Hello, I read a post by @Viacheslav (T3643 show vpn ipsec sa doesn't show tunnels in "down" state); I'm still seeing this exact issue on 1.5 built a few days ago. To recreate, just set up a base IPsec with a few tunnels:
set vpn ipsec site-to-site peer peer_xx_xx_101_57 authentication local-id 'XXXXXXXXXXX'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 authentication remote-id 'XXXXXXXXX'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 default-esp-group 'JVB_esp'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 ike-group 'JVB_ike'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 local-address '192.168.1.100'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 remote-address 'XXXXXXXXXXXXX'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 tunnel 1 local prefix '192.168.3.0/24'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 tunnel 1 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 tunnel 1 remote prefix '158.87.34.0/24'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 tunnel 2 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 tunnel 2 remote prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 tunnel 3 local prefix '192.168.2.0/24'
set vpn ipsec site-to-site peer peer_xx_xx_101_57 tunnel 3 remote prefix '10.0.0.0/8'
Check the status:
vyos@vyos# run show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out
peer_xx_xx_101_57-tunnel-1 up 30m58s 168B/168B 2/2
peer_xx_xx_101_57-tunnel-2 up 39m52s 49K/52K 602/654
peer_xx_xx_101_57-tunnel-3 up 28m29s 15K/16K 129/92
Now, disable one of the tunnels on the remote side:
set vpn ipsec site-to-site peer peer_xx_xx_xx_xx tunnel 3 disable
Check the status again:
vyos@vyos# run show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out
peer_xx_xx_101_57-tunnel-1 up 30m58s 168B/168B 2/2
peer_xx_xx_101_57-tunnel-2 up 39m52s 49K/52K 602/654
In /etc/swanctl/swanctl.conf, I see the 3 tunnels set up.
With sudo swanctl -l -P, only 2 tunnels are now seen; the 3rd is removed.
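A small check, added here and not part of the original post or of VyOS's own op-mode code, that does by script what the last two lines describe by hand: it lists the children configured in swanctl.conf, parses `swanctl -l` for child SAs, and reports every configured tunnel that has no SA as down instead of dropping it from the table. The swanctl.conf excerpt and the `swanctl -l` output below are constructed samples in the strongSwan format, not captured from the poster's system.

```python
import re

# Constructed swanctl.conf excerpt: three children (tunnels) configured.
SWANCTL_CONF = """\
connections {
    peer_xx_xx_101_57 {
        children {
            peer_xx_xx_101_57-tunnel-1 {
                remote_ts = 158.87.34.0/24
            }
            peer_xx_xx_101_57-tunnel-2 {
                remote_ts = 10.0.0.0/8
            }
            peer_xx_xx_101_57-tunnel-3 {
                remote_ts = 10.0.0.0/8
            }
        }
    }
}
"""
# Constructed `swanctl -l` output after the peer disabled tunnel 3.
SWANCTL_LIST_SAS = """\
peer_xx_xx_101_57: #1, ESTABLISHED, IKEv2, 0123456789abcdef_i 0123456789abcdef_r
  peer_xx_xx_101_57-tunnel-1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
  peer_xx_xx_101_57-tunnel-2: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
"""

def configured_children(conf_text):
    """Names of every child under connections/<peer>/children (brace nesting)."""
    names, stack = [], []
    for line in conf_text.splitlines():
        m = re.match(r"\s*([\w.-]+)\s*\{", line)
        if m:
            if stack[:1] == ["connections"] and stack[2:3] == ["children"]:
                names.append(m.group(1))
            stack.append(m.group(1))
        elif line.strip() == "}":
            stack.pop()
    return names

def child_sa_states(sa_text):
    """{child_name: strongSwan state} for the child SA lines of `swanctl -l`."""
    pat = re.compile(r"\s+([\w.-]+): #\d+, reqid \d+, (\w+)")
    return {m.group(1): m.group(2)
            for m in map(pat.match, sa_text.splitlines()) if m}

def tunnel_states(conf_text, sa_text):
    """One row per configured child; absent from the SA listing means 'down'."""
    states = child_sa_states(sa_text)
    return {n: "up" if states.get(n) == "INSTALLED" else states.get(n, "down").lower()
            for n in configured_children(conf_text)}
```

Calling `tunnel_states(SWANCTL_CONF, SWANCTL_LIST_SAS)` on the samples yields up/up/down for tunnels 1 to 3, which is the row the op-mode output above is missing.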