Monitor Branch Office VPNs

To monitor branch office VPNs, you can view this information on the VPN Statistics page:

  • Branch office VPN (BOVPN) tunnels configured on your Firebox
  • Statistics and informational messages for VPN tunnels, gateways, and TLS tunnels

You can also edit, debug, or rekey the tunnels on this page.

View Branch Office VPN Tunnel Statistics

To see statistics for your branch office VPN tunnels:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
    The traffic statistics for Branch Office VPN tunnels appear.
  3. From the drop-down list, select an option:
    • Show All
    • Virtual Interfaces
    • Gateways
    • TLS Tunnels

    The available details for the selected option appear.

  4. To reduce the number of items that appear in the list, in the Search text box, type the text to filter on.
    You can type a partial word to find all matching virtual interfaces and gateways in the list.
  5. To see more information about a virtual interface or a gateway, select the interface or gateway.
    The interface or gateway expands to show the tunnel statistics.
  6. To see more information about a tunnel, select the tunnel.
    The tunnel statistics appear.

Available Branch Office VPN Statistical Details

For each of the branch office VPN tunnels and gateways, these statistics appear:

Local

The IP address at the local end of the tunnel.

Remote

The IP address at the remote end of the tunnel.

Sent

The number of bytes and packets sent out through the tunnel.

Received

The number of bytes and packets received through the tunnel.

Created

The date and time the tunnel was created.

Expires In

The number of days and hours or bandwidth (MB) that remain before the tunnel expires.

Security

The security protocol used to encrypt traffic through the tunnel.

Tunnel Name

The name assigned to the tunnel.

Gateways

The gateway endpoints used by this tunnel.

Number of Rekeys

The number of rekeys for the tunnel.

Login from

The IP address of the user computer.

Route To

Static and dynamic BOVPN virtual interface routes.

In Fireware v12.8.1 or higher, if you add a BOVPN virtual interface to your configuration, IPv6 is enabled by default. The IPv6 link-local route fe80::/64 automatically appears in the Route To list on this page. This route enables IPv6 routing capability on the BOVPN virtual interface and does not affect tunnel functionality.

Distance

The distance value specified for each route for a BOVPN virtual interface. Routes with lower distance values have higher priority. In Fireware v12.9 or higher, Distance replaces Metric.

For each gateway and interface, if there are problems with the configuration, a warning, error, or informational message appears. These messages can help you troubleshoot problems with your branch office VPN tunnel configuration.

Change a Branch Office VPN Tunnel Configuration

When you view the statistics for the VPN gateways or interfaces on your Firebox, you can change the configuration from the Branch Office VPN tab.

  1. To change the VPN configuration, adjacent to a BOVPN tunnel, click Edit.
    The Branch Office VPN page appears for the selected gateway or interface with the General Settings tab selected.
  2. Edit the settings for the VPN tunnel.

For more information about how to edit the tunnel settings, go to Configure Manual BOVPN Gateways.

Debug Branch Office VPN Tunnels

To see configuration and status information for a branch office VPN gateway and the associated branch office VPN tunnels, you can run the VPN Diagnostic Report.

To run the VPN Diagnostic Report, adjacent to a tunnel, click Debug.

For more information, go to Run VPN Statistical Reports.

Rekey Branch Office VPN Tunnels

The gateway endpoints of branch office VPN tunnels must generate and exchange new keys after either a set period of time elapses or an amount of traffic passes through the tunnel. To generate new keys before the current keys expire, you can rekey a branch office VPN tunnel, which forces the tunnel to expire immediately. You can rekey a single tunnel, all tunnels for a gateway, or all branch office VPN tunnels for your Firebox.

To rekey a branch office VPN tunnel:

  • To force a single branch office VPN tunnel to rekey, adjacent to the tunnel, click Rekey tunnel.
  • To force all branch office VPN tunnels for a gateway to rekey, adjacent to the gateway, click Rekey tunnels.
  • To force all branch office VPN tunnels to rekey, click Rekey All Tunnels.

For more information, go to Force a Branch Office VPN Tunnel Rekey.

Review and Remove Errors

The VPN diagnostic messages that appear for a tunnel indicate a problem with the tunnel route or the Phase 2 settings for the tunnel. Each message includes the tunnel name. If a message relates to a VPN gateway, the gateway endpoint number is also included in the message.

Errors

VPN diagnostic errors indicate the VPN failed because of a configuration or connectivity issue. A red Error message indicates a diagnostic error with a gateway or tunnel.

Warnings

VPN diagnostic warnings indicate that a VPN is down because of an abnormal condition, such as a dead peer detection (DPD) failure. An orange Warning status indicates that a gateway or tunnel has a diagnostic warning.

Informational

VPN informational messages provide status details about the tunnel or gateway. For example, if a tunnel is inactive, the Inactive status appears. If a tunnel is inactive, you can rekey the tunnel to force VPN negotiations to restart.

If an error, warning, or informational message appears for any of your gateways, interfaces, or tunnels, you can expand and review the message. You can also clear the Error and Warning messages from the display.

For more information about branch office VPN diagnostic messages, go to Use VPN Diagnostic Messages.

To review and remove a message:

  1. To expand and review the message, click the error, warning, or informational message.
  2. To remove an error or warning message, adjacent to the gateway or interface, click Clear Errors.
    The message is removed and the Clear Errors option disappears.

Related Topics

VPN Statistics

Monitor your Firebox with Fireware Web UI