topic Re: Identify VPN downtimes or re-establishments in General Topics

Identify VPN downtimes or re-establishments

TINTIN8 — Wed, 16 Apr 2025 23:55:57 GMT

Hi Gurus,

Is there any way to identify VPN disconnections/re-establishments looking at the log server logs?

Ex—we get logs like"Child SA exchange: Exchange failed: timeout reached," but we're not sure what the logs mean. Can we identify, looking at the logs, that the VPN tunnel went down "this" time and reconnected "this" time, etc.?

Our partners say your tunnel went down during a "time period," but we can't really check our logs and determine what happened to the VPN tunnel. Did it go down? What time did it re-establish?

Any help to clear this is highly appreciated.

Re: Identify VPN downtimes or re-establishments

the_rock — Thu, 17 Apr 2025 00:12:11 GMT

The best way I found to do this is look for "key install" in the logs.

Andy

Re: Identify VPN downtimes or re-establishments

TINTIN8 — Thu, 17 Apr 2025 00:18:49 GMT

Thanks @the_rock . However, this doesn't tell me what time the tunnel went down. I can see the Key install when the VPN gets re-established, but it still won't tell me what time it went down/disconnected, or was it in some kind of idle state.

Re: Identify VPN downtimes or re-establishments

the_rock — Thu, 17 Apr 2025 00:27:39 GMT

From my experience, whenever I would see those in the logs, it was sure sign tunnel was down or would get re-established.

I will double check in the lab tomorrow.

Andy

Re: Identify VPN downtimes or re-establishments

PhoneBoy — Thu, 17 Apr 2025 01:22:55 GMT

The only thing that generally can be found in logs is establishment (eg key install).

In R82, you can create monitoring objects that I presume will give you some indication when the VPN goes down.

Re: Identify VPN downtimes or re-establishments

TINTIN8 — Thu, 17 Apr 2025 03:35:46 GMT

thank you so much @the_rock !!!

Re: Identify VPN downtimes or re-establishments

the_rock — Thu, 17 Apr 2025 03:47:26 GMT

No problem.

Re: Identify VPN downtimes or re-establishments

Nüüül — Thu, 17 Apr 2025 06:06:32 GMT

Do you have some kind of monitoring over your firewall? there is an snmp oid for tunnel state - so you could use that.

oid 1.3.6.1.4.1.2620.500.9002 kind table

from snmp-mib (https://support.checkpoint.com/results/sk/sk90470) tunnelState OBJECT-TYPE SYNTAX INTEGER { active(3), destroy(4), idle(129), phase1(130), down(131), init(132) }

for some reason my lab-gw sends tunnelstate as non-integer values (strings), but value is the same:

Re: Identify VPN downtimes or re-establishments

G_W_Albrecht — Thu, 17 Apr 2025 11:21:04 GMT

If you have enabled Permanent Tunnels, you see Key Install only after tunnel was down or during renegotiation (controlled by the parameters you set).

Re: Identify VPN downtimes or re-establishments

the_rock — Thu, 17 Apr 2025 11:35:46 GMT

I attached short video of what @PhoneBoy was referring to, but, keep in mind, this is ONLY available if gateway is on R82.

Andy