Secure Access: Monitor Network Tunnel Groups and Tunnels
Once you set up the sites in the Catalyst SD-WAN device and attach an SD-WAN Configuration Group to the device, you can view and monitor the IPsec tunnels and Network Tunnel Groups using the Cisco Secure Access Network Tunnel Groups API.
The Catalyst SD-WAN device establishes IPsec tunnels for the configured sites. SASE Management connects the branch networks to the organization's private destinations and to the Internet securely.
For information about generating your access token for the Secure Access API, see SASE Authorization.
Get Details for a Network Tunnel Group
Get the status of the network tunnels in a Network Tunnel Group. View the statistics and details about the Secure Access hubs.
GET https://api.sse.cisco.com/deployments/v2/networktunnelgroups/{Network Tunnel Group ID}
Prerequisites
- A Cisco Secure Access API key with the
deploymentskey scope. - Network Tunnel Group ID: Get the ID of the Network Tunnel Group. Navigate to SD-WAN Manager and locate the list of Network Tunnel Groups. Choose a Network Tunnel Group from the list of Network Tunnel Groups. Get the unique identifier (ID) for the Network Tunnel Group created in the SD-WAN Manager.
- YourAccessToken: Set your Bearer token for Secure Access in the HTTP Authorization header.
Request
- Set your access token in the HTTP Authorization header of the Secure Access API request.
- Provide the ID of the network tunnel group in the API path.
curl -L --location-trusted --request GET \
--url 'https://api.sse.cisco.com/deployments/v2/networktunnelgroups/{Network Tunnel Group ID}' \
-H 'Authorization: Bearer {YourAccessToken}' \
-H 'Content-Type: application/json'
Response
{
"id": 638485663,
"organizationId": 8174213,
"name": "C8K-B753B89F-CA97-6B05-E0A5-353D79498E75",
"region": "us-west-2",
"deviceType": "Catalyst SDWAN",
"routing": {
"type": "nat",
"data": {}
},
"resourceAttributes": {
"tunnelType": "sdwan",
"vpnIdEnabled": true,
"sgtEnabled": true
},
"status": "connected",
"hubs": [
{
"id": 638485661,
"authId": "C8K-B753B89F-CA97-6B05-E0A5-353D79498E75-32heNzia8SEesFwaUOF@8174213-638485661-sse.cisco.com",
"isPrimary": false,
"datacenter": {
"name": "sse-usw-2-1-0",
"ip": "52.35.201.56",
"ipv6": "2603:5004:13:20c::110:1"
},
"status": {
"status": "UP",
"time": "2025-12-09T20:39:15Z"
},
"tunnelsCount": 1,
"createdAt": "2024-10-11T05:46:16Z",
"modifiedAt": "2025-05-21T03:36:14Z"
},
{
"id": 638485662,
"authId": "C8K-B753B89F-CA97-6B05-E0A5-353D79498E75-32heNzia8SEesFwaUOF@8174213-638485662-sse.cisco.com",
"isPrimary": true,
"datacenter": {
"name": "sse-usw-2-1-1",
"ip": "44.228.138.150",
"ipv6": "2603:5004:13:20e::110:1"
},
"status": {
"status": "UP",
"time": "2025-12-09T20:39:27Z"
},
"tunnelsCount": 1,
"createdAt": "2024-10-11T05:46:16Z",
"modifiedAt": "2025-05-21T03:36:14Z"
}
],
"createdAt": "2024-10-11T05:46:16Z",
"modifiedAt": "2025-12-09T18:29:04Z"
}
Get Details for Tunnels in a Network Tunnel Group
Get the state and details of all network tunnels (peers) in the network tunnel group.
Prerequisites
- Network Tunnel Group ID: Get the ID of the Network Tunnel Group. Navigate to SD-WAN Manager and locate the list of Network Tunnel Groups. Choose a Network Tunnel Group from the list of Network Tunnel Groups. Get the unique identifier (ID) for the Network Tunnel Group created in the SD-WAN Manager.
- YourAccessToken: Set your Bearer token for Secure Access in the HTTP Authorization header.
Request
curl -L --location-trusted --request GET \
--url 'https://api.sse.cisco.com/deployments/v2/networktunnelgroups/{Network Tunnel Group ID}/peers' \
-H 'Authorization: Bearer {YourAccessToken}' \
-H 'Content-Type: application/json'
Response
{
"data": [
{
"time": "2025-12-09T20:42:35Z",
"status": "UP",
"dc": "sse-usw-2-1-0",
"dcName": "PORTLAND-1",
"dcDesc": "PORTLAND-1",
"ikeState": "ESTABLISHED",
"ipsecState": "INSTALLED",
"hubId": 638485661,
"peerId": 131075,
"peerIp": "50.18.177.56",
"peerPort": "4500",
"localIp": "52.35.201.56",
"localPort": "4500",
"ike": {
"age": "693",
"dhGroup": "ECP-384",
"prfAlgo": "HMAC-SHA2-256",
"encAlgo": "AES-CBC-256",
"initiatorSpi": "3960889368895068734",
"responderSpi": "9043452746943789441"
},
"ipsec": {
"age": "693",
"encAlgo": "AES-GCM-256",
"encKeySize": "32",
"spiIn": "576453027",
"spiOut": "3228171273"
},
"data": {
"bytesIn": "5764",
"bytesOut": "6348",
"dropsIn": "0",
"dropsOut": "0",
"errorsIn": "0",
"errorsOut": "0",
"packetsIn": "55",
"packetsOut": "66"
},
"routingStats": {
"clientRouteStats": {
"isClipped": false,
"stats": []
},
"cloudRouteStats": {
"isClipped": true,
"stats": [
{
"cidr": "240.0.148.2/32",
"origin": "",
"priority": 65535
},
{
"cidr": "100.122.8.3/32",
"origin": "",
"priority": 65535
}
]
}
}
}
],
"offset": 0,
"limit": 10,
"total": 1
}