Cisco Defense Orchestrator (CDO) enables you to manage IPsec site-to-site virtual private network (VPN) configurations. There are three presentation schemes on the VPN Tunnels page. Each of these views allows users to sort, search and filter tunnels, identify VPN tunnels with issues, and check status of a specific tunnel (active or idle).
View Site-to-Site VPN Tunnels
- Global View. An illustration of all site-to-site VPN tunnels across all FTDs onboarded to your tenant. Open the VPN page and click the Global View button in the filter panel.
In the following example, the illustration shows that FTD_BGL_972 has site-to-site tunnels to the devices FTD_BGL_973 and FTD_BGL_974.
- Table View. A complete listing of all site-to-site VPN tunnels available across all ASAs, FTDs, and AWS VPCs onboarded to CDO. A tunnel only exists once in this list. Clicking on a tunnel listed in the table provides an option in the right side bar to navigate directly to a tunnel's peers for further investigation.
If CDO does not manage both sides of a tunnel, you can click Onboard Device to open the main onboarding page and onboard the unmanaged peer. If CDO manages the devices on both sides of a tunnel, the Peer 2 column contains the name of the managed device; otherwise it shows the peer IP address of the tunnel.
Open the VPN page and click the Table View button to display the Table View.
Filter and Search for Site-to-Site Tunnels in the VPN Tunnels Page
Use the filter sidebar in combination with the search field to focus your search of VPN tunnels presented in the VPN tunnel diagram.
- From the main navigation bar, navigate VPN > Site-to-Site VPN.
- Click the filter icon to open the filter pane.
- Use these filters to refine your search:
- Filter by Device - Click Filter by Device, select the device type tab, and check the devices you want to include in the results.
- Tunnel Issues - Whether CDO has detected an issue on either side of the tunnel. Examples of issues include, but are not limited to, a missing associated interface, peer IP address, or access list, and IKEv1 proposal mismatches between the peers. (Detecting tunnel issues is not yet available for AWS VPC VPN tunnels.)
- Devices/Services - Filter by type of device.
- Status - Tunnel status can be active or idle.
- Active - There is an open session in which network packets are traversing the VPN tunnel, or a session was established successfully and has not timed out yet. An active status indicates that the tunnel is in use and still relevant.
- Idle - CDO was unable to discover an open session for this tunnel. The tunnel may be unused, or there may be an issue with it.
- Onboarded - Whether the devices at the ends of the tunnel are managed by CDO (onboarded) or not managed (unmanaged).
- Device Types - Whether either side of the tunnel is a live (connected) device or a model device.
- You can also search the filtered results by device name or IP address by entering that information in the search bar. The search is case-insensitive.
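The following Python script is an added illustration of the table-view semantics described above (one entry per tunnel, the Peer 2 display rule, the tunnel-issue examples, and the status, onboarded and case-insensitive search filters). It is not CDO code and does not reproduce how CDO discovers tunnels: the record layout, the field names, the rule that a tunnel counts as onboarded only when both peers are managed, and the comparison of IKEv1 proposals as exact matches on encryption, hash, DH group and authentication are assumptions made for this example, and the inventory at the bottom is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ikev1Proposal:
    # Assumed proposal shape: two peers match only if all four fields agree.
    encryption: str
    hash_alg: str
    dh_group: int
    auth: str


@dataclass(frozen=True)
class Peer:
    ip: str
    managed: bool                       # True if CDO manages this device
    name: Optional[str] = None          # device name, known only for managed peers
    interface: Optional[str] = None     # associated tunnel interface (managed peers only)
    acl: Optional[str] = None           # interesting-traffic access list (managed peers only)
    proposals: tuple = ()               # Ikev1Proposal entries (managed peers only)


@dataclass(frozen=True)
class Tunnel:
    peer1: Peer
    peer2: Peer
    status: str                         # "active" or "idle"


def tunnel_key(t: Tunnel) -> frozenset:
    """The same tunnel seen from either device maps to one unordered key."""
    return frozenset((t.peer1.ip, t.peer2.ip))


def dedupe(tunnels):
    """Keep each tunnel once, as the table view does."""
    seen = {}
    for t in tunnels:
        seen.setdefault(tunnel_key(t), t)
    return list(seen.values())


def peer2_display(t: Tunnel) -> str:
    """Peer 2 column: managed device name, otherwise the peer IP address."""
    return t.peer2.name if t.peer2.managed and t.peer2.name else t.peer2.ip


def tunnel_issues(t: Tunnel):
    """Flag the kinds of issues named above. Unmanaged peers expose only an address,
    so config checks and the IKEv1 comparison run only where both sides are managed."""
    issues = []
    for side in (t.peer1, t.peer2):
        if not side.ip:
            issues.append("missing peer IP address")
        if side.managed:
            if not side.interface:
                issues.append(f"{side.name}: missing associated interface")
            if not side.acl:
                issues.append(f"{side.name}: missing access list")
    if t.peer1.managed and t.peer2.managed:
        if not set(t.peer1.proposals) & set(t.peer2.proposals):
            issues.append("IKEv1 proposal mismatch")
    return issues


def filter_tunnels(tunnels, status=None, has_issues=None, onboarded=None, query=None):
    """Apply the Status, Tunnel Issues and Onboarded filters, then a case-insensitive
    search over device names and IP addresses."""
    q = query.lower() if query else None
    out = []
    for t in tunnels:
        if status and t.status != status:
            continue
        if has_issues is not None and bool(tunnel_issues(t)) != has_issues:
            continue
        if onboarded is not None and (t.peer1.managed and t.peer2.managed) != onboarded:
            continue
        if q:
            fields = [t.peer1.ip, t.peer2.ip, t.peer1.name or "", t.peer2.name or ""]
            if not any(q in f.lower() for f in fields):
                continue
        out.append(t)
    return out


# Constructed sample inventory (not real devices or addresses).
AES_SHA_G14 = Ikev1Proposal("aes-256", "sha", 14, "pre-share")
AES_SHA_G2 = Ikev1Proposal("aes-256", "sha", 2, "pre-share")
FTD_972 = Peer("10.0.1.1", True, "FTD_BGL_972", "outside", "VPN_972", (AES_SHA_G14,))
FTD_973 = Peer("10.0.2.1", True, "FTD_BGL_973", "outside", "VPN_973", (AES_SHA_G14,))
FTD_974 = Peer("10.0.3.1", True, "FTD_BGL_974", "outside", None, (AES_SHA_G2,))
BRANCH = Peer("203.0.113.7", False)  # unmanaged peer: only its address is known

TUNNELS = [
    Tunnel(FTD_972, FTD_973, "active"),
    Tunnel(FTD_973, FTD_972, "active"),   # same tunnel, discovered from the other device
    Tunnel(FTD_972, BRANCH, "idle"),
    Tunnel(FTD_974, FTD_973, "idle"),     # DH group 2 vs 14, and no ACL on FTD_BGL_974
]

if __name__ == "__main__":
    for t in dedupe(TUNNELS):
        print(t.peer1.name, "->", peer2_display(t), t.status, tunnel_issues(t))
```

Running the script lists three tunnels (the duplicate discovered from FTD_BGL_973 collapses into the first entry), shows the unmanaged branch peer by address, and reports both the missing access list and the IKEv1 mismatch on the FTD_BGL_974 tunnel, which is what the Tunnel Issues filter would surface.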