This article applies to ScreenOS 4.0 and higher.
The NetScreen ScreenOS provides the ability to determine the status and condition of active VPNs through the use of SNMP VPN monitoring objects and traps. By enabling the VPN monitoring feature on a Manual Key or AutoKey IKE VPN tunnel, the NetScreen device activates its SNMP VPN monitoring objects, which include data on the following:
- The total number of active VPN sessions
- The time each session started
- The Security Association (SA) elements for each session:
- ESP encryption (DES or 3DES) and authentication algorithm (MD5 or SHA-1) types
- AH algorithm type (MD5 or SHA-1) - Key exchange protocol (AutoKey IKE or Manual Key)
- Phase 1 authentication method (Pre-shared Key or certificates)
- VPN type (dialup or peer-to-peer) - Peer and local gateway IP addresses
- Peer and local gateway IDs
- Security Parameter Index (SPI) numbers
- Session status parameters:
- VPN monitoring status (up or down)
- Tunnel status (up or down)
- Phase 1 and 2 status (inactive or active)
- Phase 1 and 2 lifetime (time in seconds before re-keying; Phase 2 lifetime is also reported in remaining bytes before re-keying)
To enable your SNMP manager application to recognize the VPN monitoring MIBs, you must import the NetScreen-specific MIB extension files into the application. You can find the MIB extension files on the NetScreen documentation CD that was shipped with your NetScreen device.
With VPN monitoring enabled, the NetScreen device also pings the remote gateway through the tunnel at specified intervals (configurable in seconds) to monitor network connectivity between the two VPN gateways.
The source interface that the local NetScreen device uses to send and receive ping requests differs according to the type of device at the remote end of the tunnel and whether the local NetScreen device is operating at Layer 3 (NAT or Route mode) or Layer 2 (Transparent mode):
| If.... the local device is operating at: |
and either: the remote device is a VPN client (such as the NetScreen-Remote), then.... |
or: the remote device is another NetScreen device, then.... |
| Layer 3 | The source-interface can be any interface with an IP address and in any zone except in the MGT zone. | Regardless of what you specify as the source interface, the NetScreen device uses the outgoing interface as the source interface. |
| Layer 2 | You cannot use the VPN monitoring feature. | Regardless of what you specify as the source interface, the NetScreen device uses the outgoing interface as the source interface. |
If the source interface is in a different zone from the outgoing interface (or if it is in the same zone and intrazone blocking is enabled), you must create a policy permitting pings through the VPN tunnel. Also, a VPN tunnel bound to a tunnel interface cannot support VPN monitoring.
The VPN monitoring MIB notes whether the ping elicits a response, a running average of successful responses, the latency of the response, and the average latency over the last 30 attempts.
If the ping activity indicates that the VPN status has changed (by exceeding a user-definable threshold for the number of consecutive successful or unsuccessful ping requests), the NetScreen device triggers one of the following SNMP traps:
- Up to Down: The state of the VPN tunnel is up, but the ping request has not elicited a response after a specified consecutive number of ping requests.
- Down to Up: The state of the VPN tunnel is down, but the ping request elicits a response.
For this example, we will enable a Manual Key VPN tunnel.
To enable VPN monitoring, perform the following steps:
Open the WebUI. For more information on accessing the WebUI, select your product from the list below:
From the NetScreen options menu, click VPNs, and then click Manual Key.
From one of the existing VPNs, click Edit.
Click Advanced.
Click to select VPN Monitor.
From the Source Interface drop-down menu, select a Source Interface.
Click Return.
