VPN Based monitoring


gjslot
09-04-2008, 02:05 PM
Hello !

Our company has been using Nagios and Centreon for quite a while now;
everything is working as it should, but we keep struggling with the fact that we cannot really monitor our customers via VPN. We use NetScreen firewalls and Zyxel routers.
At this moment we have it set up like this: the internal IP of the VPN modem is the master host (dependency) and the servers/switches behind it are dependent on it.

But this is not as it should be, I think. Now I have the following questions:

1. How do you monitor systems that are behind a VPN?
2. Does anyone have good SNMP VPN NetScreen/Zyxel checks?
We use a NetScreen SSG-140 as our main firewall.

mcazemier
09-07-2008, 11:05 PM
Does someone have an answer to this?
We are very interested.

Michiel

surcouf
09-07-2008, 11:17 PM
Hello !

Our company has been using Nagios and Centreon for quite a while now;
everything is working as it should, but we keep struggling with the fact that we cannot really monitor our customers via VPN. We use NetScreen firewalls and Zyxel routers.
At this moment we have it set up like this: the internal IP of the VPN modem is the master host (dependency) and the servers/switches behind it are dependent on it.

But this is not as it should be, I think. Now I have the following questions:

1. How do you monitor systems that are behind a VPN?
2. Does anyone have good SNMP VPN NetScreen/Zyxel checks?
We use a NetScreen SSG-140 as our main firewall.
Like this one:
http://www.nagiosexchange.org/cgi-bin/page.cgi?g=Detailed%2F1681.html;d=1 ?

gjslot
09-08-2008, 04:37 PM
Like this one:
http://www.nagiosexchange.org/cgi-bin/page.cgi?g=Detailed%2F1681.html;d=1 ?

Hello,

Thanks for your reply.
This is not a good check for monitoring VPN;
it only checks whether the parameters in the NetScreen are good, not the actual status of the VPN, so there is nothing to really build a dependency on.

surcouf
09-08-2008, 05:01 PM
Hello,

Thanks for your reply.
This is not a good check for monitoring VPN;
it only checks whether the parameters in the NetScreen are good, not the actual status of the VPN, so there is nothing to really build a dependency on.

The following example is based on NETSCREEN-VPN-MON-MIB::nsVpnMonTunnelMonState:

Check availability of a tunnel if we are using the vpnmonitor options:
#check_netscreen_vpn -H 10.1.1.23 -C securalis -n "VPN_home" -t
Displays:
OK: Tunnel UP

According to the MIB NETSCREEN-VPN-MON-MIB, the description of nsVpnMonTunnelMonState is:

    nsVpnMonTunnelState OBJECT-TYPE
        SYNTAX INTEGER {
            down(0),
            up(1)
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The current tunnel status determined by the icmp ping if The
            monitoring status is on."
        ::= { nsVpnMonEntry 20 }

What more information did you want?

froggy
12-12-2008, 04:22 AM
It really depends on what you're trying to monitor and the type of client connections. VPN-wise, if you're checking the state, the number of clients connected through xauth, etc., then I suggest using check_snmp with the correct OID; that would work best (it is what I am doing). It would also be beneficial to get the most current relevant MIB files from Juniper and add them to your Nagios host.

http://www.juniper.net/techpubs/software/index_mibs.html


If you are talking about monitoring dial-in VPN clients, you could assign what would act as a standby monitor with its IP assigned to the various addresses in the xauth pool; once the system recognises the client has come online, the dependent services are activated and the client is monitored.

Some considerations though ... A) NetScreens HATE active monitoring systems passing through them; the sessions are short and frequent and are often seen as a scan or attack, often setting off your src and/or dst IP alarm, not to mention a few of the other screening rules (been there lol).
Because of the headaches involved I really don't think it's worth breaking the firewall boundary or opening up holes simply to monitor a one-off client. If you're talking about a hardware VPN and a LAN of machines on the other side, then that's a whole different bag of chips, and the best solution I have found so far is a distributed system. Before I went this route I was averaging around 1500 sessions just between my corporate and dev VLANs (suggested limit is 500 for total trust) and there were 6 more NetScreens to pass through for the other VLANs. Now that I have swapped over to satellites, I have 1-5 sessions running from the central monitor to the satellites, which don't have to cross a firewall boundary to do their job. Performance has severely picked up on the NetScreens since, so this would definitely be a great solution for a second site or to cross firewall boundaries for multiple hosts.
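A check along the lines of surcouf's check_netscreen_vpn -t run and froggy's check_snmp suggestion, written here as an added example rather than code from this thread or from Juniper: it walks NETSCREEN-VPN-MON-MIB::nsVpnMonTunnelState (the object quoted above, with down(0)/up(1)), maps the value for one tunnel index to a Nagios exit code, and returns UNKNOWN rather than OK when the entry is missing, which is what you see when VPN monitoring is not enabled for that tunnel. The net-snmp command line, the script name and the snmpwalk sample are assumptions; the Juniper MIB must be installed on the Nagios host for the symbolic name to resolve.

```python
#!/usr/bin/env python3
"""Nagios-style check of a NetScreen VPN tunnel via NETSCREEN-VPN-MON-MIB (added example)."""
import re
import subprocess
import sys
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3      # Nagios plugin exit codes

# One net-snmp output line per tunnel index, with or without the MIB loaded, e.g.
#   NETSCREEN-VPN-MON-MIB::nsVpnMonTunnelState.2 = INTEGER: up(1)
LINE_RE = re.compile(r"nsVpnMonTunnelState\.(\d+)\s*=\s*INTEGER:\s*(?:\w+\()?(\d+)\)?")
# Constructed sample of snmpwalk output; not captured from a real device.
SAMPLE_WALK = """\
NETSCREEN-VPN-MON-MIB::nsVpnMonTunnelState.1 = INTEGER: up(1)
NETSCREEN-VPN-MON-MIB::nsVpnMonTunnelState.2 = INTEGER: down(0)
"""

def parse_tunnel_states(walk_output):
    """Map tunnel index -> integer state from snmpwalk text output."""
    states = {}
    for line in walk_output.splitlines():
        m = LINE_RE.search(line)
        if m:
            states[int(m.group(1))] = int(m.group(2))
    return states

def evaluate(states, index):
    """Turn one tunnel's state into an (exit_code, message) pair for Nagios."""
    if index not in states:
        # Object absent: wrong index, or vpn monitor not enabled for this tunnel.
        return UNKNOWN, f"UNKNOWN: no nsVpnMonTunnelState entry for index {index}"
    state = states[index]
    if state == 1:
        return OK, f"OK: Tunnel UP (index {index})"
    if state == 0:
        return CRITICAL, f"CRITICAL: Tunnel DOWN (index {index})"
    return UNKNOWN, f"UNKNOWN: tunnel {index} reported unexpected value {state}"

def walk_tunnel_states(host, community):
    """Run net-snmp's snmpwalk (assumed installed, with the Juniper MIB on the MIB path)."""
    out = subprocess.run(["snmpwalk", "-v2c", "-c", community, host,
                          "NETSCREEN-VPN-MON-MIB::nsVpnMonTunnelState"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tunnel_states(out)

if __name__ == "__main__":   # usage: check_ns_tunnel.py <host> <community> <tunnel-index>
    host, community, index = sys.argv[1], sys.argv[2], int(sys.argv[3])
    code, msg = evaluate(walk_tunnel_states(host, community), index)
    print(msg)
    sys.exit(code)
```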