kstavrop
Cisco Employee

Troubleshooting Cisco Secure Access Tunnel Groups

To ensure the most resilient deployment of Cisco Secure Access, it is essential to maintain healthy network tunnel groups. This article explains how to interpret "Warning" or "Disconnected" tunnel group states, common causes for these statuses, and how to configure proactive alerts to maintain high availability.

Understanding Tunnel Group Status

Cisco Secure Access network tunnel groups are designed with a primary and secondary hub. For full redundancy, each hub requires both a primary and secondary tunnel to be established.

  • Warning Status: A tunnel group enters a "Warning" state when one or more of its tunnels is not established. Traffic continues to flow through the primary hub, but the deployment lacks full redundancy: during an outage all site traffic would be forced through a single path and may hit the per-tunnel bandwidth cap (1 Gbps per tunnel).
  • Disconnected Status: The more critical state: no tunnel is established on either hub, so connectivity for the site may be fully lost.

Common Causes for Tunnel Issues

If you have not intentionally left a secondary tunnel unconfigured, the following are the most common causes for connectivity issues:

  • NAT Translation: An upstream device applying NAT to the IPsec traffic on UDP 4500 can disrupt IKE negotiation, so the tunnel never comes up.
  • Configuration Mismatches: IKEv2 parameters or pre-shared keys may not match between the headend and your local device.
  • Incomplete Configuration: The secondary tunnel may have been planned in the dashboard but was not fully configured on the customer-side device.

How to Check Your Tunnel Status

You can view the real-time status of your tunnels in the Cisco Secure Access dashboard:

  1. Navigate to Connect → Network Connections → Network Tunnel Groups.
  2. Review the status for both Primary Hub and Secondary Hub.

For detailed guidance on interpreting these states, refer to the official documentation. For device-specific configuration guides, visit the Tunnel and Device Compatibility guide.

Proactive Monitoring with Alert Rules

We strongly recommend configuring Alert Rules to notify your team immediately if a hub goes down. You can manage these under Monitor → Management → Alert Rules.

We suggest the following baseline rules:

  • "Tunnel group disconnected — all regions": Set to High severity. This triggers when both primary and secondary hubs are down.
  • "Hub down — all regions": Set to Warning severity. This triggers when one hub has no active tunnels, indicating a loss of failover capacity.
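The following is an added example, not code from the article or from Cisco. It applies the status definitions above (a hub with both a primary and a secondary tunnel; "Warning" when any tunnel is down; "Disconnected" when neither hub has a tunnel) to a tunnel-state snapshot and reports which of the two baseline alert rules would fire, plus the worst-case capacity if one hub is lost, using the article's 1 Gbps per-tunnel figure. The snapshot format, tunnel group names and hub names are constructed for the example and are not the Secure Access dashboard or API schema; the dashboard and Alert Rules remain the supported way to check and alert on status.

```python
"""Classify Secure Access tunnel group health from a tunnel-state snapshot.

Added example; not the article's or Cisco's code. The JSON snapshot format
is an assumption constructed for illustration.
"""
from dataclasses import dataclass
import json

TUNNEL_CAP_GBPS = 1  # per-tunnel cap quoted in the article

# Constructed sample: three tunnel groups, each with a primary and a
# secondary hub, each hub with a primary and a secondary tunnel.
SAMPLE_SNAPSHOT = json.dumps({
    "tunnel_groups": [
        {"name": "branch-nyc", "hubs": [
            {"name": "Primary Hub",   "primary": "up",   "secondary": "up"},
            {"name": "Secondary Hub", "primary": "up",   "secondary": "down"}]},
        {"name": "branch-sfo", "hubs": [
            {"name": "Primary Hub",   "primary": "down", "secondary": "down"},
            {"name": "Secondary Hub", "primary": "up",   "secondary": "up"}]},
        {"name": "branch-ams", "hubs": [
            {"name": "Primary Hub",   "primary": "down", "secondary": "down"},
            {"name": "Secondary Hub", "primary": "down", "secondary": "down"}]},
    ]
})


@dataclass(frozen=True)
class Hub:
    name: str
    primary_up: bool
    secondary_up: bool

    @property
    def active_tunnels(self) -> int:
        return int(self.primary_up) + int(self.secondary_up)


def parse_hubs(group: dict) -> list[Hub]:
    return [Hub(h["name"], h["primary"] == "up", h["secondary"] == "up")
            for h in group["hubs"]]


def group_status(hubs: list[Hub]) -> str:
    """'Connected' when every tunnel is up, 'Warning' when any tunnel is down
    but at least one hub still carries traffic, 'Disconnected' when no hub
    has an established tunnel."""
    if all(h.active_tunnels == 0 for h in hubs):
        return "Disconnected"
    if any(h.active_tunnels < 2 for h in hubs):
        return "Warning"
    return "Connected"


def alerts_for(group_name: str, hubs: list[Hub]) -> list[tuple[str, str, str]]:
    """Map the state onto the article's two baseline rules as
    (rule, severity, subject). Both rules are reported when both hubs are
    down; the article does not say whether the platform suppresses one."""
    fired = []
    if all(h.active_tunnels == 0 for h in hubs):
        fired.append(("Tunnel group disconnected - all regions", "High", group_name))
    for h in hubs:
        if h.active_tunnels == 0:
            fired.append(("Hub down - all regions", "Warning", h.name))
    return fired


def failover_capacity_gbps(hubs: list[Hub]) -> int:
    """Worst case after losing any single hub: the tunnels still active on the
    remaining hubs, at 1 Gbps each. A healthy group keeps 2 Gbps; a group in
    Warning may be left with a single 1 Gbps path, or none at all."""
    if len(hubs) < 2:
        return 0
    return min(
        sum(o.active_tunnels for j, o in enumerate(hubs) if j != i) * TUNNEL_CAP_GBPS
        for i in range(len(hubs))
    )


def evaluate_snapshot(text: str) -> dict:
    """Return {group name: {status, alerts, failover_capacity_gbps}}."""
    result = {}
    for group in json.loads(text)["tunnel_groups"]:
        hubs = parse_hubs(group)
        result[group["name"]] = {
            "status": group_status(hubs),
            "alerts": alerts_for(group["name"], hubs),
            "failover_capacity_gbps": failover_capacity_gbps(hubs),
        }
    return result


if __name__ == "__main__":
    for name, info in evaluate_snapshot(SAMPLE_SNAPSHOT).items():
        print(name, info["status"], info["failover_capacity_gbps"], "Gbps", info["alerts"])
```

In the constructed sample, branch-nyc is in Warning with no alert firing but only 1 Gbps left if its primary hub fails, which is the "no redundancy" condition the article describes; branch-sfo trips the Hub down rule; branch-ams trips both rules.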

Best Practices:

  • Leave conditions open (no filter) to ensure all tunnel groups in your tenant are covered.
  • Use a distribution list for notifications to ensure ownership persists through team changes.
  • Alert Rules support webhook delivery if you prefer integration with tools like ServiceNow or PagerDuty.

For more information on setting up these alerts, see the Monitoring Documentation.

Getting Further Assistance

  • Technical Troubleshooting: If you are experiencing active connectivity issues or tunnels that will not initialize, please open a case with Cisco TAC for real-time diagnostic support.
  • Adoption & Best Practices: If you would like to schedule a 30-minute session to review your tunnel configuration or alert setup, please reach out to your Customer Success Manager.
  • Community Support: Engage with other users and find additional resources in the Secure Access Community.


Comments
Martin L
VIP

Thank you for sharing!
