Hey guys,
I know there were a few posts about this before, but here is what I'm looking for. I know many methods to check the status of the tunnel itself, with tcpdump on proto 50, vpn tu options, sv monitor etc., but those are all manual methods. What I'm after is an automatic method that would alert a customer if there is an issue with the tunnel.
I get the options inside the community under tunnel management that you can set to tunnel down and up for different actions, but I wonder if there is anything more intuitive (for lack of a better term) that can be set up.
Thanks as always for any suggestions.
Best,
Andy
Hey guys,
Just to give a quick update on this. Talked to a Tier 3 guy in DTAC and what I was informed is quite disappointing, to put it bluntly. So, he told me that when it comes to VPN monitoring, supposedly, it ONLY works if it's a CP to CP tunnel, so say if you have CP to 3rd party, which probably 99% of customers would have, you can't even configure the pop-up alert to work, and here comes the really odd part for me. Say even if you have a CP cluster to another single gateway VPN tunnel, it's not enough to even reset the tunnel via vpn tu tlist del or the vpn tu command, but you would need to do cpstop on BOTH cluster members.
Oh well, as disappointing as this is, if that's how it is, we just have to accept it. I still, personally, find it a bit hard to believe that even the pop-up alert is only possible if it's strictly a CP VPN tunnel.
Anyway, figured I would share the info I was given. At least searching for the log filter "Key Install" would give a log when the tunnel may have gone down, so it's better than nothing. I sure hope VPN monitoring is totally revamped in R82...
Best,
Andy
Here is the sk: sk63663. You can simply use any NMS, or, as I am doing, an open-source tool like check_mk, and it perfectly shows the tunnel status and if any issue occurs.
Hi Andy
I think I mentioned it before, in R82 we have a completely new VPN Monitoring Tool:
Perhaps @itamarav can add additional details.
Thanks @Tal_Paz-Fridman, but in the meantime, since who knows how long it might be before most clients are on R82, does anything similar exist in R81.20?
Best,
Andy
Within R82, will it be possible to send SNMP traps to more than 1 trap server in case VPN state is changed?
I don't know of any ways to alert automatically from the firewall. We use an external monitoring server to monitor endpoints on the other end of the VPN and get our automatic notifications (e-mail / sms) that way.
I will do some testing in the lab tomorrow to see if I can make it work with the pop-up alert when the tunnel is reset.
Andy
Hi Andy,
Let me answer your question with a question. When should Check Point consider a VPN tunnel problematic?
Some tunnels are used more than others. There are tunnels that are maybe used once a day. If no traffic flows via the tunnel, the tunnel goes down.
I think the best would be, for now, using a monitoring tool and pinging something via the tunnel on the other side. In this way you know that the tunnel is up and there is no issue. Until they restart something at the other end, of course 🙂
Let me answer your question. When should CP consider a tunnel problematic? I would say when it goes down 🙂
See, what we are trying to accomplish is to get some sort of pop-up alert or a log when the tunnel is down.
Best,
Andy
Good morning,
I'd expect something like "active tunnel". So Tunnel UP is one thing. Checking if there is traffic (i.e. keepalives, so even when the tunnel is not actively in use) is a better bet. So - something like
Personally, I'd stick to external monitoring, using either SNMP or by checking if resources on "the other side" are available.
(might be an idea to extend GAiA API to see local tunnel sessions (Site to Site and/or Client to Site) and if there are sessions and if there is activity on tunnel? )
This is the way 🙂 Don't trust the firewall to give you the state. Use tests on the actual services on the other end.
I agree 🙂
In case you are using permanent tunnels (I suggest doing so), within the VPN community set the tracking to the desired option. If you choose any of the available Alerts, then go to the Global Properties on the Domain where the VPN is configured, go to Log and Alert -> Alerts and add the proper alert scripts.
In case you are using regular tunnels (I suggest switching to Permanent), then go to Global Properties -> Log and Alert -> select the desired option for "VPN configuration & key exchange errors". If you choose any of the available Alerts, then go to the Global Properties on the Domain where the VPN is configured, go to Log and Alert -> Alerts and add the proper alert scripts.
Another option is to create a script using the VPN SNMP OID (for example .1.3.6.1.4.1.2620.500.9002.1.3)
Some other ideas for scripting:
- output from "vpn tu"
- monitor VPN logs (traffic and/or .elg files)
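One way to turn the SNMP OID idea above into an automatic check, as an added example that is not code from this thread or from Check Point: the script below walks the VPN tunnelTable on the gateway with net-snmp's snmpwalk, maps each row's state to a name and prints one check_mk local-check style line per tunnel, exiting with the worst level so it also works as a plain Nagios-style plugin. The column layout under .1.3.6.1.4.1.2620.500.9002.1 (.1 peer IP, .2 peer object name, .3 state) and the numeric state meanings (3 active, 4 destroy, 129 idle, 130 phase1, 131 down, 132 init) are my reading of the Check Point MIB and are assumptions to verify against the chkpnt.mib shipped with your release; the peer names, addresses and walk output are constructed sample data.

```python
"""Poll the Check Point VPN tunnelTable over SNMP and raise an alert per tunnel.

Added example, not from the thread. Assumptions (verify against chkpnt.mib):
  .1.3.6.1.4.1.2620.500.9002.1.1.<idx>  tunnelPeerIpAddr
  .1.3.6.1.4.1.2620.500.9002.1.2.<idx>  tunnelPeerObjName
  .1.3.6.1.4.1.2620.500.9002.1.3.<idx>  tunnelState
  tunnelState: 3 active, 4 destroy, 129 idle, 130 phase1, 131 down, 132 init
"""
import re
import subprocess
import sys
from dataclasses import dataclass

TUNNEL_TABLE = ".1.3.6.1.4.1.2620.500.9002.1"
COL_PEER_IP, COL_PEER_NAME, COL_STATE = 1, 2, 3
STATE_NAMES = {3: "active", 4: "destroy", 129: "idle", 130: "phase1",
               131: "down", 132: "init"}
HEALTHY = {"active", "idle"}          # idle: SA present, just no traffic right now
NEGOTIATING = {"phase1", "init"}      # usually transient: warn, do not page

# One line of `snmpwalk -On` output:  <numeric OID> = <TYPE>: <value>
LINE_RE = re.compile(r"^(\S+)\s*=\s*([\w-]+):\s*(.*)$")


@dataclass
class Tunnel:
    index: str
    peer_ip: str
    peer_name: str
    state: str


def parse_walk(text):
    """Group snmpwalk lines by row index: {index: {column: value}}."""
    rows = {}
    prefix = TUNNEL_TABLE + "."
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(prefix):
            continue          # skips "No Such Object" lines and unrelated OIDs
        col, _, idx = m.group(1)[len(prefix):].partition(".")
        rows.setdefault(idx, {})[int(col)] = m.group(3).strip().strip('"')
    return rows


def tunnels_from_walk(text):
    """Build Tunnel records; unknown or missing state values are kept visible."""
    tunnels = []
    for idx, cols in parse_walk(text).items():
        raw = cols.get(COL_STATE, "")
        state = STATE_NAMES.get(int(raw), f"unknown({raw})") if raw.isdigit() else "missing"
        tunnels.append(Tunnel(idx, cols.get(COL_PEER_IP, "?"),
                              cols.get(COL_PEER_NAME, "?"), state))
    return tunnels


def evaluate(tunnels):
    """Return (worst_level, lines) in check_mk local-check style:
    0 OK, 1 WARN, 2 CRIT, 3 UNKNOWN."""
    if not tunnels:
        return 3, ['3 "VPN tunnels" - tunnelTable empty: agent unreachable, '
                   'wrong community, or no permanent tunnels']
    worst, lines = 0, []
    for t in tunnels:
        level = 0 if t.state in HEALTHY else 1 if t.state in NEGOTIATING else 2
        worst = max(worst, level)
        lines.append(f'{level} "VPN tunnel {t.peer_name}" - peer={t.peer_ip} state={t.state}')
    return worst, lines


def walk_gateway(host, community="public"):
    """Run net-snmp's snmpwalk (SNMPv2c) against the gateway's SNMP agent."""
    cmd = ["snmpwalk", "-v2c", "-c", community, "-On", host, TUNNEL_TABLE]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample walk: two rows, one tunnel active and one down.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2620.500.9002.1.1.1 = IpAddress: 198.51.100.10
.1.3.6.1.4.1.2620.500.9002.1.1.2 = IpAddress: 203.0.113.7
.1.3.6.1.4.1.2620.500.9002.1.2.1 = STRING: "Branch-A"
.1.3.6.1.4.1.2620.500.9002.1.2.2 = STRING: "Partner-X"
.1.3.6.1.4.1.2620.500.9002.1.3.1 = INTEGER: 3
.1.3.6.1.4.1.2620.500.9002.1.3.2 = INTEGER: 131
"""

if __name__ == "__main__":
    # usage: vpn_tunnel_check.py [gateway-ip [community]]; no args -> sample data
    text = walk_gateway(sys.argv[1], *sys.argv[2:3]) if len(sys.argv) > 1 else SAMPLE_WALK
    level, lines = evaluate(tunnels_from_walk(text))
    print("\n".join(lines))
    sys.exit(level)
```

Run it from the NMS (or as a check_mk local check) against the gateway rather than the management server, since the tunnelTable is served by the gateway's SNMP agent. Idle is treated as healthy on purpose: a permanent tunnel with no traffic still has its SA, whereas a missing or empty table usually means the tunnel is not permanent, the community string is wrong, or the agent is unreachable, which is why that case is reported as UNKNOWN rather than silently OK. Pair it with a reachability probe of a service on the far side, as suggested in this thread, to catch the case where the tunnel is up but the remote end is broken.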
Thanks @JozkoMrkvicka. I actually let the TAC guy know what I had tried in the lab...so, say if I change the tunnel monitoring option to log inside the VPN community, then I do see the log with the blade:"VPN" filter indicating key exchange, which matches when I do the tunnel reset, perfect. Now...IF I set the option to pop-up alert and set the rule that way, it does NOT work. I have a feeling I'm missing something in global properties, but not sure which option.
Thoughts?
Best,
Andy
I am pretty sure this is it, but since the support site is down atm, I can't look up the sk for it. If anyone has any idea what this should be, happy to try 🙂
Andy
I never tried that "pop up" option. To be honest, I am not sure what is the goal of that one...
I used snmp trap alert script and mail alert script, which are working perfectly fine.
There is only 1 issue with the snmp or mail script - you can specify only 1 IP (only 1 SNMP trap receiver / only 1 SMTP mail relay IP).
@JozkoMrkvicka If you would be kind enough mate to provide the steps to make it work with snmp script, I would be very grateful, while I wait for TAC response.
Best,
Andy
Very important note is that the SNMP traps are NOT sent from the gateway.
SNMP trap alerts are sent from management Main IP (Leading Interface IP) or Logserver Main IP.
Steps:
Connect with SmartDashboard to Security Management Server / Provider-1 CMA / Domain Management Server.
Go to the Policy menu - click on the Global Properties...
Expand the Log and Alerts - click on the Alerts pane.
In the Run SNMP trap alert script field, enter/paste the following:
internal_snmp_trap -c YOUR_SNMP_COMMUNITY IP_ADDRESS_OF_YOUR_SNMP_TRAP_SINK
Note: By default, YOUR_SNMP_COMMUNITY=public.
For example:
internal_snmp_trap -c public 1.1.1.1
"public" is the snmp community string
1.1.1.1 is the snmp trap receiver IP.
Thank you. Let me see if the TAC guy can make it work with the pop-up alert, that would probably be the best option in this case.
Best,
Andy
Just to update quick...TAC came back saying they got it working with the pop-up alert, so I will update once I do a remote session to see if we can get it working in my lab as well.
Best,
Andy
Just in case, AFAIK, only permanent tunnels can be SNMP monitored.
I believe that's the case, yes.
nah - Did you try monitoring through SNMP? I am monitoring my tunnels through SNMP and with particular OIDs it does give you status about P1 or P2 failures
Not yet, but though I did mention it to TAC, it was not tested. I will try in the lab what @JozkoMrkvicka provided, unless you have something more simple, happy to try 🙂
Best,
Andy
Forgot to mention - Let me know if any help is required setting check_mk and I am happy to help.
Thanks brother.
Best,
Andy
Thanks! So are you saying you can put that snmp OID into the tool check_mk and it shows the status? If so, that's super easy, will try it Tuesday.
Best,
Andy
Well you don't even need to add those OIDs or any other OIDs