vpn tu tlist

Description

Shows information about VPN tunnels.

Syntax for IPv4

vpn tu [-w] tlist

      {-h | -help}

      [clear]

      [start]

      [state]

      [stop]

      [<Sort Options>]

Syntax for IPv6

vpn6 tu [-w] tlist

      {-h | -help}

      [clear]

      [start]

      [state]

      [stop]

      [<Sort Options>]

      [<Output Options>]

Parameters

Parameter

Description

-w

Shows various warnings on the screen.

-h | -help

Shows the built-in usage.

clear

Clears the Tunnel List volume statistics.

start

Turns on the Tunnel List volume statistics.

state

Shows the current Tunnel List volume statistics state.

stop

Turns off the Tunnel List volume statistics.

<Sort Options>

The available sort options are:

  • -b

    Sorts the output by total (encrypted + decrypted) bytes.

  • -d

    Sorts the output by inbound (decrypted) bytes.

  • -e

    Sorts the output by outbound (encrypted) bytes.

  • -i

    Combines list rows for each CoreXL Firewall instance with accumulated traffic.

    The default order is descending by total bytes.

  • -m

    Sorts the output by MSPI values.

  • -n

    Sorts the output by VPN peer name.

  • -p <IP Address>

    Shows tunnels only for a VPN peer with the specified IP address.

  • -r

    Sorts the output in reverse order.

  • -s

    Sorts the output by SPI.

  • -t

    Combines list rows for each VPN peer with accumulated traffic.

    The default order is descending by total bytes.

  • -v

    Verbose mode, shows a header message for each option.

If you specify more than one sort option, you can:

  • Separate the options with spaces:

    ... -<option1> -<option2> -<option3>

    For example: -v -t -b -r

  • Write the options together:

    ... -<option1><option2><option3>

    For example: -vtbr

<Output Options>

The available output options are (you can specify more than one output option):

  • -a {on | off}

    Shows only accelerated tunnels ("-a on") or only non-accelerated tunnels ("-a off").

  • -c {ra_nat_t | ra_vm | ra_ssl | ra_l2tp | ra_strongSwan | ra_android | ra_ios}

    Shows only tunnels with the corresponding type:

    • ra_nat_t - NAT-T

    • ra_vm - Visitor Mode

    • ra_ssl - SSL

    • ra_l2tp - L2TP

    • ra_strongSwan - strongSwan

    • ra_android - Remote Access clients on Android

    • ra_ios - Remote Access clients on iOS

  • -w <Width of Column 1>,<Width of Column 2>,<Width of Column 3>

    Configures the width of the table columns.

    You must always enter 3 values. Example: -w 46,33,20

  • -y

    Shows only the peer summary, without the list of VPN tunnels.

  • -z

    Shows a summary for traffic handled by the IKE daemon "iked" instances.

Example for IPv4

+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.16.10.1 (c05ea6c62d82122c)    | MSA: ffffc90047aa08d8 | i: 3  ref:     1    |
| Client public IP: 10.20.4.12            |                       |                     |
| Authenticated at:    Aug 1 17:22:01     |                       |                     |
| Methods: SSL Tunnel 3DES MDS            |                       |                     |
| My TS:   0.0.0.0/0                      |                       |                     |
| Peer TS: 172.16.10.1                    |                       |                     |
| User: user_1                            |                       |                     |
| MSPI:   1c00001 (i:  3, p:  -)          |                       |                     |
| Tunnel created:        Aug 1 17:22      |  SSL                  |                     |
| Tunnel expiration:     Aug 1 17:31:58   |  Connected            |                     |
+-----------------------------------------+-----------------------+---------------------+
| Peer: 10.20.3.198 - SGW4                |  MSA: ffffc90047aa0ae |i: 9   ref: --57/60  |
| Methods: ESP Tunnel AES-128 SHA1        |                       |                     |
| My TS: 10.20.5.4/31                     |                       |                     |
| Peer TS:                                |                       |                     |
| MSPI:                                   |  No outbound SPI      |                     |
| Tunnel created:                         |  IPsec                |                     |
| Tunnel expiration:                      |  Disconnected         |                     |
+-----------------------------------------+-----------------------+---------------------+

(1) Site-to-Site tunnels are up:
IPSEC           1
NAT-T           0

(1) Number of Active Clients:
NAT-T           0
Visitor Mode    0
SSL             1
L2TP            0

The output of the "vpn tu tlist" command is a table with counters below it.

Each row of the table shows information for one VPN peer.

These fields can appear in the left column of the table:

Field in Left Column

Explanation

Peer: [IP ADDRESS]

IP address of the remote peer that communicates with the VPN Gateway through the VPN tunnel.

Client public IP

In a Remote Access VPN tunnel, shows the public IP address of the Remote Access client.

Authenticated at

Date and time when the VPN Gateway finished establishing the tunnel with a Remote Access VPN client.

Methods

Encryption methods configured for the VPN tunnel.

Examples:

  • tunnel type - SSL, ESP

  • encryption type - 3DES, AES-128

  • data integrity algorithm - MD5, SHA1

My TS

Traffic Selector - Subnets, sections of subnets, or a single IP address behind the VPN Gateway that can be destinations for traffic that passes through the VPN Tunnel.

Peer TS

Peer Traffic Selector:

  • In a Site to Site VPN tunnel, shows subnets, sections of subnets, or a single IP address behind the peer gateway that can be destinations for traffic that passes through the VPN tunnel.

  • In a Remote Access VPN tunnel, shows the IP address of a computer connected to Remote Access VPN.

User

In a Remote Access VPN tunnel, shows the username of the remote access user.

MSPI

Indicator   Value       Explanation

Hash        [STRING]    Unique indicator for the VPN tunnel to a Security Gateway.
                        If the VPN peer is a Cluster, each Cluster Member has its own hash.

i           [INTEGER]   The number of the firewall instance on which the VPN tunnel is opened.

p           -           The tunnel is not accelerated.
            [INTEGER]   The tunnel is accelerated. The number indicates the SecureXL instance that handles the tunnel.

d           [INTEGER]   The number of the IKE daemon "iked" instance that handles traffic in the VPN tunnel.

Tunnel created

If the VPN tunnel is connected, shows the date and time when the VPN tunnel was created.

If the VPN tunnel is disconnected, shows no value.

Tunnel expiration

If the VPN tunnel is connected, shows the date and time when the VPN tunnel will expire.

If the VPN tunnel is disconnected, shows no value.

These fields can appear in the middle column of the table:

Field in Middle Column

Explanation

MSA [HASH ID]

The unique hash ID of the Security Association.

IPsec

The VPN tunnel is of type IPsec.

SSL

The VPN tunnel is of type SSL.

No outbound SPI

There is no Security Parameter Index (SPI) for outbound traffic.

Connected

The VPN Gateway has encryption keys for the VPN tunnel.

Disconnected

The VPN Gateway does not have encryption keys for the VPN tunnel.

Eclipsed / Narrow

When the initiator of the negotiation requests Traffic Selectors (TS) that are wider than the one the responder is willing to accept, the responder replies with a narrower range. The final TS is set to the narrowed range.

  • If there is narrowing and the local Security Gateway is the initiator, you see the text: * * * Eclipsed * * *

  • If narrowing occurred and the local Security Gateway is the responder, you see the text: * * * Narrow * * *
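As an added illustration of the narrowing rule above (example code written for this page, not Check Point's): the final TS is the overlap of what the initiator requested and what the responder's policy accepts, and which marker tlist shows depends on the role the local gateway played. The code assumes both selectors are single prefixes or addresses; when there is no overlap at all, an IKEv2 responder rejects the Child SA with TS_UNACCEPTABLE (RFC 7296), which the code models as None.

```python
# Added example (not Check Point code): traffic-selector narrowing as the page
# describes it, for selectors that are single prefixes or single addresses.
import ipaddress


def narrow_ts(requested, accepted):
    """Narrowed TS: the overlap of the initiator's request and the responder's policy.

    Two prefixes either nest or are disjoint, so the overlap is the smaller one;
    None means no overlap (an IKEv2 responder answers TS_UNACCEPTABLE).
    """
    req = ipaddress.ip_network(requested, strict=False)
    acc = ipaddress.ip_network(accepted, strict=False)
    if req.version != acc.version:
        return None
    if req.subnet_of(acc):          # request already fits: nothing to narrow
        return req
    if acc.subnet_of(req):          # responder narrows to what it accepts
        return acc
    return None


def tlist_marker(requested, accepted, local_role):
    """Text the page says tlist shows when narrowing occurred, by the local role.

    local_role is "initiator" or "responder"; returns None when nothing was
    narrowed or no tunnel could be negotiated for this TS pair.
    """
    req = ipaddress.ip_network(requested, strict=False)
    final = narrow_ts(requested, accepted)
    if final is None or final == req:
        return None
    return "* * * Eclipsed * * *" if local_role == "initiator" else "* * * Narrow * * *"
```

The disjoint case is the one worth remembering when a tunnel shows Disconnected with no narrowing marker: a TS pair that does not overlap produces no Child SA at all rather than a narrowed one.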

These fields can appear in the right column of the table:

Field in Right Column   Value                    Explanation

i                       [INTEGER]                The number of the firewall instance on which the VPN tunnel is opened.

ref                     [INTEGER]                The number of connections that the firewall instance handles.

                        -- [INTEGER]/[INTEGER]   The tunnel is disconnected and there is a countdown until termination or re-establishment of the tunnel.
                                                 The integer before the slash is the number of seconds left in the countdown backwards to 0.
                                                 The integer after the slash is the total length of the countdown.

Example: "ref: -- 57/60" means the tunnel is disconnected. There are 57 seconds left in a 60-second countdown until tunnel termination or re-establishment.

These counters appear below "Site-to-Site tunnels are up":

Field

Explanation

IPsec

The number of Site to Site VPN tunnels of type IPsec connected to the VPN Gateway.

NAT-T

The number of Site to Site VPN tunnels of type NAT-T connected to the VPN Gateway.

These counters appear below "Number of Active Clients":

Field

Explanation

NAT-T

The number of Remote Access clients connected to the VPN Gateway in NAT Traversal (NAT-T) mode.

Visitor Mode

The number of Remote Access clients connected to the VPN Gateway in Visitor Mode.

SSL

The number of Remote Access clients connected to the VPN Gateway in SSL mode.

L2TP

The number of Remote Access clients connected to the VPN Gateway in L2TP mode.

strongSwan

The number of Remote Access clients connected to the VPN Gateway in strongSwan mode.
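To show how the table and counter layout described above can be consumed programmatically, here is an added example written for this page; it is not Check Point code, and the product offers no such parser itself. It assumes the command output was saved to a text file (for example "vpn tu tlist > tlist.txt" from the Expert shell) and embeds the page's own IPv4 example as its sample input, with only the truncated bottom border completed. It extracts the peer and the "Key: value" fields from the left column, the tunnel type and Connected/Disconnected state from the middle column, the "i" and "ref" values (including the "-- N/M" countdown) from the right column, and the two counter blocks, so that a monitoring job can report tunnels the gateway currently holds no keys for.

```python
# Added example for this page (not Check Point code): parse the table and the
# counters that "vpn tu tlist" prints, following the column layout the page
# describes, and flag tunnels whose middle column reads Disconnected.
import re

# The page's IPv4 example, embedded as sample input (bottom border completed).
SAMPLE_OUTPUT = """\
+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.16.10.1 (c05ea6c62d82122c)    | MSA: ffffc90047aa08d8 | i: 3  ref:     1    |
| Client public IP: 10.20.4.12            |                       |                     |
| Authenticated at:    Aug 1 17:22:01     |                       |                     |
| Methods: SSL Tunnel 3DES MDS            |                       |                     |
| My TS:   0.0.0.0/0                      |                       |                     |
| Peer TS: 172.16.10.1                    |                       |                     |
| User: user_1                            |                       |                     |
| MSPI:   1c00001 (i:  3, p:  -)          |                       |                     |
| Tunnel created:        Aug 1 17:22      |  SSL                  |                     |
| Tunnel expiration:     Aug 1 17:31:58   |  Connected            |                     |
+-----------------------------------------+-----------------------+---------------------+
| Peer: 10.20.3.198 - SGW4                |  MSA: ffffc90047aa0ae |i: 9   ref: --57/60  |
| Methods: ESP Tunnel AES-128 SHA1        |                       |                     |
| My TS: 10.20.5.4/31                     |                       |                     |
| Peer TS:                                |                       |                     |
| MSPI:                                   |  No outbound SPI      |                     |
| Tunnel created:                         |  IPsec                |                     |
| Tunnel expiration:                      |  Disconnected         |                     |
+-----------------------------------------+-----------------------+---------------------+

(1) Site-to-Site tunnels are up:
IPSEC           1
NAT-T           0

(1) Number of Active Clients:
NAT-T           0
Visitor Mode    0
SSL             1
L2TP            0
"""

# Right column, e.g. "i: 3  ref:     1" or "i: 9   ref: --57/60"
REF_RE = re.compile(r"i:\s*(\d+)\s+ref:\s*(?:--\s*(\d+)/(\d+)|(\d+))")
# Indicators inside the MSPI field, e.g. "(i:  3, p:  -)"; p is "-" when not accelerated
MSPI_RE = re.compile(r"\(i:\s*(\d+),\s*p:\s*([^)\s]+)\)")


def _row_to_record(cells):
    """Turn the three cell lists (left, middle, right) of one table row into a dict."""
    left, middle, right = cells
    rec = {"fields": {}, "type": None, "state": None, "flags": [], "msa": None,
           "instance": None, "ref": None, "countdown": None, "accelerated": None}
    for item in left:                                   # "Key: value" lines
        key, _, value = item.partition(":")
        rec["fields"][key.strip()] = value.strip()
    peer = rec["fields"].get("Peer", "")
    rec["peer"] = peer.split()[0] if peer else None     # address before "(hash)" or "- name"
    m = MSPI_RE.search(rec["fields"].get("MSPI", ""))
    if m:
        rec["accelerated"] = m.group(2) != "-"
    for item in middle:
        if item.startswith("MSA:"):
            rec["msa"] = item.split(":", 1)[1].strip()
        elif item in ("IPsec", "SSL"):
            rec["type"] = item
        elif item in ("Connected", "Disconnected"):
            rec["state"] = item
        else:                                           # "No outbound SPI", "* * * Narrow * * *", ...
            rec["flags"].append(item.strip("* "))
    m = REF_RE.search(" ".join(right))
    if m:
        rec["instance"] = int(m.group(1))
        if m.group(4):
            rec["ref"] = int(m.group(4))
        else:                                           # disconnected: (seconds left, total)
            rec["countdown"] = (int(m.group(2)), int(m.group(3)))
    return rec


def parse_tlist(text):
    """Return (tunnels, counters): one dict per table row, counters keyed by heading."""
    tunnels, counters, cells = [], {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("+"):                        # border line: row boundary
            if cells and any(cells):
                tunnels.append(_row_to_record(cells))
            cells = [[], [], []]
        elif line.startswith("|") and cells is not None:
            for col, value in zip(cells, line.strip("|").split("|")):
                if value.strip():
                    col.append(value.strip())
        elif line.startswith("(") and line.endswith(":"):   # e.g. "(1) Number of Active Clients:"
            heading = line.split(")", 1)[1].strip().rstrip(":")
            block = {}
            for item in lines:                          # counter lines up to the next blank line
                if not item.strip():
                    break
                name, count = item.strip().rsplit(None, 1)
                block[name] = int(count)
            counters[heading] = block
    return tunnels, counters


def disconnected_tunnels(tunnels):
    """(peer, (seconds_left, total)) for every row whose middle column says Disconnected."""
    return [(t["peer"], t["countdown"]) for t in tunnels if t["state"] == "Disconnected"]
```

Usage: tunnels, counters = parse_tlist(open("tlist.txt").read()); disconnected_tunnels(tunnels) then yields [("10.20.3.198", (57, 60))] for the sample, which is the peer whose tunnel has no keys and 57 seconds left of its 60-second countdown. The parser keys on the border and pipe characters rather than on fixed column widths, so output produced with the -w width option still parses.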