We have a client with a main office that hosts the AD, file and terminal servers. We have been implementing firewalls at the various satellite offices for a little over 2 years, and since we now have over 20, we are reloading firewalls on a weekly or every-two-weeks basis. The bad thing is we are noticing this only after the client does, i.e. they are unable to RDP to the terminal server.
What do you guys use to monitor and diagnose these issues? They are Cisco 5505/5506s for the most part, if that matters.
Presumably these are IPsec site-to-site VPNs? If you want to be proactive and your devices support it, then enabling Dead Peer Detection should take care of your problem for the most part. The firewalls should send a periodic IPsec “ping” to each other to make sure everything’s still fine. If it’s not, they should tear down the connection and re-establish it. If they can’t, that’s the point at which you have a problem. Running a simple ICMP ping from a monitoring station to an IP that should be reachable in the branch office (something like the internal IP of the firewall itself, or a branch office server, something that shouldn’t just disappear off the network) should be enough to indicate a problem that DPD couldn’t work around. If you want something pretty, use something that pings and feeds the response time into a dashboard. I’ve been playing around with Telegraf/InfluxDB/Grafana a bit this week and it’s only taken a few hours to configure an SNMP-based CPU usage and bandwidth graph to monitor my office firewall.
I had that problem a while back and Dead Peer Detection didn’t fix it. So I made a stripped-down Linux VM and ran continuous pings from it to all of the branch offices. This kept the tunnels up and didn’t take any noticeable bandwidth.
But like everyone else says, any network monitor can detect something like this.
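As an added example (not code from anyone in this thread), here is the kind of ping-based branch monitor the two replies above describe, written in Python. It polls one address per branch (the inside interface of the branch firewall is a good choice, because a reply proves the path through the tunnel), keeps an up/down state per site, and only raises an alert after a run of consecutive failures or successes so a single dropped packet does not page anyone. The branch names and addresses are constructed sample data; the default probe shells out to the Linux iputils `ping`, and the class accepts any probe callable so the state logic can be exercised without a network.

```python
"""Branch reachability monitor for site-to-site tunnels (added example).

Polls one IP per branch, tracks an up/down state per site, and reports a
transition only after N consecutive failures or successes.
"""
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data: branch name -> inside IP of that branch's firewall.
SITES: Dict[str, str] = {
    "branch-01": "10.1.0.1",
    "branch-02": "10.2.0.1",
}


def icmp_probe(ip: str, timeout_s: int = 2) -> Optional[float]:
    """One ICMP echo via the system ping (Linux iputils flags: -c count, -W seconds).

    Returns the round-trip time in milliseconds, or None if the host did not answer.
    """
    start = time.monotonic()
    proc = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), ip],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    if proc.returncode != 0:
        return None
    return (time.monotonic() - start) * 1000.0


@dataclass
class SiteState:
    up: bool = True            # assume up until proven otherwise
    fail_streak: int = 0       # consecutive failed probes
    ok_streak: int = 0         # consecutive successful probes
    last_rtt_ms: Optional[float] = None


class TunnelMonitor:
    def __init__(
        self,
        sites: Dict[str, str],
        probe: Callable[[str], Optional[float]] = icmp_probe,
        fail_threshold: int = 3,     # probes that must fail before "DOWN"
        recover_threshold: int = 2,  # probes that must succeed before "UP"
    ) -> None:
        self.sites = dict(sites)
        self.probe = probe
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.state: Dict[str, SiteState] = {name: SiteState() for name in sites}

    def poll_once(self) -> List[str]:
        """Probe every site once; return alert lines for state transitions only."""
        alerts: List[str] = []
        for name, ip in self.sites.items():
            st = self.state[name]
            rtt = self.probe(ip)
            st.last_rtt_ms = rtt
            if rtt is None:
                st.fail_streak += 1
                st.ok_streak = 0
                if st.up and st.fail_streak >= self.fail_threshold:
                    st.up = False
                    alerts.append(f"DOWN {name} ({ip}): {st.fail_streak} consecutive probes failed")
            else:
                st.ok_streak += 1
                st.fail_streak = 0
                if not st.up and st.ok_streak >= self.recover_threshold:
                    st.up = True
                    alerts.append(f"UP {name} ({ip}): reachable again, rtt {rtt:.1f} ms")
        return alerts

    def snapshot(self) -> Dict[str, Optional[float]]:
        """Latest RTT per site (None while unreachable); suitable for feeding a dashboard."""
        return {name: st.last_rtt_ms for name, st in self.state.items()}


def run_forever(monitor: TunnelMonitor, interval_s: int = 10) -> None:
    """Continuous loop: print transitions with a timestamp and keep probing."""
    while True:
        for line in monitor.poll_once():
            print(time.strftime("%Y-%m-%d %H:%M:%S"), line)
        time.sleep(interval_s)


if __name__ == "__main__":
    run_forever(TunnelMonitor(SITES))
```

Two caveats when running this for real: the `-W` flag means seconds on Linux iputils ping but milliseconds on BSD/macOS ping, so adjust the probe for the monitoring host; and the probes only double as tunnel keepalive traffic (the trick in the reply above) if the monitoring station's source address and the branch target both fall inside the crypto ACL on each firewall, otherwise the pings never enter the tunnel and can neither keep it up nor prove it is working.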
Maybe I’m not understanding completely, but the VPNs should come up automatically when there’s network traffic trying to go to the other side. If that’s not happening, then you have some configs wrong.
PRTG has already been mentioned a few times here: take a look at the ASA VPN Sensors for traffic, users and connections.
A completely different thought would be to install a PRTG server centrally and then use “remote probes” at each of the satellite offices. The remote probes can do the monitoring for that office, and from that office (e.g. to check RDP from the remote office to the terminal server).
You’re thinking of a client initiated VPN. This is a constant VPN from one firewall to another that allows access between sites without a VPN client installed on the machine.
No, a client VPN is initiated by a potentially roaming client and is only initiated in that direction. A site to site uses a static IP and each side knows what subnet is on the other side, and both can initiate the connection when they have traffic destined for it. At least that’s how Cisco does it.
Yeah, but the VPN isn’t an open/shut scenario in a site to site, unlike a client VPN. It’s intended to be open regardless of traffic. At least that’s how I understand it.
It will only stay open if there is ‘interesting’ traffic flowing through it, i.e. traffic being matched to the VPN filter / ACL (however you’ve set it up).
If you want it to stay permanently up you need to configure an SLA (replace AWS with your remote site), which is a continuous ping from one FW interface to the remote firewall. The tunnel will collapse if you don’t configure this and regular traffic flow stops briefly.
Most VPNs have some kind of timeout, client or site to site. A site to site will shut down after the timeout time if there is no traffic, and should re-initiate once there is traffic again.