Is there a way to monitor CATO IPSec degraded status

Question

Hello,We recently enhanced our resilience on CATO side by switching from a single IPSec peering tunnel to a dual active/passive IPSec tunnel, enabling automatic failover in case of POP incident.However, monitoring via the basic API request does not return a “Degraded” status; it only returns ‘Connected’ or “Disconnected”. The API request uses the Account Snapshot one.Investigating deeper in the CATO API, it doesn't seem possible to get the “Degraded” status for IPSec connectivity.Is this a limitation of the API?Is an update to the API on CATO’s roadmap to monitor this status ?&nbsp;Looking forward to your response.Corentin

robertg · Answer

Hi Corentin,
I just checked and the degraded status is able to be queried via the accountSnapshot in my lab, I setup an IPsec site and was able to get this working.
But it is dependant on a new feature which is A/A tunnels this is currently in gradual rollout, in short when this feature is activated on your account you will have this degraded status available.
"isDegraded": true,
"degradedDetails": [
{
"reason": "IPSEC_MULTI_TUNNEL_TUNNEL_DISCONNECTED",
"argsDegradedDetail": {
"__typename": "DegradedStatusMultiTunnelArgs",
"deviceName": "secondary",
"tunnelID": "SECONDARY1",
"tunnelName": "SECONDARY1",
"lastConnectedDate": "2026-05-01T08:39:38Z"I hope this helps,
Rob

Forum Discussion

Is there a way to monitor CATO IPSec degraded status

1 Reply

Recent Discussions

Is there a way to monitor CATO IPSec degraded status

I could use some help with a Powershell script for the events feed.

Terraform: IPsec site creation with Responder-only and destination type FQDN possible?

Cato Connect Event: DevOps/API Live - May 2026

Mismatch in User Count: Cato Report vs GraphQL API Output