4 Replies Latest reply on Feb 26, 2018 2:22 PM by hoppingubu

VPN Tunnel Monitoring

harrisa94 Oct 27, 2016 1:34 PM

I am trying to monitor VPN tunnels up/down status. Can anyone tell me the best way to do this with the Solarwinds Product? We are trying to avoid just pinging a server on the far side of the VPN tunnel as it is a third party device and we do not particularly care if their server is up and running, only that the tunnel is up. I already have the Universal Pollers for the Cisco ASA that tells us the number of active tunnels, current connections, and the number of sessions.

If using the cikeGlobalActiveTunnels OID is a good way to monitor active VPN's, how can I configure alerting if a critical VPN is no longer active? The issue here is that not all of the VPN sessions are critical nor are they up all the time, so how can I differentiate the critical VPNs that should be up 24/7 from the ones that are only used periodically throughout the day?

I am aware of using the IP SLA Monitor option to ping an IP on the other end as well. I am thinking that this may be my best bet, but I wanted to pose this question to the community just to be sure.

Thanks.

Re: VPN Tunnel Monitoring

havox May 26, 2017 8:08 AM (in response to harrisa94)

We were doing something similar with a VPN that we wanted to make sure that it was up all the time. We setup the UDP using the cikeTunRemoteValue OID (1.3.6.1.4.1.9.9.171.1.2.3.1.7) to grab the IP addresses on the far end of the tunnel. The MIB Value Type is Raw Value and the SNMP Get Type is GET TABLE. We only cared about a single IP so we set up alerting around that. This required help from Solarwinds support but we managed to get it going. See image for alert triggers.

Not sure if this fits your use case, but hopefully it helps a bit.

-Jon
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
Re: VPN Tunnel Monitoring

kboldizar Jan 29, 2018 3:05 PM (in response to harrisa94)

That's a tough one being that they aren't all supposed to be up all the time. I've done this for someone in the past that worked for their situation. Perhaps you can use this idea or build off of it?

One thing we did for setting up a VPN as a dependency was to monitor the public IP of the VPN endpoint and the internal private IP of that same device. We'd made everything that's behind the VPN dependent on the private IP, and the private IP dependent on the public IP. That allows you to determine whether it's an ISP issue or a VPN issue that interrupted the connection. If the public IP is still available, but not the private, then the VPN itself was having an issue. If the public IP went down, then the issue is more likely an ISP issue.

Maybe not 100% relevant but still an option for VPN monitoring.

-KatieB
Like Show 0 Likes(0)

Actions
Re: VPN Tunnel Monitoring

rschroeder Jan 29, 2018 3:19 PM (in response to harrisa94)

Have you tried using NPM 12.2's latest Cisco ASA VPN monitoring function? Once you're seeing VPN tunnels in it, try to filter out the times when the tunnels are expected to be down. Any VPN tunnels down outside of that range should be configured to send an alert.
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
- Re: VPN Tunnel Monitoring
  
  havox Feb 26, 2018 8:50 AM (in response to rschroeder)
  
  We just upgraded to 12.2 and the new function works very well. Thanks!
  
  Like Show 1 Likes(1)
  
  Actions
Re: VPN Tunnel Monitoring

hoppingubu Feb 26, 2018 2:22 PM (in response to harrisa94)

NPM 12.2's ASA VPN monitoring is great! I can select my favorites, but only 3. When you have a mesh, it might be good to see if more that 3 VPNs can be monitored from the summary page.
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions

Go to original post