Matlu
Advisor

S2S VPN history.

Hello, Mates.

Is there any way to see the "summary" of the status of a VPN?

My intention is to know if an S2S VPN that we have against a third party is down or rebooted maybe 12 hours ago.

I am looking for options in the SmartView Monitor, but I can't find an appropriate option.

Any ideas that can help me please?

Cheers. 🙂

0 Kudos
7 Replies
PhoneBoy
Admin

The only thing we log is when the tunnel "comes up" (key install).
The tunnel never really goes "down" unless the remote end stops responding (which should be logged).

In R82, I believe we plan to have some enhanced VPN monitoring features.

0 Kudos
Matlu
Advisor

Uhm,

I have an S2S VPN, which 12 hours ago, lost connection between both sides of the VPN.

So, we want to "see" if in that time range, the VPN was logged as "down" in Check Point.

I have made some filters in the SmartConsole, "calling" only the VPN community under discussion, and filtering the "action" field with a "Key Install".

And this is the result I get.

Exactly what does the "Key Install" mean?

Is it the moment when Check Point "detects" that a VPN is being set up?

[Attached screenshots: VPN2.png, VPN1.png]

Is there any option that you think can help me?

Cheers. 🙂

0 Kudos
PhoneBoy
Admin

A VPN connection requires symmetric encryption keys to be generated every so often with the various IPsec timers determining how often this is done.
Likewise, the remote end might request termination and issue a "delete IKE SA request."
These are logged as "Key Install" events as they affect the encryption keys used.

If the remote VPN peer cannot be reached, you may see "peer not responding" messages in the logs.
However, this will only occur if there is active traffic on the VPN.

0 Kudos
Matlu
Advisor

Hello,

This action, "delete IKE SA request", does not necessarily mean that the VPN tunnel is "down", right?

I mean, the remote peer may send a message like "delete IKE SA request", but for us, it may be something "transparent", and we could still see the tunnel "active" at that moment?

Or is this action necessarily going to lower the tunnel?

Greetings

0 Kudos
PhoneBoy
Admin

Correct, an IKE SA being deleted does not necessarily mean the tunnel is down.
In IKEv2, it's actually done as part of the rekeying process that should happen every few hours (so-called Break Before Make).

0 Kudos
G_W_Albrecht
Legend

Old Legacy SV Monitor has Tunnels on GW > VPN History > Last Day > Active Tunnels Average that should show it.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Gojira
Collaborator

A monitoring tool could help.

For example, pinging a host across the VPN.

Another option is SNMP:

https://support.checkpoint.com/results/sk/sk63663

0 Kudos
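
The ping suggestion above also keeps traffic on the tunnel, which matters because "peer not responding" is only logged when there is active traffic. The script below is an added example, not code from this thread or from Check Point: it probes a host across the VPN and turns the results into a timestamped outage history that can answer "was it down in the last 12 hours?". The host address, probe interval, failure threshold and function names are assumptions.

```python
"""Probe a host behind the S2S tunnel and keep an up/down history."""
import subprocess
import time
from datetime import datetime, timedelta

PEER_HOST = "192.0.2.10"  # assumption: pingable host behind the remote peer
INTERVAL = 60             # assumption: seconds between probes
FAILS_FOR_DOWN = 3        # consecutive failed probes that count as an outage

def probe(host, timeout_s=2):
    """True if one ICMP echo is answered (Linux iputils ping flags)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

def outages(samples, fails_for_down=FAILS_FOR_DOWN):
    """Turn [(datetime, ok), ...] into [(down_since, up_again or None), ...].
    A single lost packet is ignored; an outage is dated from the first probe
    of a run of at least `fails_for_down` consecutive failures."""
    result, run_start, run_len = [], None, 0
    for ts, ok in samples:
        if not ok:
            run_start = run_start or ts
            run_len += 1
            continue
        if run_len >= fails_for_down:
            result.append((run_start, ts))
        run_start, run_len = None, 0
    if run_len >= fails_for_down:
        result.append((run_start, None))  # still down at the last sample
    return result

def down_within(samples, now, window=timedelta(hours=12)):
    """Outages overlapping the last `window` before `now`."""
    return [(a, b) for a, b in outages(samples)
            if b is None or b >= now - window]

if __name__ == "__main__":
    history, reported = [], []
    while True:
        history.append((datetime.now(), probe(PEER_HOST)))
        current = down_within(history, datetime.now())
        if current != reported:  # print only when the picture changes
            print(current)
            reported = current
        time.sleep(INTERVAL)
```

A failed probe shows that the path to the probed host is broken, not which side or which component caused it, so correlate the recorded times with the gateway's VPN logs.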
