topic Re: S2S VPN State & Statistics per tunnel/peer? in Firewall and Security Management

S2S VPN State & Statistics per tunnel/peer?

Timothy_Hall — Thu, 27 Jul 2023 16:19:11 GMT

Does anyone know a way to pull current statistics from a particular Site to Site VPN tunnel for troubleshooting purposes? What I'm looking for is the equivalent of the Cisco show vpn-sessiondb command like this:

This command is useful for seeing if Tx/Rx counters are incrementing to confirm two-way communication for a VPN, and verify current rekey/lifetime timers. Usually I would just run a packet capture and look for the presence of IKE/IPSEC traffic but there has to be a better way. What I've tried:

1) cpstat -f all vpn - Dumps very detailed VPN statistics but they are global and no apparent way to focus on a particular tunnel.

2) vpn tu - Just shows SA states with no statistics

3) SmartView Monitor - Tunnels...Monitor Traffic of this tunnel. Shows the live tunnel state and also allows graphing of top sources/destinations/connections including statistics but no apparent way to do it for all traffic in the tunnel. I'd imagine this raw data can be acquired by the rtm driver via the rtm monitor command on the gateway, but there is practically no documentation for how to use it.

4) I suppose Accounting could be set on the rule matching traffic to/from the tunnel, but those stats would only be updated every 10 minutes.

Any other suggestions?

Re: S2S VPN State & Statistics per tunnel/peer?

the_rock — Thu, 27 Jul 2023 16:37:45 GMT

I believe Fortinet has similar. Lets see if its possible with CP, great inquiry.

Andy

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-Tunnel/ta-p/195672

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955

Re: S2S VPN State & Statistics per tunnel/peer?

the_rock — Thu, 27 Jul 2023 17:27:11 GMT

Does command like below give you anything more?

Andy

[Expert@quantum-firewall:0]# vpn tu tlist -p 4.205.75.119

(0) Site-to-Site tunnels are up:
IPsec 0
NAT-T 0

(0) Number of Active Clients:
NAT-T 0
Visitor Mode 0
SSL 0
L2TP 0
strongSwan 0

[Expert@quantum-firewall:0]#

Re: S2S VPN State & Statistics per tunnel/peer?

CheckPointerXL — Thu, 27 Jul 2023 21:35:02 GMT

vpn tu tlist start it will trigger statistic counters for every phase2

Then, You can monitor encrypted/decrypted kbytes data by vpn tu tlist

Re: S2S VPN State & Statistics per tunnel/peer?

the_rock — Thu, 27 Jul 2023 22:17:08 GMT

I dont believe thats good enough for Tim. I had that already on and did not give me anything close to what he showed from Cisco.

Andy

Re: S2S VPN State & Statistics per tunnel/peer?

Matlu — Tue, 11 Nov 2025 03:56:15 GMT

Hello, @Timothy_Hall
Is there currently a CLI command that displays the “statistics” of a VPN tunnel?
To get an idea of whether there are encrypted/decrypted packets through a particular tunnel?
Similarly, could you help me with the correct command syntax to “capture” real-time traffic from a VPN, as I have a scenario where I am unable to see traffic reaching my FW when the other end performs an ICMP test on me.
My LAN IP: 10.80.0.10
Peer LAN IP: 172.20.10.55
Traffic: ICMP
Can a FW MONITOR be applied in this scenario?
Thank you for your comments.

Re: S2S VPN State & Statistics per tunnel/peer?

Steffen_Appel — Tue, 11 Nov 2025 06:42:15 GMT

The closest I found is:

vpn tu tlist start

and then

vpn tu tlist -br