4 Replies Latest reply on Feb 26, 2018 2:22 PM by hoppingubu

    VPN Tunnel Monitoring

    harrisa94

      I am trying to monitor VPN tunnels up/down status. Can anyone tell me the best way to do this with the Solarwinds Product? We are trying to avoid just pinging a server on the far side of the VPN tunnel as it is a third party device and we do not particularly care if their server is up and running, only that the tunnel is up. I already have the Universal Pollers for the Cisco ASA that tells us the number of active tunnels, current connections, and the number of sessions.

       

      If using the cikeGlobalActiveTunnels OID is a good way to monitor active VPNs, how can I configure alerting if a critical VPN is no longer active? The issue here is that not all of the VPN sessions are critical nor are they up all the time, so how can I differentiate the critical VPNs that should be up 24/7 from the ones that are only used periodically throughout the day?

       

      I am aware of using the IP SLA Monitor option to ping an IP on the other end as well. I am thinking that this may be my best bet, but I wanted to pose this question to the community just to be sure.

       

      Thanks. 

        • Re: VPN Tunnel Monitoring
          havox

          We were doing something similar with a VPN that we wanted to make sure that it was up all the time. We set up the UDP using the cikeTunRemoteValue OID (1.3.6.1.4.1.9.9.171.1.2.3.1.7) to grab the IP addresses on the far end of the tunnel. The MIB Value Type is Raw Value and the SNMP Get Type is GET TABLE. We only cared about a single IP so we set up alerting around that. This required help from Solarwinds support but we managed to get it going. See image for alert triggers.

           

          Screen Shot 2017-05-26 at 8.05.44 AM.png

           

          Not sure if this fits your use case, but hopefully it helps a bit.

           

          -Jon

          1 of 1 people found this helpful
          • Re: VPN Tunnel Monitoring
            kboldizar

            That's a tough one being that they aren't all supposed to be up all the time. I've done this for someone in the past that worked for their situation. Perhaps you can use this idea or build off of it?

             

            One thing we did for setting up a VPN as a dependency was to monitor the public IP of the VPN endpoint and the internal private IP of that same device. We'd made everything that's behind the VPN dependent on the private IP, and the private IP dependent on the public IP. That allows you to determine whether it's an ISP issue or a VPN issue that interrupted the connection. If the public IP is still available, but not the private, then the VPN itself was having an issue. If the public IP went down, then the issue is more likely an ISP issue.

             

            Maybe not 100% relevant but still an option for VPN monitoring.

             

            -KatieB

            • Re: VPN Tunnel Monitoring
              rschroeder

              Have you tried using NPM 12.2's latest Cisco ASA VPN monitoring function? Once you're seeing VPN tunnels in it, try to filter out the times when the tunnels are expected to be down. Any VPN tunnels down outside of that range should be configured to send an alert.

              1 of 1 people found this helpful
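Added example, not part of any reply in this thread and not SolarWinds code: the per-peer check havox describes on the cikeTunRemoteValue table, combined with the expected-up time windows rschroeder suggests, written in Python over `snmpwalk -On`-style output. The sample walk output, the peer addresses and the `EXPECTED` policy table are constructed for illustration.

```python
import re
from datetime import datetime, time

# cikeTunRemoteValue column OID, as quoted in the thread.
CIKE_TUN_REMOTE_VALUE = "1.3.6.1.4.1.9.9.171.1.2.3.1.7"

# Constructed sample of `snmpwalk -On` output (documentation IP ranges).
SAMPLE_WALK = '''\
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.4097 = STRING: "203.0.113.10"
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.8193 = STRING: "198.51.100.7"
.1.3.6.1.4.1.9.9.171.1.2.3.1.6.4097 = INTEGER: 1
'''

# Hypothetical policy: peer -> (start, end) window in which the tunnel must
# be up. None means the tunnel is critical around the clock.
EXPECTED = {
    "203.0.113.10": None,
    "192.0.2.44": None,
    "198.51.100.99": (time(8, 0), time(18, 0)),
}

ROW = re.compile(
    r'^\.?' + re.escape(CIKE_TUN_REMOTE_VALUE) + r'\.(\d+) = STRING: "([^"]*)"\s*$'
)

def active_peers(walk_text):
    """Return the remote peer identities present in the IKE tunnel table."""
    peers = set()
    for line in walk_text.splitlines():
        m = ROW.match(line.strip())
        if m:  # rows from other columns of the table are ignored
            peers.add(m.group(2))
    return peers

def in_window(window, now):
    """True if `now` (a datetime.time) falls inside the expected-up window."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window crosses midnight

def missing_tunnels(walk_text, expected, when):
    """Peers that should have a tunnel at `when` but are absent from the table."""
    up = active_peers(walk_text)
    return sorted(p for p, w in expected.items()
                  if p not in up and in_window(w, when.time()))

if __name__ == "__main__":
    for peer in missing_tunnels(SAMPLE_WALK, EXPECTED, datetime.now()):
        print(f"ALERT: no IKE tunnel to {peer}")
```

Because the check keys on the peer identity rather than the tunnel count, a periodic tunnel coming up cannot mask a critical one going down.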
              • Re: VPN Tunnel Monitoring
                hoppingubu

                NPM 12.2's ASA VPN monitoring is great! I can select my favorites, but only 3. When you have a mesh, it might be good to see if more than 3 VPNs can be monitored from the summary page.

                1 of 1 people found this helpful