Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
724
Views
1
Helpful
5
Replies

Inactive vs unknown VPN tunnel status in FMC

Go to solution
Chess Norris
Level 4
Level 4

‎11-13-2025 01:03 AM

Hello,

A customer have more then 80 L2L VPN tunnels from their HQ to smaller remote offices. Primary the connections to those remote offices are via MPLS and the VPN tunnels are for backup purposes.

When looking in FMC, I can see that most of the tunnels have the status "inactive", which seams logic, but I also noticed that some of the tunnels have the status "unknown" and I'm not sure if this is because the tunnels never been up or if it's a missconfiguration issue?

It's difficult to test if the tunnel is working properly, because to test we need to shut down the MPLS interface on the router and if there is an issue with the backup VPN tunnel we will cut of the connection to this remote office.

Sa does anyone know exactly what unknown and inactive status means? VPN tunnels.png

Thanks

/Chess

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Chess Norris

‎11-13-2025 07:46 AM

Yes, if that is a backup tunnel, that is the only option to test when you get a maintenance window.

Alternatively, you can use a test device that maintains the tunnel connection at all times.

 

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-13-2025 01:14 AM

  • Inactive (Red or Grey/No Active Data): There are currently no active IPsec tunnels for the specified VPN configuration.

 

  • Unknown (Amber): The FMC has not yet received any tunnel establishment events or status updates from the device. This status often appears after initial deployment or when there is an issue with the FMC communicating with the managed FTD device to retrieve the status.

It depends on the version of code running; sometimes there may be bugs present, so check the version for any issues.

Also, check the command-level FTD to see if there is any traffic over those tunnels.

>show crypto ikev2 sa.
 If you'd like to check, you can also capture the packets.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Chess Norris
Level 4
Level 4
In response to balaji.bandi

‎11-13-2025 01:26 AM

Thanks you @balaji.bandi There is no ikev2 to neither the inactive or the unknown tunnels. 

Will the status be Inactive even if no traffic ever been sent over those tunnels? If that's is the case I guess there most be some missconfiguration. All routers on the remote sites are running the same IOS versions.

/Chess

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Chess Norris

‎11-13-2025 02:23 AM 

There is no ikev2 to neither the inactive or the unknown tunnels.

So this means tunnel not active, verify the config.

seems to be misconfiguration.

All routers on the remote sites are running the same IOS versions.

check how they are communicating the destination

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Chess Norris
Level 4
Level 4
In response to balaji.bandi

‎11-13-2025 06:21 AM

Yes, there are no tunnels active because they are only used as backups. I dont know if any or some of those tunnels ever been active, so at this moment I'm just trying to figure out why only some of them are inactive, but some are unknown. The IKE and IPSec parameters are the same on all those tunnels. It's only the peer address and PSK that are different. Even if the tunnels are not active, I suspect there must be some sort of communication between the peers, but maybe that is not enough for the FMC to determine the state?

If that's the case, I guess the only way to confirm if the tunnel is working or not, is to shutdown the MPLS interface on the routers and see if the tunnel comes up.

/Chess

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Chess Norris

‎11-13-2025 07:46 AM

Yes, if that is a backup tunnel, that is the only option to test when you get a maintenance window.

Alternatively, you can use a test device that maintains the tunnel connection at all times.

 

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Customers Also Viewed These Support Documents