3 Replies Latest reply on Oct 23, 2015 3:07 PM by thyvarin

    System status - VPN monitoring

    seebvey

      Hi everybody,

       

      Yesterday I installed an NGFW cluster with about 35 VPN tunnels.

      Each tunnel works and data are sent through each of them.

      However, only 5 of these tunnels are green in the system status. All other tunnels are red or yellow.

       

      Why is that? Can I refresh or retrigger the check?

       

      regards

      Sebastian

        • 1. Re: System status - VPN monitoring
          thyvarin

          Hi,

           

          Does this KB article match your case?

          https://kc.mcafee.com/agent/index?page=content&id=KB82901&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

           

          You could try restarting the log server to see if that clears the previous failed status.

           

          BR,

          Tero

          • 2. Re: System status - VPN monitoring
            seebvey

            Hi Tero,

             

            Yes, this article matches my case exactly.

             

            I tried restarting the Log Server, but without any changes. Not really good!

            Is the system status the only place where I can see whether a VPN tunnel is up or not?

            I want to have a live view where I can see whether a tunnel is active or idle. Is that possible?

             

            regards

            Sebastian

            • 3. Re: System status - VPN monitoring
              thyvarin

              Hi Sebastian,

               

              The best, and I would say the only certain, way to verify that a VPN tunnel is up is to check whether an IPsec SA (pair) exists between the local and remote VPN site. In SMC you can see the SAs by right-clicking the firewall element and selecting "Monitoring" and "VPN SAs". From the command line you can use the "vpninfo -a" and "vpninfo -e" commands to see IPsec SAs. For IKE SAs use "vpninfo -i":

               

              root@ngf-325:~# vpninfo
              Usage: vpninfo [OPTION]...

              -H: Dump IKE peer information
              -Y: Dump mobile and dynamic peer information
              -S: Dump sessions
              -a: Dump IPsec SAs
              -e: Dump IPsec SAs
              -z: Display ongoing IKE and IPsec negotiations
              -t <tunnelID>: Dump IPsec SAs of tunnel
              -Z <transform>: Dump details of an IPsec SA
              -A: Dump Audit log
              -g: Dump global info
              -f: Dump flows
              -F <rule>: Dump flows by rule
              -r: Dump rules
              -R <rule>: Dump rule details
              -s: Dump statistics of all transforms
              -V: Display version information
              -l: Output log message buffer
              -c: Display policy manager connections
              -L <len>: Set log message buffer length in messages (also clears buffer)
              -o: Continuous log message output
              -i: Dump IKE SA list
              -C: Clustering statistics
              -m: Print the module's operating mode (FIPS / non-FIPS)
              -M: Output VPN SA monitoring status
              -v: Output vpn monitoring current status
              -P: Output TCP encapsulation connection states
              -X: Complete VPN Status
              -Q: Check configuration status
              -k: Display SPI hashing key info
              -n <level>: Set IKE debug level (0 - 15, 0 = no debug) (e.g. -n 6)
              -N: No output messages
              -d: Dump current DHCP sessions
              -K: Dump certificates
              -B <spi>: Delete IKE SAs
              -b <transform_index>: Delete IPsec SAs
              -J <in_spi> <out_spi>: Delete IPsec SA by Inbound and Outbound SPI values
              -p <ip_addr>: Delete SAs by peer
              -y <conn_id>: Delete SAs by connection
              -U <username>: Delete session and SAs by username
              -G <username> <domain>: Delete session and SAs by username@domain
              -j <session_id>: Delete SAs by session id
              -O <command> <parameters>: External crypto register/unregister/status
              -h: Display this help

               

              BR,

              Tero
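The advice in the reply above (trust the existence of an IPsec SA rather than the colour in the system status) can be turned into the "live view" asked for earlier in the thread. The script below is an added example, not code from the thread or from the NGFW product: it polls "vpninfo -a" on the firewall node and prints only state changes per expected peer. It assumes that the SA dump mentions the remote gateway address of each active IPsec SA in dotted-decimal form (the real output layout is not shown in the thread); the peer list and the sample dump are constructed for illustration, and the script falls back to the sample when "vpninfo" is not on the PATH.

```python
#!/usr/bin/env python3
"""Poll the IPsec SA list and report which expected VPN peers have an SA.

Added example, not from the forum thread or the NGFW product. Assumes the
output of `vpninfo -a` mentions the remote gateway address of every active
IPsec SA as an IPv4 literal; the sample dump and peer list are constructed.
"""
import re
import subprocess
import sys
import time

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed list of remote VPN gateway addresses (hypothetical values).
EXPECTED_PEERS = ["198.51.100.10", "198.51.100.11", "203.0.113.7"]

# Constructed sample of what an SA dump might look like; the layout is assumed.
SAMPLE_DUMP = """\
IPsec SA 0x1a2b  local 192.0.2.1 <-> peer 198.51.100.10  ESP aes256  in_spi 0x11 out_spi 0x12
IPsec SA 0x1a2c  local 192.0.2.1 <-> peer 203.0.113.7    ESP aes256  in_spi 0x21 out_spi 0x22
"""


def peers_with_sa(dump: str) -> set:
    """Return every IPv4 address mentioned in an SA dump."""
    return set(IPV4_RE.findall(dump))


def tunnel_status(expected, dump):
    """Map each expected peer to True when it appears in the SA dump."""
    seen = peers_with_sa(dump)
    return {peer: peer in seen for peer in expected}


def read_sa_dump():
    """Run `vpninfo -a` on the node; use the constructed sample elsewhere."""
    try:
        proc = subprocess.run(["vpninfo", "-a"], capture_output=True, text=True, check=True)
        return proc.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_DUMP


def watch(expected, interval=10, cycles=None):
    """Print only up/down transitions so the output works as a live view.

    Returns the last observed status map (peer -> bool).
    """
    previous = {}
    n = 0
    while cycles is None or n < cycles:
        status = tunnel_status(expected, read_sa_dump())
        for peer, up in status.items():
            if previous.get(peer) != up:
                state = "SA present" if up else "NO SA"
                print(f"{time.strftime('%H:%M:%S')} {peer}: {state}")
        previous = status
        n += 1
        if cycles is None or n < cycles:
            time.sleep(interval)
    return previous


if __name__ == "__main__":
    # `--once` does a single pass, useful from cron or a remote check script.
    watch(EXPECTED_PEERS, cycles=1 if "--once" in sys.argv else None)
```

Matching on the address alone is a deliberately coarse check: it confirms that some SA involving that gateway exists, not that the specific tunnel's selectors are negotiated. Swap "-a" for "-e" or "-i" in read_sa_dump() to watch the other SA tables the reply mentions, and keep the expected peer list in sync with the VPN configuration so a tunnel that silently disappears is reported rather than forgotten.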