garnier-quentin
commented
3 years ago Could you provide the full output of the plugin ?
Open gueliljko opened 3 years ago
garnier-quentin
commented
3 years ago Could you provide the full output of the plugin ?
gueliljko
commented
3 years ago hi,
Please find below the output of the command:
OK: All ipsec tunnels are ok | 'tunnels.ipsec.total.count'=4;;;0; Tunnel ipsec 'IKE-PARIS' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-RENNES' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-TOULOUSE' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-MARSEILLE' state: active [monitor status: off][ike phase1 state: up]
But another command exist in Palo to show IKE phase1 and Phase 2 and more information like the Established and Expiration of the tunnel , this command is show vpn ike-sa gateway "name of gateway", i try to add the output but when a paste the result in the form it's trunked, so please in attachment a sample of the result. TUNNEL.txt
garnier-quentin
commented
3 years ago Could you provide following results on ssh session
set cli op-command-xml-output on
show vpn ike-sa
show vpn ipsec-sa
show vpn flowHi, Please find in attachment the result for the commands show vpn ike-sa.txt show vpn ipsec-sa.txt show vpn flow.txt
Regards
garnier-quentin
commented
3 years ago I have followed that documentation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0
From documentation, to check if phase 2 ipsec tunnel is up:
show vpn ipsec-sa
If after, we check Encryption and Decryption (encap/decap) across tunnel:
show vpn flow
If there is no phase 2 ipsec tunnel, you'll get 'state' = 'unknown'.
Anyway, i will add a option to filter tunnels.
garnier-quentin
commented
3 years ago Could you test it ?
gueliljko
commented
3 years ago Hi
Thanks for your return it's working. Regards
garnier-quentin
commented
3 years ago Thanks for the feedback!
mikedo01
commented
1 year ago Hi,
for me the results are not valid. I have configured 22 VPN connections on one Palo Alto. Of this 22 VPNs are actually 9 VPNs Up and healthy. The rest is still in rollout.
So i assumed that the output will be an Alert, because only 9 out of 22 VPNs are UP. But this is the output i get: OK: All ipsec tunnels are ok | 'tunnels.ipsec.total.count'=9;;;0;
Maybe this is because the command "show vpn ike-sa" shows only VPNs with state UP. To get all VPNs you can use "show vpn flow". This shows also SAs whre "mon" is "down".
Is it possible for you to fix this?
tizianosartori
commented
6 days ago Is it possible for you to fix this?
For me is the same
show vpn flow
return this response:
`
lucie-dubrunfaut
commented
6 days ago Hello :)
I've re-open this issue. Can you explain us the most most precisely your issue and if you have an idea how we can handle it?
If I understand well @mikedo01 comment, a this moment we use this command:
show vpn ike-sa which only show the VPN with state UP
and you need to see all configured VPN which can be checked with the command show vpn flow ?
tizianosartori
commented
6 days ago Thank you @lucie-dubrunfaut, i think the correct way is that all ipsec VPNs which are listed by show vpn flow should be checked.
If show vpn ike-sa gateway GATEWAYNAME gives no output it means that the IKE negotiation has failed
If show vpn ipsec-sa tunnel TUNNELNAME as output
<error>IPSec SA for tunnel TUNNELNAME not found.</error>
it means the IPSEC tunnel is down
lucie-dubrunfaut
commented
6 days ago I had take a look at the current version of the mode :
First the mode checks command => 'show vpn ike-sa'and then loop on the result. If no result had been found (there is a filter in filter-name if it had been defined) then it check two new commands (and resultats) : command => 'show vpn ipsec-sa'and then command => 'show vpn flow'
In your case you wan to trigger the command => 'show vpn flow' even if command => 'show vpn ike-sa' give result am I right?
tizianosartori
commented
6 days ago The goal is to check which IPsec VPNs are down so it seems correct to me to first list them (command => 'show vpn flow'), then understand which IKE negotiations are up and which are down (command => 'show vpn ike-sa gateway GATEWAYNAME') and finally understand which IPSEC tunnels are up and which are down (command => 'show vpn ipsec-sa tunnel TUNNELNAME')
lucie-dubrunfaut
commented
6 days ago Ok I understand, thank you for the explanation :) Do you think you can provide us some data to help us troubleshooting this issue? This may help us to be in the conditions closest to yours. Something like it had been ask here previously :
set cli op-command-xml-output on
show vpn ike-sa
show vpn ipsec-sa
show vpn flowYou can anonymized what is needed to be.
tizianosartori
commented
5 days ago See the attached files show vpn flow.txt show vpn ipsec-sa.txt show vpn ike-sa.txt
tizianosartori
commented
5 days ago Just to inform you that we have changed the check method to use it on time:
/bin/sh -c '/usr/lib/centreon/plugins/centreon_paloalto_ssh.pl --mode ipsec --hostname MYIP --ssh-username=MYUSER --ssh-password=MYPWD --ssh-backend=libssh --verbose --filter-name MYTUNNELNAME --critical-ipsec-total 1:'
This match also ike-sa down
Hi,
I want to know if it's possible to have a add a new feature with the mode IPSEC, infact the plugin is working but it displays only active current tunnel withnthe phase 1 and if the tunnel is not up it doesn't trig an alert.
Do you think it's possible to put a filter on the name of the tunnel and if the tunnel is not present it will trig critical alerte.
Regards