11 years ago
VPN monitoring
We monitor Watchguard and Cisco firewalls. One of the things that we need to know is if a VPN drops. There are lots of graphs for VPN tunnel traffic etc, however there is no out of the box, easy wa...
I monitor a lot of VPN tunnels as well. I find there is not a lot of point in monitoring a VPN router/firewall as it may be able to tell you if it's up, but not the quality of the link (e.g. packet loss). You really need to ping something at the other end to tell if the VPN is up and reliable. There are a couple of options:
1: get a Cisco device and configure IP SLAs to ping the other end. SLAs give all sorts of information on the quality of the link (jitter, latency etc). LM discovers and monitors SLAs.
2: again ping something at the other end of the VPN (say a printer) and alert when this is down.
But I don't like this for the following reasons: it implies the printer is down when in fact it's the VPN. It is also a waste of monitor licenses. If I want LM to monitor 1 firewall that terminates 20 VPNs I have to pay for 20 licenses. And if you group your monitors accordingly you end up having your network people monitoring printers. The logic should be that the ability to ping the printer and get the RTT, packet loss is not a function of the printer, but of the VPN, and the VPN is a function of the router/firewall. So what LogicMonitor needs to be able to do (and something that Intellipool Kaseya does already) is on the firewall/router object provide the ability to list some alternative IP addresses. It would then be the job of the collector to ping each of those IPs, and if they fail or drop packets, put that firewall/router device into alert.
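The check described in the reply above (probe far-end IPs and raise the alert against the firewall that terminates the tunnel) can be sketched as follows. This is an added example, not part of the original posts and not LogicMonitor code; the firewall name, probe addresses, thresholds and sample ping output are constructed, and the parser assumes Linux iputils `ping` summary text.

```python
import re
import subprocess

# Hypothetical mapping: firewall -> far-end probe IPs, one per VPN tunnel (constructed).
TUNNEL_PROBES = {"fw-hq": ["10.20.0.10", "10.30.0.10"]}

LOSS_RE = re.compile(r"(\d+(?:\.\d+)?)% packet loss")
RTT_RE = re.compile(r"= [\d.]+/([\d.]+)/")  # "min/avg/max/mdev = a/b/c/d": capture avg

def parse_ping(output):
    """Return (loss_percent, avg_rtt_ms or None) from ping summary text."""
    loss = LOSS_RE.search(output)
    rtt = RTT_RE.search(output)
    if loss is None:
        return 100.0, None  # no summary at all: treat the tunnel as down
    return float(loss.group(1)), float(rtt.group(1)) if rtt else None

def tunnel_state(output, max_loss=5.0, max_rtt_ms=250.0):
    """Classify one tunnel as ok / degraded / down (thresholds are assumptions)."""
    loss, rtt = parse_ping(output)
    if loss >= 100.0 or rtt is None:
        return "down"
    if loss > max_loss or rtt > max_rtt_ms:
        return "degraded"
    return "ok"

def firewall_alerts(results):
    """{firewall: {probe_ip: ping_output}} -> {firewall: [(ip, state)]} for bad tunnels."""
    alerts = {}
    for fw, probes in results.items():
        states = [(ip, tunnel_state(out)) for ip, out in probes.items()]
        bad = [(ip, s) for ip, s in states if s != "ok"]
        if bad:
            alerts[fw] = bad  # alert lands on the firewall, not on the probed host
    return alerts

def run_ping(ip, count=5):
    """Run the system ping (Linux iputils flags) and return its stdout."""
    proc = subprocess.run(["ping", "-c", str(count), "-W", "2", ip], capture_output=True, text=True)
    return proc.stdout

def poll():
    return firewall_alerts({fw: {ip: run_ping(ip) for ip in ips} for fw, ips in TUNNEL_PROBES.items()})

# Constructed sample outputs for offline use.
SAMPLE_OK = "5 packets transmitted, 5 received, 0% packet loss, time 4005ms\nrtt min/avg/max/mdev = 20.1/22.4/25.0/1.2 ms\n"
SAMPLE_LOSSY = "5 packets transmitted, 3 received, 40% packet loss, time 4010ms\nrtt min/avg/max/mdev = 21.0/30.5/44.0/8.1 ms\n"
SAMPLE_DOWN = "5 packets transmitted, 0 received, 100% packet loss, time 4100ms\n"
```

Calling `poll()` from a scheduler gives one result per firewall, so a tunnel that is up but dropping packets shows as `degraded` on the device that owns it.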