Monitor site-to-site VPNs using Site-to-Site VPN dashboard
Choose to open the site to site dashboard.
The Site-to-Site VPN dashboard provides a snapshot and status of the site-to-site VPN tunnels. You can view the list of tunnels between peer devices and the status of each tunnel: Active, Inactive, or No Active Data. You can filter the data in the table according to the topology, device, and status. The dashboard shows live data and you can also configure the refresh interval.
Benefits of the dashboard
The dashboard provides these benefits:
- Identify problematic VPN tunnels and troubleshoot them.
- Verify connectivity between the site-to-site VPN peer devices.
- Monitor the health of the VPN tunnels to provide uninterrupted VPN connectivity between sites.
- Use Packet Tracer to troubleshoot VPN tunnels.
Widgets of the dashboard
- Tunnel Status—A table listing the tunnel status of the site-to-site VPNs, including the SASE tunnels for Umbrella, configured using the Cloud-Delivered Firewall Management Center. For more information, refer to Tunnel status widget.
- Tunnel Summary—Aggregated status of the tunnels in a donut graph.
- Topology—Status of tunnels summarized by topology.
Status of VPN tunnels
The different VPN tunnel statuses that you can view in the Site-to-Site dashboard are:
- Inactive—A policy-based (crypto map-based) VPN tunnel is inactive if all of its IPsec tunnels are down. A VTI or SASE topology VPN tunnel is down if the tunnel encounters any configuration or connectivity issues.
- Active—In the Cloud-Delivered Firewall Management Center, policy-based site-to-site VPNs are configured based on IKE policies and IPsec proposals that are assigned to VPN topologies. A policy-based VPN tunnel is in the Active state if the Cloud-Delivered Firewall Management Center identifies interesting traffic through the tunnel after the deployment. An IKE tunnel is up only if at least one IPsec tunnel is up.
  Route-based VPN (VTI) and SASE topology VPN tunnels do not require interesting traffic to be in the Active state. They are in the Active state if they are configured and deployed without errors.
- No Active Data—Policy-based and SASE topology VPN tunnels remain in the No Active Data state until there is a traffic flow event through the tunnel for the first time. The No Active Data state also lists the policy-based and route-based VPNs that have been deployed with errors.
Important notes about tunnel statuses in Cloud-Delivered Firewall Management Center
- The VPN statuses in the Cloud-Delivered Firewall Management Center are event-based. The Cloud-Delivered Firewall Management Center does not initiate status updates. Hence, there might be mismatches between the tunnel statuses in the dashboard and on the Firewall Threat Defense. You can view the correct status in the CLI Details tab of the Tunnel Status widget.
- When a Firewall Threat Defense fails over to a secondary Firewall Threat Defense, there is a mismatch between the status of the VPN tunnels in the Cloud-Delivered Firewall Management Center and on the Firewall Threat Defense. When the device switches back to the primary device, the correct tunnel status appears.
- The Cloud-Delivered Firewall Management Center does not update the tunnel status of Firewall Threat Defense devices running a version earlier than 7.3 after the devices reboot. We recommend that you bring the tunnel down using the command vpn-sessiondb logoff index and bring it up using Packet Tracer.
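The status rules above (Inactive, Active, No Active Data) and the note that the dashboard only learns of changes through events it receives can be pictured with a small model. The following Python is an added example, not code from the Cloud-Delivered Firewall Management Center or any Cisco product: the event schema, field names, tunnel names and sample data are all constructed for illustration. It replays a constructed event log through the documented state rules and then lists the tunnels whose dashboard state differs from what the device itself reports, which are the entries you would confirm in the CLI Details tab.

```python
"""Added example: model of how the Site-to-Site VPN dashboard derives a
tunnel's state from events, plus a check against the device's own view.
Event names, fields and sample data are constructed (hypothetical schema)."""
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    ACTIVE = "Active"
    INACTIVE = "Inactive"
    NO_ACTIVE_DATA = "No Active Data"


@dataclass
class Tunnel:
    name: str
    kind: str                     # "policy" (crypto map based), "vti" or "sase"
    deploy_errors: bool = False   # deployment finished with errors
    ipsec_up: int = 0             # IPsec SAs currently up (policy-based only)
    traffic_seen: bool = False    # a traffic-flow event arrived since deployment
    problem: bool = False         # configuration or connectivity issue (VTI/SASE)


def apply_event(t: Tunnel, event: dict) -> None:
    """Update a tunnel from one constructed event record."""
    kind = event["type"]
    if kind == "deployed":
        t.deploy_errors = bool(event.get("errors", False))
        t.ipsec_up, t.traffic_seen, t.problem = 0, False, False
    elif kind == "traffic":
        t.traffic_seen = True
    elif kind == "ipsec_up":
        t.ipsec_up += 1
    elif kind == "ipsec_down":
        t.ipsec_up = max(0, t.ipsec_up - 1)
    elif kind == "issue":
        t.problem = True
    elif kind == "recovered":
        t.problem = False
    else:
        raise ValueError(f"unknown event type {kind!r}")


def dashboard_status(t: Tunnel) -> Status:
    """Apply the state rules from the 'Status of VPN tunnels' section."""
    if t.deploy_errors:                 # deployed with errors -> No Active Data
        return Status.NO_ACTIVE_DATA
    if t.kind == "policy":
        if not t.traffic_seen:          # no interesting traffic seen yet
            return Status.NO_ACTIVE_DATA
        return Status.ACTIVE if t.ipsec_up > 0 else Status.INACTIVE
    if t.kind == "sase" and not t.traffic_seen:
        return Status.NO_ACTIVE_DATA    # SASE waits for the first traffic-flow event
    # VTI and SASE tunnels do not need interesting traffic to stay Active
    return Status.INACTIVE if t.problem else Status.ACTIVE


def replay(tunnels, events) -> dict:
    """Replay an ordered event log and return {tunnel name: dashboard status}."""
    by_name = {t.name: t for t in tunnels}
    for ev in events:
        apply_event(by_name[ev["tunnel"]], ev)
    return {name: dashboard_status(t) for name, t in by_name.items()}


def mismatches(dashboard: dict, device_cli: dict) -> list:
    """Tunnels whose dashboard state differs from the device's own (CLI) state.
    The dashboard is updated only by events it receives, so a missed event
    (reboot, failover) shows up here and should be verified on the device."""
    return sorted(n for n, s in dashboard.items() if device_cli.get(n) != s)


# Constructed sample data: three tunnels and an event log
SAMPLE_TUNNELS = [Tunnel("hq-branch1", "policy"),
                  Tunnel("hq-branch2", "vti"),
                  Tunnel("hq-umbrella", "sase")]
SAMPLE_EVENTS = [
    {"tunnel": "hq-branch1", "type": "deployed"},
    {"tunnel": "hq-branch2", "type": "deployed"},
    {"tunnel": "hq-umbrella", "type": "deployed"},
    {"tunnel": "hq-branch1", "type": "ipsec_up"},
    {"tunnel": "hq-branch1", "type": "traffic"},
    {"tunnel": "hq-branch1", "type": "ipsec_down"},   # last SA dropped -> Inactive
    {"tunnel": "hq-branch2", "type": "issue"},
]
# Constructed: what the device reports after a recovery the dashboard never saw
SAMPLE_DEVICE_VIEW = {"hq-branch1": Status.INACTIVE,
                      "hq-branch2": Status.ACTIVE,
                      "hq-umbrella": Status.NO_ACTIVE_DATA}

if __name__ == "__main__":
    view = replay(SAMPLE_TUNNELS, SAMPLE_EVENTS)
    for name, status in view.items():
        print(f"{name:12s} {status.value}")
    print("verify on device:", mismatches(view, SAMPLE_DEVICE_VIEW))
```

In the constructed log, hq-branch2 recovered on the device but no "recovered" event reached the dashboard, so the model still shows it as Inactive while the device reports Active; mismatches() returns exactly that tunnel, which mirrors the stale-status cases described in the notes above.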
Limitations of the dashboard
- The table shows the list of site-to-site VPNs, including SASE topology VPNs, that are deployed. It does not show tunnels that are created but not deployed.
- The table does not show information about the backup tunnels of policy-based VPNs or backup VTIs.
- For cluster deployments, the table does not show director changes in real time. It shows only the director information that existed when the VPN was deployed. The director change is reflected in the table only after the tunnel is redeployed following the change.