-to-site VPN in the system log in the GUI, some CLI commands might be useful.
To reveal whether if packets traverse through a VPN connection: (it shows the number of encap/decap packets and bytes, i.e., the actual traffic flow)
#show vpn flow name <value>
Or use the counter values for ipsec issues:
#show counter global filter delta yes | match ipsec
And for a detailled debugging of IKE, enable the debug (without any more options)
#debug ike pcap on
then follow the pcap with
#view-pcap follow yes debug-pcap ikemgr.pcap
and do NOT forget to set the debugging off!
#debug ike pcap off
The complete ikemgr.pcap can be downloaded from the Palo with scp or tftp, e.g.:
#scp export debug-pcap from ikemgr.pcap to <username@host:path>
show log system subtype equal vpn direction equal backward
#show session all filter application ike