10 Replies Latest reply on May 7, 2015 10:05 AM by David Eckert

    VPN Down with No Up after 5 minutes rule?

    byrona

      I have a rule in LEM that alerts me when a VPN tunnel goes down and I have a 2nd rule that tells me when the VPN tunnel comes back up.  I am curious how I might create a rule to only trigger if the Down event comes in and there isn't an Up event within 5 minutes of the Down event?

       

      Any suggestions here would be much appreciated, thanks!

        • Re: VPN Down with No Up after 5 minutes rule?
          byrona

          Somebody....?

          • Re: VPN Down with No Up after 5 minutes rule?
            qle

            I thought that would be the function of the Response Window. colby explained that pretty well in another thread.

            • Re: VPN Down with No Up after 5 minutes rule?
              nicole pauls

              To follow up a little, the tricky part of this will be that it has to be two different event types to trigger the rule. Check out the other thread for the basics, but basically you'll want:

               

              VPN Down EXISTS

              VPN Up NOT EXISTS

              VPN Down.Source?=VPN Up.Source? (some way to identify a unique tunnel that has gone down if you have more than one)

              Response window - 5 minutes

               

              The "Down" and "Up" exists/not exists need to be two different events. If they aren't, what I'd do would be to create a rule that infers another event type on the Down or Up event and use that as your exists or not exists (i.e. you can only "not exists" an event type, and having your exists and not exists be the same event type doesn't make sense).

                • Re: VPN Down with No Up after 5 minutes rule?
                  byrona

                  Currently I have one rule for VPN Down and one rule for VPN Up, regardless of the specific tunnel.  If I understand this correctly I will need a unique Down & Up event for each specific tunnel, is that correct?

                    • Re: VPN Down with No Up after 5 minutes rule?
                      nicole pauls

                      You need a unique up and down event by event type, then something to tie the events together per tunnel (e.g. SourceMachine needs to match).

                       

                      Basically we'll have one rule that describes the "down but not up in 5 minutes" and that rule will "remember" (or fire for) each tunnel as long as there's a field to compare.

                       

                      If you have sample events you're looking at, I could be a little more prescriptive

                        • Re: VPN Down with No Up after 5 minutes rule?
                          byrona

                          I sent you a PM with an example log; hopefully that will help!

                            • Re: VPN Down with No Up after 5 minutes rule?
                              nicole pauls

                              So, ideally you'd be able to do this:

                               

                              (tunnel down) EXISTS

                              and

                              (tunnel up) NOT EXISTS

                              (tunnel down).SourceMachine = (tunnel up).SourceMachine

                              Response Window: 5 minutes

                               

                              That would tell you if you got a tunnel down but not a tunnel up from the same source machine (the other end of your tunnel) within 5 minutes (so - your tunnel had been down for 5 minutes). If the tunnel names were in a field, you could use that, too, but it looks like they are buried in ExtraneousInfo.

                               

                              Looking at the sample, I'm guessing both your "up" and "down" events are IPSecTrafficAudit and the thing that differs between them is the EventInfo that includes "tunnel-up" vs. "tunnel-down". Here's where it gets sticky - there's no way (that we've exposed in the console anyway) to do a NOT EXISTS rule with two of the same event type.

                               

                              Ideally you'd be able to do:

                              IPSecTrafficAudit EXISTS and IPSecTrafficAudit NOT EXISTS

                              IPSecTrafficAudit.SourceMachine = IPSecTrafficAudit.SourceMachine

                              Response Window: 5 minutes

                              ...but even looking at it, that doesn't really make sense You'd need to be able to distinguish between the two IPSecTrafficAudits which isn't possible right now.

                               

                              So, enter, the inference rule (or incident) workaround.

                               

                              Rule 1:

                              IPSecTrafficAudit.EventInfo = "*tunnel-down*"

                              (if you need to restrict to only passing on info about certain tunnels, firewalls, or other criteria you could add that here)

                               

                              Action: Infer Alert (or Incident Alert)

                              Pick an event to infer - I'd probably go with either NetworkIncident if you want to do Incident, or PointToPointTrafficAudit if you want to do infer - this way you still have similar fields to work from

                              Make sure to fill out the fields

                               

                              Rule 2: I'll use PointToPointTrafficAudit (the alert I'm inferring from Rule 1) as my example

                              PointToPointTrafficAudit EXISTS

                              IPSecTrafficAudit NOT EXISTS

                              IPSecTrafficAudit.SourceMachine = PointToPointTrafficAudit.SourceMachine

                              IPSecTrafficAudit.EventInfo = "*tunnel-up*"

                              PointToPointTrafficAudit.EventInfo = "*tunnel-down*"

                              Response Window: 5 minutes

                              Action: probably an email notification

                               

                              All of that means:

                              • Look for PointToPointTrafficAudit events that contain "tunnel-down" in the EventInfo
                              • Also, look for IPSecTrafficAudit events that contain "tunnel-up" in the EventInfo
                              • If you do see both of those things within 5 minutes of each other from the same SourceMachine, we're good!
                              • If you only see the PointToPointTrafficAudit but do NOT see the IPSecTrafficAudit from the same SourceMachine, then do something (probably an email notification)

                               

                              If you're concerned about the tunnel going down-up-down within 5 minutes, you might also need to specify that their detection times need to be in sequence and the up event follows the down (e.g. IPSecTrafficAudit.DetectionTime > PointToPointTrafficAudit.DetectionTime) - response windows are sliding windows, so it will look for events that came both before AND after.

                               

                              I hope that's helpful... I didn't test this in my lab, but this is what I'd build.

                                • Re: VPN Down with No Up after 5 minutes rule?
                                  byrona

                                  Ok, so I am working through this and I am confused at Rule2

                                   

                                  1     Rule 2: I'll use PointToPointTrafficAudit (the alert I'm inferring from Rule 1) as my example

                                  2     PointToPointTrafficAudit EXISTS

                                  3     IPSecTrafficAudit NOT EXISTS

                                  4     IPSecTrafficAudit.SourceMachine = PointToPointTrafficAudit.SourceMachine

                                  5     IPSecTrafficAudit.EventInfo = "*tunnel-up*"

                                  6     PointToPointTrafficAudit.EventInfo = "*tunnel-down*"

                                  7     Response Window: 5 minutes

                                  8     Action: probably an email notification.

                                   

                                  On line 2 & 3 I assume you mean the following:

                                   

                                  exists - not exists.png

                                  If that is the case how could like 5 be possible if we already required that it not exist?  Also, since we are using a IPSecTrafficAudit to infer a PointToPointTrafficAudit then it would be definition exist would it not?

                                   

                                  Lastly, I don't see a way to do what you are suggesting in line 4.

                                   

                                  Thanks in advance, I really appreciate your help on this!

                                   

                                  -Byron

                                    • Re: VPN Down with No Up after 5 minutes rule?
                                      nicole pauls

                                      The criteria in the "not exists" are specifying the types of IPSecTrafficAudits that the rule "remembers" - basically you need to tell the rule how to cancel your other event out, otherwise ANY IPSecTrafficAudit will cancel your rule out which isn't what you want. It's not really linear, it's more like a "grouping" of information about that IPSecTrafficAudit that refines your rule criteria.

                                       

                                      Line 4 is similar - this tells the rule engine that in order for the IPSecTrafficAudit to cancel out your other event, it needs to match on the SourceMachine. Otherwise, you'll find ANY tunnel coming back up will cancel out ANY tunnel going down, which means you won't be able to track a specific tunnel.