Skip to main content



Cisco Defense Orchestrator

Virtual Private Network Management

IPsec Site-to-Site Virtual Private Network Management

Cisco Defense Orchestrator (CDO) enables you to manage virtual private network (VPN) configuration on your ASA and ASAv devices. With device onboarding, relevant configurations for IPSec Site-to-Site VPN tunnels are parsed, processed, and presented to the user. There are two presentation schemes:

  • Table View. A complete view of all Site-to-Site VPN tunnels available across all ASAs onboarded to CDO. This view enable users to sort, search and filter across all tunnels, and identity VPN tunnels issues such as the tunnel connectivity state, its key encryption policy as well as the ability to check status of a specific tunnel (active or idle).
  • Diagram View. CDO also provides a linkage, leveraging a tunnel illustration diagram, between all tunnel peers in order to show connections in a ‘Hub & Spoke’ model.

Use Cases

Managing IPsec Site-to-Site VPN configuration through CDO, a user can:
  • View all configured VPN tunnels, connectivity status and last successful established date
  • View key exchange for all tunnels for obsolete or low encryption tunnels
  • Identify VPN issues such as:
    • Missing peer IP address
    • IKEv1 or IKEv2 keys are invalid, missing, or mismatched
    • Incomplete or misconfigured access lists defined for a given tunnel

Connectivity Status

Tunnels for all onboarded devices are monitored on an hourly basis to identify the status of that tunnel, either Active or Idle. On-demand status checks can be performed by clicking the “Check Status” button for the selected tunnel. These are the tunnel status types: 

  • Active - There is an open session where network packets are traversing the VPN tunnel or a successful session was established and has not timed-out.
  • Idle - CDO was unable to discover an open session for this tunnel. The VPN tunnel may either be not in use or there is an issue with this tunnel requiring further investigation

Connectivity check command run: sh vpn-sessiondb l2l ipaddress

Last Active field indicates the last time CDO discovered the tunnel connectivity status as set to Active. Note that Model ASA device(s), tunnels will always show as Idle.

Search and Filter VPN Tunnels

Cisco Defense Orchestrator provides users the ability to narrow and focus search results when navigating the device and organization views. The table view provides a full view across all tunnels available in your organization and the tunnel diagram view presents up to 25 VPN tunnels. In both table and diagram views, users can pivot to a specific tunnel by using filters including: Devices (managed or unmanaged by CDO), device names, connectivity status. Users can search on the device name and the ASA’s IP address.

  • Tunnel Issues - Allows you to easily locate VPN Tunnels with connectivity issues. See Identify VPN Issues for more information.
  • Status - Tunnel status, see connectivity status checks section for more information.
  • Managed/Unmanaged - Indicates if the device is under CDO management, or not.
  • Live/Model - Provide the ability to filter based on a live managed device or an ASA Model configuration
  • Was this article helpful?