Monitor Branch Office VPNs
To monitor branch office VPNs, you can view this information on the VPN Statistics page:
- Branch office VPN (BOVPN) tunnels configured on your Firebox
- Statistics and informational messages for VPN tunnels, gateways, and TLS tunnels
You can also edit, debug, or rekey the tunnels on this page.
View Branch Office VPN Tunnel Statistics
To see statistics for your branch office VPN tunnels:
- Select System Status > VPN Statistics.
- Select the Branch Office VPN tab.
The traffic statistics for Branch Office VPN tunnels appear.
- From the drop-down list, select an option:
- Show All
- Virtual Interfaces
- Gateways
- TLS Tunnels
The available details for the selected option appear.
- To reduce the number of items that appear in the list, in the Search text box, type the text to filter on.
You can type a partial word to find all matching virtual interfaces and gateways in the list.
- To see more information about a virtual interface or a gateway, select the interface or gateway.
The interface or gateway expands to show the tunnel statistics.
- To see more information about a tunnel, select the tunnel.
The tunnel statistics appear.
Available Branch Office VPN Statistical Details
For each of the branch office VPN tunnels and gateways, these statistics appear:
Local
The IP address at the local end of the tunnel.
Remote
The IP address at the remote end of the tunnel.
Sent
The number of bytes and packets sent out through the tunnel.
Received
The number of bytes and packets received through the tunnel.
Created
The date and time the tunnel was created.
Expires In
The number of days and hours or bandwidth (MB) that remain before the tunnel expires.
Security
The security protocol used to encrypt traffic through the tunnel.
Tunnel Name
The name assigned to the tunnel.
Gateways
The gateway endpoints used by this tunnel.
Number of Rekeys
The number of rekeys for the tunnel.
Login from
The IP address of the user computer.
Route To
Static and dynamic BOVPN virtual interface routes.
In Fireware v12.8.1 or higher, if you add a BOVPN virtual interface to your configuration, IPv6 is enabled by default. The IPv6 link-local route fe80::/64 automatically appears in the Route To list on this page. This route enables IPv6 routing capability on the BOVPN virtual interface and does not affect tunnel functionality.
Distance
The distance value specified for each route for a BOVPN virtual interface. Routes with lower distance values have higher priority. In Fireware v12.9 or higher, Distance replaces Metric.
For each gateway and interface, if there are problems with the configuration, a warning, error, or informational message appears. These messages can help you troubleshoot problems with your branch office VPN tunnel configuration.
Change a Branch Office VPN Tunnel Configuration
When you view the statistics for the VPN gateways or interfaces on your Firebox, you can change the configuration from the Branch Office VPN tab.
- To change the VPN configuration, adjacent to a BOVPN tunnel, click Edit.
The Branch Office VPN page appears for the selected gateway or interface with the General Settings tab selected.
- Edit the settings for the VPN tunnel.
For more information about how to edit the tunnel settings, go to Configure Manual BOVPN Gateways.
Debug Branch Office VPN Tunnels
To see configuration and status information for a branch office VPN gateway and the associated branch office VPN tunnels, you can run the VPN Diagnostic Report.
To run the VPN Diagnostic Report, adjacent to a tunnel, click Debug.
For more information, go to Run VPN Statistical Reports.
Rekey Branch Office VPN Tunnels
The gateway endpoints of branch office VPN tunnels must generate and exchange new keys after either a set period of time has elapsed or a set amount of traffic has passed through the tunnel. To generate new keys before the current keys expire, you can rekey a branch office VPN tunnel, which forces the current keys to expire immediately. You can rekey a single tunnel, all tunnels for a gateway, or all branch office VPN tunnels on your Firebox.
To rekey a branch office VPN tunnel:
- To force a single branch office VPN tunnel to rekey, adjacent to the tunnel, click Rekey tunnel.
- To force all branch office VPN tunnels for a gateway to rekey, adjacent to the gateway, click Rekey tunnels.
- To force all branch office VPN tunnels to rekey, click Rekey All Tunnels.
For more information, go to Force a Branch Office VPN Tunnel Rekey.
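The statistics listed above (Sent, Received, Created, Expires In, Security, Number of Rekeys) and the rekey behavior described in this section are easier to act on when they are checked programmatically across many tunnels. The script below is an added example, not WatchGuard code and not something the Firebox runs: it never talks to the device, and assumes you have already copied the per-tunnel fields from the Branch Office VPN tab into TunnelStats records. The sample records, the alert thresholds, and the format of the Security string (algorithm names separated by slashes and dashes) are all constructed assumptions for the example. It flags tunnels that are inactive or one-way (the page's remedy is a rekey), tunnels close to either lifetime limit, tunnels that rekey so often they are probably flapping on dead peer detection, and tunnels whose Security field names a legacy algorithm.

```python
"""Triage branch office VPN tunnel statistics exported from the Branch Office
VPN tab.  Added example, not WatchGuard code: it never contacts a Firebox.
It assumes the fields shown on the tab have been copied into TunnelStats
records; everything under SAMPLE is constructed data for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are operational assumptions for the example; tune them per site.
EXPIRY_WARN_HOURS = 1.0       # warn when under an hour of the time lifetime remains
EXPIRY_WARN_MB = 100.0        # warn when under 100 MB of the traffic lifetime remains
REKEYS_PER_HOUR_WARN = 4.0    # sustained rekeying this fast usually means DPD flapping
LEGACY_ALGORITHMS = ("DES", "MD5", "SHA1")   # substring match on the Security field


@dataclass
class TunnelStats:
    name: str                            # Tunnel Name
    local: str                           # Local endpoint IP
    remote: str                          # Remote endpoint IP
    sent_bytes: int                      # Sent
    received_bytes: int                  # Received
    created: datetime                    # Created
    expires_in_hours: Optional[float]    # Expires In, time form (None if not shown)
    expires_in_mb: Optional[float]       # Expires In, traffic form (None if not shown)
    security: str                        # Security, e.g. "ESP/AES256-GCM" (format assumed)
    rekeys: int                          # Number of Rekeys


def triage(t: TunnelStats, now: datetime) -> list[str]:
    """Return a list of findings for one tunnel; an empty list means healthy."""
    findings: list[str] = []

    # Inactive or one-way: nothing has come back through the tunnel.
    if t.received_bytes == 0:
        if t.sent_bytes > 0:
            findings.append("one-way: traffic sent but nothing received; check the remote route or Phase 2 settings")
        else:
            findings.append("inactive: no traffic in either direction; rekey to restart negotiation")

    # Either lifetime counter can trigger the next rekey; flag whichever is close.
    if t.expires_in_hours is not None and t.expires_in_hours < EXPIRY_WARN_HOURS:
        findings.append(f"expires in {t.expires_in_hours:.1f} h")
    if t.expires_in_mb is not None and t.expires_in_mb < EXPIRY_WARN_MB:
        findings.append(f"expires after {t.expires_in_mb:.0f} MB more traffic")

    # Flapping: many rekeys relative to tunnel age points at DPD or a lifetime mismatch.
    age_hours = max((now - t.created).total_seconds() / 3600.0, 1.0 / 60.0)
    rate = t.rekeys / age_hours
    if rate > REKEYS_PER_HOUR_WARN:
        findings.append(f"{t.rekeys} rekeys in {age_hours:.1f} h ({rate:.1f}/h); check DPD and lifetime settings")

    # Weak crypto: legacy algorithm names in the Security field.
    weak = [a for a in LEGACY_ALGORITHMS if a in t.security.upper()]
    if weak:
        findings.append(f"legacy algorithm(s) {', '.join(weak)} in Security field {t.security!r}")

    return findings


def triage_all(tunnels: list[TunnelStats], now: datetime) -> dict[str, list[str]]:
    """Map each tunnel name to its findings."""
    return {t.name: triage(t, now) for t in tunnels}


# Constructed sample data (not real tunnels); NOW is fixed so results are reproducible.
NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE = [
    TunnelStats("HQ-to-Branch1", "203.0.113.1", "198.51.100.7", 5_000_000, 4_000_000,
                NOW - timedelta(hours=6), 2.0, None, "ESP/AES256-GCM", 1),
    TunnelStats("HQ-to-Branch2", "203.0.113.1", "198.51.100.9", 120_000, 0,
                NOW - timedelta(minutes=30), 0.5, None, "ESP/AES128-SHA256", 0),
    TunnelStats("HQ-to-Legacy", "203.0.113.1", "192.0.2.44", 0, 0,
                NOW - timedelta(hours=2), 7.5, 50.0, "ESP/3DES-SHA1", 12),
]

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE, NOW).items():
        status = "OK" if not findings else "CHECK"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run it after pasting the current values from the Branch Office VPN tab into SAMPLE; a tunnel that reports one-way traffic or inactive status is the one to rekey first, and a tunnel that rekeys several times an hour should be investigated for DPD or lifetime mismatches before the rekey count is trusted as a health signal.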
Review and Remove Errors
The VPN diagnostic messages that appear for a tunnel indicate a problem with the tunnel route, or the Phase 2 settings for the tunnel. Each message includes the tunnel name. If a message relates to a VPN gateway, the gateway endpoint number is also included in the message.
Errors
VPN diagnostic errors indicate the VPN failed because of a configuration or connectivity issue. A red Error message indicates a diagnostic error with a gateway or tunnel.
Warnings
VPN diagnostic warnings indicate that a VPN is down because of an abnormal condition, such as a dead peer detection (DPD) failure. An orange Warning status indicates that a gateway or tunnel has a diagnostic warning.
Informational
VPN informational messages provide status details about the tunnel or gateway. For example, if a tunnel is inactive, the Inactive status appears. If a tunnel is inactive, you can rekey the tunnel to force VPN negotiations to restart.
If an error, warning, or informational message appears for any of your gateways, interfaces, or tunnels, you can expand and review the message. You can also clear the Error and Warning messages from the display.
For more information about branch office VPN diagnostic messages, go to Use VPN Diagnostic Messages.
To review and remove a message:
- To expand and review the message, click the error, warning, or informational message.
- To remove an error or warning message, adjacent to the gateway or interface, click Clear Errors.
The message is removed and the Clear Errors option disappears.