    IPsec VPN Remote Monitoring?


      Hi all,

      I have a small dilemma and I'm looking for any help and/or suggestions: We have TestSiteA that has a tunnel to our corp site and another tunnel to TestSiteB.  The tunnel from TestSiteA to Corp seems to work fine; however, the tunnel from TestSiteA to TestSiteB tends to be sporadic, as in the tunnel shows it's active but is unable to send traffic unless you bounce the tunnel.  I need to know when that tunnel 'hangs' by simply pinging the end device at TestSiteB from TestSiteA, and if that ICMP times out, I get an alert.

      Our NPM is only installed at our corp site and there is only one server sitting at TestSiteA.  Can NPM do said ping idea, or do I need to install Orion NPM at TestSiteA?  A simple ping test from TestSiteA to TestSiteB to see if the tunnel hasn't hung seems like a simple thing that can be done, but right now my brain is swamped and I can't think of any other idea, and I would like to use the NPM since it's the only tool I am using (other than Kiwi CatTools and syslog).  Any idea and suggestion is welcome!

          Wow, that's a tough one because you are fighting against routing. I am assuming SiteB has a site to Corp as well; otherwise just a normal NPM node would work as it is ICMP.

          What if you put a loopback on SiteB and only advertise it, or static it, through the SiteA to SiteB connection?  Then when that connection drops, the loopback goes bye-bye.

            The only other suggestion I can think of is pretty dependent on your hardware at the sites.  If you happen to be using Cisco routers and not ASAs and you happen to be running the right version of IOS, you might be able to configure an IP SLA operation that pings site B from site A.  I've never used it, but I believe the free IP SLA Monitor tool will help you configure the operations and then export a UnDP that you can import into Orion to monitor that operation.  Again, depending on your hardware it might not be an option, but thought I'd bring it up just in case.

              Thanks for the input, all.  Unfortunately I don't have control of their 'CheckPoint' firewall at TestSiteB, only Corp (ASA5540) and TestSiteA (ASA5505).  Furthermore, TestSiteB won't allow us to ping any of their network gear, just their servers on their end, sourcing from one server at TestSiteA...

              Well, I guess for now I'll need to talk to our developer to write a script to do periodic pings from that one server at TestSiteA to another server at TestSiteB, and if it fails, it'll send an email to me to bounce the tunnel...  Bummer, NPM could do almost everything except make me a cup of coffee :)

              Thanks for all your help, and anyone is welcome to comment or add suggestions in case I missed something.