Monitor Branch Office VPNs
On the Branch Office VPN tab of the VPN Statistics page, branch office VPN tunnels configured on your Firebox, and the statistics and informational messages for the VPN tunnels, gateways, and TLS tunnels appear. You can review the status and statistics for those tunnels, and edit, debug, or rekey the tunnels.
View Branch Office VPN Tunnel Statistics
To see statistics for your branch office VPN tunnels:
- Select System Status > VPN Statistics.
- Select the Branch Office VPN tab.
The traffic statistics for Branch Office VPN tunnels appear.
- From the drop-down list select an option:
- Show All
- Virtual Interfaces
- TLS Tunnels
The available details for the selected option appear.
- To reduce the number of items that appear in the list, in the Search text box, type the text to filter on.
You can type a partial word to find all matching virtual interfaces and gateways in the list.
- To see more information about a virtual interface or a gateway, select the interface or gateway.
The interface or gateway expands to show the tunnel statistics.
- To see more information about a tunnel, select the tunnel.
The tunnel statistics appear.
Available Branch Office VPN Statistical Details
For each of the branch office VPN tunnels and gateways, these statistics appear:
The IP address at the local end of the tunnel.
The IP address at the remote end of the tunnel.
The number of bytes and packets sent out through the tunnel.
The number of bytes and packets received through the tunnel.
The date and time the tunnel was created.
The number of days and hours or bandwidth (MB) that remain before the tunnel expires.
The security protocol used to encrypt traffic through the tunnel.
The name tunnel assigned to the tunnel.
The gateway endpoints used by this tunnel.
Number of Rekeys
The number of rekeys for the tunnel.
The IP address of the of the user computer.
For each gateway and interface, if there are problems with the configuration, a warning, error, or informational message appears. These messages can help you troubleshoot problems with your branch office VPN tunnel configuration.
Change a Branch Office VPN Tunnel Configuration
When you view the statistics for the VPN gateways or interfaces on your Firebox, you can change the configuration from the Branch Office VPN tab.
- To change the VPN configuration, adjacent to a BOVPN tunnel, click Edit.
The Branch Office VPN page appears for the selected gateway or interface with the General Settings tab selected.
- Edit the settings for the VPN tunnel.
For more information about how to edit the tunnel settings, see Configure Manual BOVPN Gateways.
Debug Branch Office VPN Tunnels
To see configuration and status information for a branch office VPN gateway and the associated branch office VPN tunnels, you can run the VPN Diagnostic Report.
To run the VPN Diagnostic Report, adjacent to a tunnel, click Debug.
For more information, see Run VPN Statistical Reports.
Rekey Branch Office VPN Tunnels
The gateway endpoints of branch office VPN tunnels must generate and exchange new keys after either a set period of time or an amount of traffic passes through the tunnel. To immediately generate new keys before they expire, you can rekey a branch office VPN tunnel to force it to expire immediately. You can rekey a single tunnel, all tunnels for a gateway, or rekey all branch office VPN tunnels for your Firebox.
To rekey a branch office VPN tunnel:
- To force a single branch office VPN tunnel to rekey, adjacent to the tunnel, click Rekey tunnel.
- To force all branch office VPN tunnels for a gateway to rekey, adjacent to the gateway, click Rekey tunnels.
- To force all branch office VPN tunnels to rekey, click Rekey All Tunnels.
For more information, see Force a Branch Office VPN Tunnel Rekey.
Review and Remove Errors
The VPN diagnostic messages that appear for a tunnel indicate a problem with the tunnel route, or the Phase 2 settings for the tunnel. Each message includes the tunnel name. If a message relates to a VPN gateway, the gateway endpoint number is also included in the message.
VPN diagnostic errors indicate the VPN failed because of a configuration or connectivity issue. A red Error message indicates a diagnostic error with a gateway or tunnel.
VPN diagnostic warnings indicate a that a VPN is down because of an abnormal condition, such as a dead peer detection (DPD) failure. An orange Warning status indicates that a gateway or tunnel has a diagnostic warning.
VPN informational messages provide status details about the tunnel or gateway. For example, if a tunnel is inactive, the Inactive status appears. If a tunnel is inactive, you can rekey the tunnel to force VPN negotiations to restart.
If an error, warning, or informational message appears for any of your gateways, interfaces, or tunnels, you can expand and review the message. You can also clear the Error and Warning messages from the display.
For more information about branch office VPN diagnostic messages, see Use VPN Diagnostic Messages.
To review and remove a message:
- To expand and review the message, click the error, warning, or Informational message.
- To remove an error or warning message, adjacent to the gateway or interface, click Clear Errors.
The message is removed and the Clear Errors option disappears.