After adding your network tunnels, your tunnels appear on the Umbrella Dashboard as "inactive".
Your network tunnels will only show as "active" if logging for the default Cloud-Delivered Firewall (CDFW)policy is enabled:
If logging is already enabled, run the following command on the router which the network tunnels are configured with:
show crypto ikev2 sa
Ensure that the source IP address is an internal IP address from the user's network as per RFC 1918. Check your configuration according to this guide: Network Tunnel Configuration. If the error continues, please create a ticket with the show crypto ikev2 sa command along with the CDFW logs to our Support Team for assistance.