Link Search Menu Expand Document

Tunnels Tab

Configuration > Networking > Tunnels > Tunnels

Use this tab to view, edit, add, or delete tunnels. Separate tables are provided for Overlay, Underlay, and Passthrough tunnels.

If you have deployed an SD-WAN network, Business Intent Overlays (BIOs) govern tunnel creation and properties. Overlay tunnels consist of bonded underlay tunnels.

Status: You can also filter by the following statuses: All, Up, or Down.

Add a Tunnel

Complete the following fields to add a tunnel to an overlay or passthrough tunnel.

Field Description
Appliance Name of the selected appliance.
Segment Name of the segment, if enabled.
Overlay Tunnel Designated overlay tunnel.
Overlay Tunnels are applied to this designated overlay.
Admin Status Indicates whether the tunnel has been set to admin Up or Down.
Status Indications are as follows:

Down – The tunnel is down. This can be because the tunnel administrative setting is down or the tunnel cannot communicate with the appliance at the other end. Possible causes are:

Lack of end-to-end connectivity / routability (test with iperf).

Intermediate firewall is dropping the packets (open the firewall).

Intermediate QoS policy (be packets are being starved. Change control packet DSCP marking).

Mismatched tunnel mode (udp / gre / ipsec / ipsec_udp).

IPSec is misconfigured: (1) enabled on one side (see show int tunnel configured), or mismatched pre-shared key.

Down - In progress – The tunnel is down. Meanwhile, the appliance is exchanging control information with the appliance at the other end, trying to bring up the tunnel.

Down - Misconfigured – The two appliances are configured with the same System ID (see show system).

Up - Active – The tunnel is up and active. Traffic destined for this tunnel will be forwarded to the remote appliance.

Up - Active - Idle – The tunnel is up and active, but it has not had recent activity in the past five minutes, and it has slowed the rate of issuing keep-alive packets.

Up - Reduced Functionality – The tunnel is up and active, but the two endpoint appliances are running mismatched software releases that give no performance benefit.

UNKNOWN – The tunnel status is unknown. This can be because the appliance is unable to retrieve the current tunnel status. Try again later.
MTU Maximum Transmission Unit. The largest possible unit of data that can be sent on a given physical medium. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically. It overrides the MTU setting.
Uptime How long since the tunnel has been up.
Underlay Tunnels Designated underlay tunnel.
Live View Live view of the status of your selected tunnel. You can view by bandwidth, loss, jitter, latency, MOS, chart, traceroute, inbound or outbound, and lock the scale.
Historical Charts A display of the historical charts for the selected appliance.


  1. Have you created and applied the Overlay to all the appliances on which you are expecting tunnels to be built?

    Verify this on the Apply Overlays tab.

  2. Are the appliances on which you are expecting the Overlays to be built using Release 8.0 or later?

    View the active software releases on Administration > Software > Upgrade > Software Versions.

  3. Do you have at least one WAN Label selected as a Primary port in the Overlay Policy?

    Verify this on the Business Intent Overlay tab in the WAN Links & Bonding Policy section.

  4. Are the same WAN labels selected in the Overlay assigned to the WAN interfaces on the appliances?

    Verify that at least one of the Primary Labels selected in the Business Intent Overlay is identical to a Label assigned on the appliance’s Deployment page. Tunnels are built between matching Labels on all appliances participating in the overlay.

  5. Do any two (or more) appliances have the same Site Name?

    We only assign the same Site Name if we do not want those appliances to connect directly. To view the list of Site Names, navigate to the Configuration > Networking > Tunnels > Tunnels tab, and then click Sites at the top.

Use Passthrough Tunnels

You would add a passthrough tunnel under the following circumstances:

  • For internet breakout to a trusted SaaS application, like Office 365

  • For service chaining to a cloud security service, like Zscaler or Symantec

    • This requires building secure and compatible third-party IPSec tunnels from EdgeConnect devices to non-EdgeConnect devices in the data center or cloud.

    • When you create the tunnel, the Service Name in the Business Intent Overlay’s Internet Traffic Policies must exactly match the Peer/Service specified in the Passthrough tunnel configuration.

    • To load balance, create two or more passthrough IPSec tunnels and, in the Business Intent Overlay, ensure that they all specify the same Service Name in the Internet Traffic Policies.

Back to top

© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.