2 years ago
VPN Tunnel Monitoring
We have several Cisco IPSec Aggregate Tunnels that we are monitoring on our ASA. The problem is, many of them have a 30 minute idle timeout. I don't really need (or want) an alert if a VPN tunnel...
Ok, several changes to get this to work. First to the collection script:
We added the following lines to the collection script. Ours on the left, repo version on the right. It looks in 1.3.6.1.4.1.9.9.147.1.2.1.1.1.2.7 to see if this is a secondary unit. In our case, this is why the tunnels are "down", because they are on a secondary unit. If this isn't the case for you, you'll have to find a different way of differentiating between them.
Then we added a datapoint to contain that isStandby output:
Then we modified the TunnelActiveTime_Seconds datapoint (ours on left, repo version on right):
The end result is that 1000000000 is added to the TunnelActiveTime_Seconds if the unit is a standby unit. This means that the uptime of the tunnel looks like 31 years. We understand that the tunnel hasn't been up for 31 years; besides, we only pay attention to the standby unit when it alerts, which it doesn't now because the uptime is nice and high.
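The adjustment described in this post, sketched in Python as an added example (it is not the poster's collection script or the repo version). The marker text used to recognise the secondary unit, the 300-second alert threshold, the function names and the sample poll values are assumptions.

```python
# Added illustration; names, threshold and sample values are assumptions.
STANDBY_OFFSET = 1_000_000_000  # value from the post, added on a standby unit
SECONDARY_OID = "1.3.6.1.4.1.9.9.147.1.2.1.1.1.2.7"  # OID named in the post
THIS_DEVICE_MARKER = "(this device)"  # assumed marker in the OID's string value
MIN_UPTIME_ALERT = 300  # hypothetical threshold: alert below this many seconds


def is_standby(snmp_values):
    """Return 1 if the polled unit reports itself as the secondary unit, else 0."""
    value = snmp_values.get(SECONDARY_OID, "")
    return 1 if THIS_DEVICE_MARKER in value.lower() else 0


def reported_active_time(raw_seconds, standby):
    """TunnelActiveTime_Seconds after the adjustment described in the post."""
    return raw_seconds + STANDBY_OFFSET * standby


def decode(reported):
    """Recover (real_seconds, was_standby) from a reported value for reports."""
    if reported >= STANDBY_OFFSET:
        return reported - STANDBY_OFFSET, True
    return reported, False


def evaluate(snmp_values, tunnels):
    """tunnels maps name -> raw active seconds; returns name -> (reported, alert)."""
    standby = is_standby(snmp_values)
    results = {}
    for name, raw in tunnels.items():
        reported = reported_active_time(raw, standby)
        results[name] = (reported, reported < MIN_UPTIME_ALERT)
    return results


# Constructed sample poll results, not captured from a real ASA.
ACTIVE_UNIT = {SECONDARY_OID: "Secondary unit"}
STANDBY_UNIT = {SECONDARY_OID: "Secondary unit (this device)"}
TUNNELS = {"peer-a": 0, "peer-b": 86_400}

if __name__ == "__main__":
    for label, unit in (("active", ACTIVE_UNIT), ("standby", STANDBY_UNIT)):
        for name, (reported, alert) in evaluate(unit, TUNNELS).items():
            real, _ = decode(reported)
            print(f"{label:8} {name}: reported={reported} real={real} alert={alert}")
```

Because the offset also hides a genuinely down tunnel on the standby unit, anything that consumes the datapoint for reporting should decode it first, as `decode` does here.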