VPN Monitoring
07-12-2012 04:31 PM
Hello everyone,
This is my first post here, and I am by no means an ASA expert, but I'm hoping you could provide me an elegant solution for my company's needs. A large (and growing) part of our customer base is medical customers, and as such we use encryption for HIPAA compliance. Our customers are rural and send radiology, medical records, and other medical information to larger organizations for processing and analysis. At this point, we have done it by using IPSec tunnels between ASAs, and while these are more than likely sticking around for a while, I need to figure out a way to be proactive in responding to these tunnels failing. The original thought was to route ICMP from our monitoring server to the far side of the tunnel, and then have it enter the tunnel to verify it is able to come up and pass traffic. I disagree with this train of thought as it is clunky, doesn't scale well and is hard to manage.
The more expensive option is to deploy small, Linux-based boxes that will be marked as interesting traffic, and when these nodes go down in our monitoring we will be aware without the customer calling.
The other idea is a bit more foreign to me. I'm thinking there has to be a setting in the ASA, or possibly a syslog message that can be sent from these devices, to alert us that Phase 1/2 is not coming up. Do you all know of such a thing?
Thanks in advance.
Labels: VPN
07-12-2012 07:07 PM
Hi Kyle,
You can use syslog for this purpose. I am not sure if free syslog servers have the option to send you an email based on rules.
Two steps:
1. Based on your ASA version (show version), check the system log message IDs related to Phase 1/2 up/down.
e.g. check the link: http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html
2. Configure the head-end ASA with a syslog server and the required message IDs.
links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b83d04.shtml
hth
MS
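To show what "required message IDs plus a rule" looks like on the receiving side, here is a small tunnel-state tracker added as an example; it is not code from either poster or from Cisco. The message IDs it watches (602303 for an IPsec SA created, 602304 and 713259 for an SA deleted or a session torn down), the log-line layout and the sample lines are all assumptions: verify the IDs and the exact message text against the logmsgs reference for your ASA version before relying on them.

```python
import re
from datetime import datetime

# Message IDs assumed to mark an IPsec SA coming up or going down; verify them
# against the Cisco logmsgs reference for your ASA version before relying on them.
UP_IDS = {"602303"}              # assumed: IPsec SA created
DOWN_IDS = {"602304", "713259"}  # assumed: IPsec SA deleted / session torn down
REKEY_GRACE = 30                 # seconds: delete then create this fast = rekey, not outage

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msgid>\d{6}): (?P<text>.*)")
# Remote peer address, taken from "IP = a.b.c.d" or "between <local> and <remote>"
PEER_RE = re.compile(r"IP = (\d+(?:\.\d+){3})|between \S+ and (\d+(?:\.\d+){3})")

def parse(line):
    """Return (timestamp, msgid, peer) or None for lines that are not ASA VPN events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = PEER_RE.search(m["text"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return ts, m["msgid"], p.group(1) or p.group(2)

def tunnel_alerts(lines, expected_peers):
    """Walk syslog lines in order; return per-peer state and alerts for outages,
    recoveries and peers that never reported at all (a silent peer is also a finding)."""
    last_down = {}   # peer -> time of the most recent SA deletion not yet followed by a create
    state = dict.fromkeys(expected_peers, "unknown")
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, msgid, peer = ev
        if msgid in DOWN_IDS:
            last_down[peer] = ts
        elif msgid in UP_IDS:
            if peer in last_down and (ts - last_down[peer]).total_seconds() > REKEY_GRACE:
                alerts.append(f"RECOVERED {peer} after outage")
            last_down.pop(peer, None)
            state[peer] = "up"
    for peer in expected_peers:
        if peer in last_down:   # deletion never followed by a create: still down
            state[peer] = "down"
            alerts.append(f"DOWN {peer} since {last_down[peer]:%H:%M:%S}")
        elif state[peer] == "unknown":
            alerts.append(f"NO-DATA {peer}: no SA event seen, check syslog path")
    return state, alerts

SAMPLE = [  # constructed log lines, not a real capture
    "Jul 12 2012 16:31:05: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.0.2.1 and 198.51.100.10 (user= peer) has been created.",
    "Jul 12 2012 16:40:00: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.0.2.1 and 198.51.100.10 (user= peer) has been deleted.",
    "Jul 12 2012 16:40:02: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 192.0.2.1 and 198.51.100.10 (user= peer) has been created.",
    "Jul 12 2012 17:02:11: %ASA-5-713259: Group = 203.0.113.7, IP = 203.0.113.7, Session is being torn down. Reason: Lost Service",
]
EXPECTED = ["198.51.100.10", "203.0.113.7", "203.0.113.9"]  # constructed peer list

if __name__ == "__main__":
    for alert in tunnel_alerts(SAMPLE, EXPECTED)[1]:
        print(alert)
```

The rekey at 16:40 produces no alert, the torn-down session at 17:02 is reported as DOWN, and the third peer is flagged because a tunnel whose ASA never reaches the syslog server looks identical to one that is silently fine.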
06-24-2013 01:33 PM
Hi,
Check out VPNTTG (VPN Tunnel Traffic Grapher). It is software for SNMP monitoring and measuring the traffic load of IPsec (Site-to-Site, Remote Access) and SSL (with client, clientless) VPN tunnels on a Cisco ASA. It allows the user to see the traffic load on a VPN tunnel over time in graphical form.
The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and stores the historical monitoring data for each VPN tunnel in its database.
For more information about VPNTTG please visit www.vpnttg.com
