PaloAlto - VPN Troubleshooting


Although the system log in the GUI already shows many reasons why a site-to-site VPN is not working, a few CLI commands can be useful as well.

To check whether packets actually traverse a VPN tunnel (the output shows the number of encapsulated/decapsulated packets and bytes, i.e., the actual traffic flow in each direction):

#show vpn flow name <value>
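As an added example that is not part of the original page, a small Python helper that compares two snapshots of the encap/decap packet counters (taken a few seconds apart while test traffic is running) and tells you whether the tunnel carries traffic in both directions, in one direction only, or not at all. The field names in the sample snapshots are constructed for illustration and are not the exact `show vpn flow name` output; adjust `COUNTER_RE` to the real output.

```python
import re
from typing import Dict, Tuple

# Constructed sample snapshots (assumed layout, not real PAN-OS output).
SNAPSHOT_T0 = """\
tunnel  vpn-to-branch
        encap packets:   1200
        encap bytes:     96000
        decap packets:   1180
        decap bytes:     94400
"""
SNAPSHOT_T1 = """\
tunnel  vpn-to-branch
        encap packets:   1500
        encap bytes:     120000
        decap packets:   1180
        decap bytes:     94400
"""

# Matches lines like "encap packets:   1200" in the assumed layout.
COUNTER_RE = re.compile(r"^\s*(encap|decap)\s+(packets|bytes):\s+(\d+)\s*$", re.M)


def parse_counters(text: str) -> Dict[str, int]:
    """Return e.g. {'encap packets': 1200, 'decap bytes': 94400, ...}."""
    return {f"{d} {u}": int(v) for d, u, v in COUNTER_RE.findall(text)}


def classify(before: Dict[str, int], after: Dict[str, int]) -> Tuple[str, int, int]:
    """Classify the tunnel state from the counter deltas between two snapshots."""
    d_encap = after["encap packets"] - before["encap packets"]
    d_decap = after["decap packets"] - before["decap packets"]
    if d_encap < 0 or d_decap < 0:
        verdict = "counter-reset"      # counters went backwards: take two fresh snapshots
    elif d_encap > 0 and d_decap > 0:
        verdict = "bidirectional"      # traffic flows both ways, the tunnel itself is fine
    elif d_encap > 0:
        verdict = "one-way-outbound"   # we encrypt, nothing returns: check the remote side / return route
    elif d_decap > 0:
        verdict = "one-way-inbound"    # peer sends, we never encapsulate: check local routing / policy
    else:
        verdict = "idle"               # nothing enters the tunnel: check route to tunnel, proxy IDs, SA state
    return verdict, d_encap, d_decap


def diagnose(t0: str, t1: str) -> Tuple[str, int, int]:
    return classify(parse_counters(t0), parse_counters(t1))


if __name__ == "__main__":
    print(diagnose(SNAPSHOT_T0, SNAPSHOT_T1))  # ('one-way-outbound', 300, 0)
```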

Or look at the global counters for IPsec-related issues (with delta yes only the counters that changed since the last run are shown, so run it twice while the problem occurs):

#show counter global filter delta yes | match ipsec

For detailed debugging of IKE, enable the packet capture of the IKE daemon (without any further options):

#debug ike pcap on

Then follow the capture live with:

#view-pcap follow yes debug-pcap ikemgr.pcap

And do NOT forget to turn the debugging off again afterwards:

#debug ike pcap off

The complete ikemgr.pcap can be downloaded from the Palo Alto with scp or tftp for analysis, e.g.:

#scp export debug-pcap from ikemgr.pcap to <username@host:path>

To list the VPN-related system log entries on the CLI, newest first:

#show log system subtype equal vpn direction equal backward

And to list the IKE sessions the firewall currently sees:

#show session all filter application ike