


Cisco Defense Orchestrator

Search and Filter Site-to-Site VPN Tunnels

Cisco Defense Orchestrator (CDO) enables you to manage IPsec site-to-site virtual private network (VPN) configurations. There are three presentation schemes on the VPN Tunnels page. Each of these views allows users to sort, search, and filter tunnels, identify VPN tunnels with issues, and check the status of a specific tunnel (active or idle).

  • Global View. An illustration of all site-to-site VPN tunnels available across all FTDs onboarded to your tenant. Open the VPN page and click the Global View button in the filter panel.
    In the following example, the illustration shows that FTD_BGL_972 has a site-to-site connection with the FTD_BGL_973 and FTD_BGL_974 devices.
  • Diagram View. An illustration of only the site-to-site VPN tunnels associated with the FTD you selected. Open the VPN page and click Diagram View in the filter panel.
  • Table View. A complete listing of all site-to-site VPN tunnels available across all ASAs and FTDs onboarded to CDO. A tunnel appears only once in this list. Clicking a tunnel listed in the table provides an option in the right sidebar to navigate directly to the tunnel's peers for further investigation.

In cases where CDO does not manage both sides of a tunnel, you can click Onboard Device to open the main onboarding page and onboard the unmanaged peer. In cases where CDO manages the devices on both sides of a tunnel, the Peer 2 column contains the name of the managed device; otherwise, it displays the peer IP address of the tunnel.

Open the VPN page and click Table View to display the table.

Use the filter sidebar in combination with the search field to focus your search of VPN tunnels presented in the VPN tunnel diagram.

  • Tunnel Issues - Whether CDO has detected issues on either side of the tunnel. Examples of a device having issues include, but are not limited to: a missing associated interface, peer IP address, or access list; ikev proposal mismatches; and so on.
  • Devices/Services - Filter by type of device.
  • Status - Tunnel status can be active or idle.
    • Active - There is an open session where network packets are traversing the VPN tunnel, or a successful session was established and has not timed out yet. An active status helps indicate that the tunnel is active and relevant.
    • Idle - CDO was unable to discover an open session for this tunnel; the tunnel may either not be in use or have an issue.
  • Onboarded - Devices can be managed by CDO or not managed (unmanaged) by CDO.
  • Device Types - Whether either side of the tunnel is a live (connected) device or a model device.

You can also search the filtered results by device name or IP address. The search is case-insensitive.
