Fix Your VPN Tunnel Vision

Level 12

Virtual Private Networks (VPNs) provide secure connections across the open internet. With an authenticated, encrypted tunnel that is available and fast, end users can work from anywhere as if they were sitting within a millisecond's ping of the server room. Remote branch offices are connected, cloud resources are securely reachable, and all is well. That is, if the VPN tunnel works as it should.

Colleagues not talking to each other? Could be a grudge, could be trouble joining the call because “that VPN tunneling thingy keeps timing out.” No traffic from the remote office? Could be just lunch break, could be that the site-to-site VPN tunnel is down. What if it really is the network this time?

Setting up a trusted tunnel between two endpoints is a multi-step process, which also means that troubleshooting it requires understanding each of those steps. See these handy VPN tunnel troubleshooting flowcharts for LAN-to-LAN and Remote Access VPNs for examples of a systematic approach to figuring out why the remote connection is failing.

In short, the tunnel comes up in this order, and each step is a place it can fail:

  • Interesting traffic (a packet matching the crypto access list, or a remote-access client connecting) triggers IKE negotiation with the peer.
  • “Phase 1” (IKEv1 main or aggressive mode) authenticates the two peers and derives shared keying material through a Diffie-Hellman exchange, producing the IKE security association that protects the rest of the negotiation. Troubleshooting this phase usually comes down to peer reachability and addressing, a mismatched IKE policy (encryption, hash, DH group, lifetime), or a mismatched pre-shared key or certificate.
  • In “Phase 2” (quick mode), the peers negotiate the IPsec security associations inside that protected channel: the transform set (ESP cipher and integrity algorithm), the proxy identities taken from the crypto access lists, lifetimes, and optionally PFS. On a Cisco ASA these parameters are tied together by the crypto map; a mismatch on either side leaves Phase 1 up but no IPsec SA.
  • Data transfer then flows through the IPsec SAs: encrypted, authenticated, and secure. (IKEv2 follows the same shape, with IKE_SA_INIT/IKE_AUTH in place of Phase 1 and CHILD_SA exchanges in place of Phase 2.)
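The same "which phase completed last" question can be answered from the ASA's own CLI output. The following is an added example, not part of the original post and not SolarWinds or Cisco code: it parses constructed sample text modelled on the layout of `show crypto ikev1 sa` and `show crypto ipsec sa` (peer addresses from RFC 5737 documentation ranges) and classifies each site-to-site peer as no IKE SA, Phase 1 incomplete, Phase 2 missing, idle, one-way, or up. The MM_WAIT_* hints are common troubleshooting heuristics, not an authoritative mapping, and real output varies by ASA version.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real device), laid out like
# 'show crypto ikev1 sa': one peer with Phase 1 complete, one stuck mid-exchange.
SAMPLE_IKEV1_SA = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.9
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
"""

# Constructed sample laid out like 'show crypto ipsec sa': SAs exist for
# 203.0.113.2 but only outbound packets are counted (a return-path problem).
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1

      access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2

      #pkts encaps: 1534, #pkts encrypt: 1534, #pkts digest: 1534
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Heuristic hints for an IKEv1 main-mode SA stuck in a MM_WAIT_* state
# (assumed common causes; confirm with 'debug crypto ikev1' on both sides).
PHASE1_HINTS = {
    "MM_WAIT_MSG2": "no reply to the first proposal: peer unreachable, wrong peer "
                    "address, IKEv1 not enabled on the interface, or no matching IKE policy",
    "MM_WAIT_MSG4": "proposal accepted but key exchange not answered: check the DH "
                    "group and that UDP/500 is not filtered in one direction",
    "MM_WAIT_MSG5": "responder cannot process the initiator's authentication: "
                    "pre-shared key probably differs on the two sides",
    "MM_WAIT_MSG6": "initiator's authentication was not answered: pre-shared key "
                    "or identity mismatch is the usual cause",
}


@dataclass
class Diagnosis:
    status: str   # NO_IKE_SA, PHASE1_INCOMPLETE, PHASE2_MISSING, IDLE, ONE_WAY, UP
    detail: str


def parse_ikev1_states(output: str) -> dict[str, str]:
    """Map IKE peer address -> State from 'show crypto ikev1 sa' text."""
    pattern = re.compile(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", re.S)
    return {peer: state for peer, state in pattern.findall(output)}


def parse_ipsec_counters(output: str) -> dict[str, tuple[int, int]]:
    """Map current_peer -> (encaps, decaps), summed over every SA block for that peer."""
    pattern = re.compile(
        r"current_peer:\s*(\S+).*?#pkts encaps:\s*(\d+).*?#pkts decaps:\s*(\d+)", re.S)
    totals: dict[str, tuple[int, int]] = {}
    for peer, enc, dec in pattern.findall(output):
        e, d = totals.get(peer, (0, 0))
        totals[peer] = (e + int(enc), d + int(dec))
    return totals


def diagnose_peer(ikev1_output: str, ipsec_output: str, peer: str) -> Diagnosis:
    """Report the last phase that completed for one site-to-site peer."""
    state = parse_ikev1_states(ikev1_output).get(peer)
    if state is None:
        return Diagnosis("NO_IKE_SA", "no IKE SA: nothing has triggered negotiation; "
                         "check interesting traffic, the crypto map, and the peer address")
    if not state.endswith("_ACTIVE"):
        hint = PHASE1_HINTS.get(state, "Phase 1 did not complete")
        return Diagnosis("PHASE1_INCOMPLETE", f"IKE state {state}: {hint}")
    counters = parse_ipsec_counters(ipsec_output).get(peer)
    if counters is None:
        return Diagnosis("PHASE2_MISSING", "Phase 1 is up but no IPsec SA exists: check the "
                         "transform set, PFS, and that the crypto ACLs mirror each other")
    encaps, decaps = counters
    if encaps == 0 and decaps == 0:
        return Diagnosis("IDLE", "SAs exist but have carried no traffic yet")
    if encaps == 0 or decaps == 0:
        direction = "sending but not receiving" if decaps == 0 else "receiving but not sending"
        return Diagnosis("ONE_WAY", f"{direction} ({encaps} out / {decaps} in): "
                         "check routing, NAT exemption, and ACLs on the silent side")
    return Diagnosis("UP", f"tunnel passing traffic ({encaps} out / {decaps} in)")


if __name__ == "__main__":
    for p in ("203.0.113.2", "203.0.113.9", "203.0.113.77"):
        d = diagnose_peer(SAMPLE_IKEV1_SA, SAMPLE_IPSEC_SA, p)
        print(f"{p}: {d.status}: {d.detail}")
```

Run it twice a minute apart and compare the counters: an SA whose encaps climb while decaps stay flat is the classic "tunnel is up but nobody can talk" case, which a simple up/down indicator will never show you.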

When the VPN connection fails and it’s troubleshooting time, you want visibility into your VPN environment. We’ve come up with Network Insight for Cisco® ASA to help you with just that. One of the most popular security devices on the market meets the worldwide leader in network management software. Sounds promising, right?

In SolarWinds® Network Performance Monitor 12.2, your monitored ASA devices now show additional information beyond SNMP statistics.

Site-to-Site VPN shows you whether the tunnel is up, down, or inactive. See traffic ingress and egress, duration of the VPN tunnel uptime, encryption, and hashing info. If the tunnel is down, information about the last phase completed successfully is available. Search, filter, and favorite tunnels to quickly access them in the Node Details view. You can also select specific errors from Phase 1 or Phase 2 to be ignored.

[Image: 05_site2site.png, Site-to-Site VPN subview]

The Remote Access VPN subview presents a list of remote access tunnels, with the username and tunnel duration details, as well as the amount of data downloaded and uploaded. For failed connections, you’ll see the time and reason why the connection was ended, IP address, and client used. As always, you can use tools to search and filter the sessions.

[Image: 06_remote.png, Remote Access VPN subview]

Several predefined reports and alerts are available to keep your finger on the VPN’s pulse. Tunnel down? You’ll know first. Reaching a threshold? Won’t catch you by surprise. And of course, you can customize your own advanced reports and alerts.

You can learn more about Network Insight for Cisco ASA or try it for yourself in the fully featured 30-day trial.

22 Comments
Level 10

Do these views exist for devices OTHER than the CISCO stuff?

We have Fortinet gear and this data would be amazingly valuable for us

Level 11

Yeah, could use this feature for other security devices like Palo Alto, Fortigate, F5, etc.

Level 7

will be pushing this for our remote sites.

This is a sweet value-add for just keeping a support contract up to date. Being able to have all the ASA Insight benefits "for free" by just upgrading to NPM 12.2 is a no-brainer. I only have 80 ASAs, but I've already improved their security and performance through the Net Insight visibility provided by the new version of Network Performance Monitor.

MVP
MVP

Great stuff. I'm going to have to dig into the OIDs on my devices and see how much of this I can duplicate.

Hate to play devil's advocate, but this set of features does not work for every model of ASA. I'm working closely with support and Chris to get it sorted, but just an FYI in case you're running the 5512-X, 5516-X, or ASASM.

Sadness!

Somehow we managed to inadvertently skip those models, and Net Insight for ASAs is working on all our models:

  • 5555-X
  • 5545-X
  • 5525-X
  • 5520
  • 5506-X
  • 5505

I have a 5512-X on the shelf that got pulled back in from a site that was retired; I doubt I'll deploy it anywhere else, given the price point and the functionality of the 5506-X.

It's just too bad that the 5506-X can't do proper VLANs and PoE like the 5505 could. And that it's 50% more expensive than the 5505. Cisco really dropped the ball there!

Level 9

I'm actually having issues with tunnels reporting inactive, or platform health showing incorrect temp/power, etc. In the documentation, 8.2 is the minimum for functionality, and I'm definitely above that. I did notice that on anything above 9.3, ASA Insight pollers report correctly. What is the true minimum IOS version?

Interesting observation, but I've got an ASA on 9.4 and another on 9.6 and they both have issues with site-to-site data.

Level 14

I understand this post is about Site-to-Site issues, but I'm also struggling with Remote VPN sessions. I have double and triple entries.

D

I am working very closely with support, development, and the product managers to get this solved. There are a handful of open issues for ASA Insight at the moment, I am optimistic that we will have them solved soon

Level 14

With the few "regulars" I saw on this thread, I had no doubt one of you was working with dev. And as proud as SolarWinds is (rightfully so) with the NetworkInsight, I ran on the assumption they were working on it quite diligently.

Many thanks for the information and confirmation.

D

Level 11

Happened to find this while searching for an answer to why I have a site-to-site VPN showing down in SolarWinds, but the tunnel is actually up and operational. I have other tunnels that are showing the correct information. The ASA is running 9.8(2). I am going to upgrade to 9.9(2) since Cisco made some changes.

Keep your eyes peeled for NPM 12.3 Lots of bugfixes coming!

Level 7

Can you let me know if you resolved the VPN issue, as we have the same problem and 12.2 hotfix 3 failed to resolve it.

The standby VPN is showing down but snmpwalker is confirming the VPN is up; we have a case open with support.

What model ASA are you running? The 12.3 RC fixed all the site-to-site polling issues for my 5512-X, 5508-X, and 5516-Xs.

Level 7

I have ASA 5515-X and 5555-X firewalls.

Glad to hear the 12.3 RC has resolved it!

We are waiting for the GA release, but no dates as yet.

Soon!

Level 7

Just to let you know, the upgrade to 12.3 did resolve the VPN issue.

However, the syslogging stopped working :0((

I would recommend opening a support case for the syslogging issue, there may be a quick fix that they can help you with

Level 8

Hello everyone, I was just curious what adding CLI credentials would add to benefit the monitoring of VPN tunnels? Not sure if I like the idea of adding CLI credentials and wondering what the benefits of doing so are. Thanks in advance.

Level 11

I am in total agreement on this. There is an enhancement request here

Vote on it if you haven't already.