Skip to main content



Cisco Defense Orchestrator

Identify VPN Issues

Use this procedure to filter your list of VPN tunnels and identify these VPN issues that CDO detects:

  • Missing peer IP address. 
  • IKEv1 or IKEv2 keys are invalid, missing, or mismatched.
  • Incomplete or misconfigured access lists defined for a given tunnel.
  1. In the CDO Portal, click the VPN tab.
  2. If you have reported Tunnel Issues, check Detected Issues. 


  1. In the VPN Tunnels table, select a VPN tunnel marked as having an issue. In the details pane, in the Peers area, you will see what that issue is. Here is an example of one VPN peer missing its other VPN peer:


  1. Click View Peers to see a diagram of the VPN connections and click the connection that corresponds to your error. 
  2. Double-click a spoke to view warnings and information about that site-to-site VPN configuration:
  • Tunnel Details: Provides the name of the tunnel and when it was last active. You can click the Check Connectivity button to check the latest connectivity between the spoke and the hub. It also shows the access control rule that connects both sides of the tunnel. 
  • NAT Information: Shows the NAT rules required for the tunnel.
  • Key Exchange: Shows the IKEv1 and IKEv2 transform sets, IPsec proposals for the tunnel, as well as to which interfaces the tunnel is connected.