Problem is the SA lifetimes dictate how long a tunnel is allowed to be up before being torn down to change keys, so just looking at key exchange messages does not mean an outage actually occurred. In addition, most VPNs are brought up on demand when interesting traffic needs to use them, and if there is no traffic the tunnel can time out and appear "down" until some more interesting traffic arrives.
Only way I can think of to do this is via Permanent Tunnels, which by default only work between Check Point gateways, but can be made to work with other vendors' firewalls by setting Dead Peer Detection (DPD) mode. Assuming you set both "tunnel up" and "tunnel down" alerts, you could measure the time between tunnel down and tunnel up alerts to determine total outage time, although it can take between 20-30 seconds to detect that a tunnel has fallen down and cannot get back up. The default lifesign interval is 10 seconds with 3 failures causing a "tunnel down" condition, but these timers could be shortened I suppose. Here is the coverage for Permanent Tunnels from my book:
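The measurement described in the post above, as an added example that is not part of the original post or Check Point's own tooling: it pairs "tunnel down" and "tunnel up" alerts per peer and adds the lifesign detection delay as an upper bound. The alert line format, peer names and the `outages` function are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample alerts in a hypothetical format (not Check Point's log
# format): ISO timestamp, peer name, event. Assumed to be in time order.
SAMPLE_ALERTS = """\
2026-01-10T08:00:05 branch-a tunnel_down
2026-01-10T08:00:15 branch-a tunnel_down
2026-01-10T08:03:35 branch-a tunnel_up
2026-01-10T09:10:00 branch-b tunnel_up
2026-01-10T11:20:00 branch-b tunnel_down
2026-01-10T11:20:50 branch-b tunnel_up
2026-01-10T12:00:00 branch-a tunnel_down
"""

LIFESIGN_INTERVAL = 10   # seconds, default quoted in the post
FAILURES_FOR_DOWN = 3    # missed lifesigns before "tunnel down"

def outages(text, interval=LIFESIGN_INTERVAL, failures=FAILURES_FOR_DOWN):
    """Pair each peer's tunnel_down alert with its next tunnel_up alert.

    Returns (closed, still_down). closed holds tuples of
    (peer, down_time, up_time, measured_seconds, upper_bound_seconds);
    still_down maps peer -> down_time where no tunnel_up has arrived yet.
    """
    lag = interval * failures   # worst-case delay before the down alert fires
    open_down, closed = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, peer, event = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "tunnel_down":
            open_down.setdefault(peer, when)   # keep first down, ignore repeats
        elif event == "tunnel_up" and peer in open_down:
            down = open_down.pop(peer)
            measured = int((when - down).total_seconds())
            closed.append((peer, down, when, measured, measured + lag))
        # a tunnel_up with no preceding tunnel_down is not an outage; skip it
    return closed, open_down

if __name__ == "__main__":
    closed, still_down = outages(SAMPLE_ALERTS)
    for peer, down, up, measured, bound in closed:
        print(f"{peer}: {down} -> {up} measured {measured}s, at most {bound}s")
    for peer, down in still_down.items():
        print(f"{peer}: down since {down}, no tunnel_up alert yet")
```

Shortening the lifesign timers narrows the gap between the measured and upper-bound figures.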