Anonymous
Not applicable

VPN Monitoring


Hi guys,

I have a NV5305 as a hub for more than 100 VPNs; the objective is to connect PCs on remote sites to an application server located in one data center.

At this moment my customer is reporting that the remote sites can't access the HQ. So I would like to ask you how I can show him that the VPNs are working correctly.

According to me, if I have the VPNs in SA_MATURE, it means that the tunnels are up and running.

Do you have any other suggestions?

Thanks in advance,


Accepted Solutions
jayh
Honored Contributor

Re: VPN Monitoring


dcorrea wrote:

Hi guys,

I have a NV5305 as a hub for more than 100 VPNs; the objective is to connect PCs on remote sites to an application server located in one data center.

At this moment my customer is reporting that the remote sites can't access the HQ. So I would like to ask you how I can show him that the VPNs are working correctly.

According to me, if I have the VPNs in SA_MATURE, it means that the tunnels are up and running.


Not necessarily.  SA_MATURE as a result of sh crypto ike sa means that IKE (Internet Key Exchange) has succeeded and that an IPSec SA can commence.  It doesn't mean that routing, NAT, protected network mapping, or any of the other nuances of IPSec VPNs other than key exchange have succeeded or that traffic is flowing. 

sh crypto ipsec sa will show if there is an IPSEC SA, what the local and remote protected subnets are, and a count of transmitted and received bytes.  You'll have an SA in each direction with incrementing TX and RX bytes if things are working and traffic is flowing.

You've done the hard part in getting IKE up, but there may still be something with NAT configuration, split tunneling, routing, etc. that isn't right.

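The byte-counter check jayh describes, as an added Python example that is not from the original thread: it parses two snapshots of the IPsec SA listing taken some time apart and flags each tunnel whose TX and RX counters are not both incrementing, which is the difference between "IKE succeeded" and "traffic is flowing". The line format and peer addresses are constructed for the example and are an assumption, not the real AOS output format.

```python
import re

# Constructed sample snapshots of a "show crypto ipsec sa" style listing.
# The format below is an assumption made for this example, not the real
# AOS output; adapt LINE_RE to the actual device output.
SNAPSHOT_T0 = """\
Peer: 203.0.113.10  Local: 10.0.0.0/24  Remote: 192.168.10.0/24  Tx: 1200  Rx: 3400
Peer: 203.0.113.11  Local: 10.0.0.0/24  Remote: 192.168.11.0/24  Tx: 500   Rx: 0
Peer: 203.0.113.12  Local: 10.0.0.0/24  Remote: 192.168.12.0/24  Tx: 0     Rx: 0
Peer: 203.0.113.13  Local: 10.0.0.0/24  Remote: 192.168.13.0/24  Tx: 80    Rx: 60
"""
SNAPSHOT_T1 = """\
Peer: 203.0.113.10  Local: 10.0.0.0/24  Remote: 192.168.10.0/24  Tx: 1800  Rx: 5100
Peer: 203.0.113.11  Local: 10.0.0.0/24  Remote: 192.168.11.0/24  Tx: 900   Rx: 0
Peer: 203.0.113.12  Local: 10.0.0.0/24  Remote: 192.168.12.0/24  Tx: 0     Rx: 0
"""

LINE_RE = re.compile(
    r"Peer:\s*(\S+)\s+Local:\s*(\S+)\s+Remote:\s*(\S+)\s+Tx:\s*(\d+)\s+Rx:\s*(\d+)")


def parse_sa(text):
    """Return {peer: (local_subnet, remote_subnet, tx_bytes, rx_bytes)}."""
    sas = {}
    for m in LINE_RE.finditer(text):
        peer, local, remote, tx, rx = m.groups()
        sas[peer] = (local, remote, int(tx), int(rx))
    return sas


def classify(before, after):
    """Compare two snapshots; a tunnel is only 'healthy' when bytes moved
    in both directions between them. One-directional growth points at
    routing/NAT/protected-subnet problems on one side, not at IKE."""
    result = {}
    for peer, (_, _, tx1, rx1) in after.items():
        if peer not in before:
            result[peer] = "new SA, no baseline yet"
            continue
        _, _, tx0, rx0 = before[peer]
        tx_up, rx_up = tx1 > tx0, rx1 > rx0
        if tx_up and rx_up:
            result[peer] = "healthy"
        elif tx_up:
            result[peer] = "tx only: hub sends, nothing comes back (check remote routing/NAT)"
        elif rx_up:
            result[peer] = "rx only: remote sends, hub never replies (check hub routing/NAT)"
        else:
            result[peer] = "idle: SA exists but no traffic (IKE up is not enough)"
    for peer in before.keys() - after.keys():
        result[peer] = "SA gone between snapshots (rekey failure or tunnel torn down)"
    return result


if __name__ == "__main__":
    for peer, status in sorted(classify(parse_sa(SNAPSHOT_T0), parse_sa(SNAPSHOT_T1)).items()):
        print(f"{peer:15} {status}")
```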
5 Replies
Anonymous
Not applicable

Re: VPN Monitoring



It appears you have opened a ticket with ADTRAN Technical Support.  When you get a chance, will you please post the resolution to this issue back to this forum post?

Please, do not hesitate to reply with any questions or additional information.  I will be happy to help in any way I can.

Levi

Anonymous
Not applicable

Re: VPN Monitoring


Hi guys,

The topic with the support team was how to guarantee support for more than 200 IPsec VPN tunnels using a NV5305 instead of an NV4430. The answer from the support team was that if the NV4430 doesn't support those tunnels, the NV5305 can't do it either; the argument is that the NV4430 has much better performance, and it all depends on the traffic generated by the tunnels.

Hope this helps,


Re: VPN Monitoring


If the server can be set to respond to ping packets from LAN IPs only (to avoid potential DDoS) you could set up a ping probe from the remote PCs to ensure that the tunnel is up and functioning.  Alternatively, check the documentation for Network Monitor Probe Command Set, or use the GUI in the Netvanta, but this would not be an end-point to end-point monitoring.

Anonymous
Not applicable

Re: VPN Monitoring



I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi