gueliljko opened this issue 4 years ago
Could you provide the full output of the plugin?
hi,
Please find below the output of the command:
OK: All ipsec tunnels are ok | 'tunnels.ipsec.total.count'=4;;;0; Tunnel ipsec 'IKE-PARIS' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-RENNES' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-TOULOUSE' state: active [monitor status: off][ike phase1 state: up] Tunnel ipsec 'IKE-MARSEILLE' state: active [monitor status: off][ike phase1 state: up]
But another command exists in Palo Alto to show IKE phase 1 and phase 2 and more information, like the Established and Expiration times of the tunnel; this command is show vpn ike-sa gateway "name of gateway". I tried to add the output, but when I paste the result in the form it's truncated, so please find attached a sample of the result: TUNNEL.txt
Could you provide the following results from an ssh session:
set cli op-command-xml-output on
show vpn ike-sa
show vpn ipsec-sa
show vpn flow
Hi, please find attached the results for the commands: show vpn ike-sa.txt, show vpn ipsec-sa.txt, show vpn flow.txt
Regards
I have followed that documentation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVGCA0
From the documentation, to check if the phase 2 IPsec tunnel is up:
show vpn ipsec-sa
Then, to check encryption and decryption (encap/decap) across the tunnel:
show vpn flow
If there is no phase 2 IPsec tunnel, you'll get 'state' = 'unknown'.
Anyway, I will add an option to filter tunnels.
Could you test it?
Hi
Thanks for your reply, it's working. Regards
Thanks for the feedback!
Hi,
for me the results are not valid. I have configured 22 VPN connections on one Palo Alto. Of these 22 VPNs, 9 are actually up and healthy. The rest are still in rollout.
So I assumed that the output would be an alert, because only 9 out of 22 VPNs are UP. But this is the output I get: OK: All ipsec tunnels are ok | 'tunnels.ipsec.total.count'=9;;;0;
Maybe this is because the command "show vpn ike-sa" shows only VPNs with state UP. To get all VPNs you can use "show vpn flow". This also shows SAs where "mon" is "down".
Is it possible for you to fix this?
For me it is the same:
show vpn flow
returns this response:
Hello :)
I've re-opened this issue. Can you explain your issue to us as precisely as possible, and whether you have an idea how we can handle it?
If I understand @mikedo01's comment correctly, at this moment we use this command:
show vpn ike-sa
which only shows the VPNs with state UP,
and you need to see all configured VPNs, which can be checked with the command show vpn flow?
Thank you @lucie-dubrunfaut, I think the correct way is that all IPsec VPNs which are listed by show vpn flow
should be checked.
If show vpn ike-sa gateway GATEWAYNAME
gives no output, it means that the IKE negotiation has failed.
If show vpn ipsec-sa tunnel TUNNELNAME
gives as output
<error>IPSec SA for tunnel TUNNELNAME not found.</error>
it means the IPSEC tunnel is down.
I have taken a look at the current version of the mode:
First the mode runs command => 'show vpn ike-sa'
and then loops on the result. If no result has been found (there is a filter on filter-name
if it has been defined), then it runs two new commands (and parses their results): command => 'show vpn ipsec-sa'
and then command => 'show vpn flow'
In your case you want to trigger the command => 'show vpn flow'
even if command => 'show vpn ike-sa'
gives a result, am I right?
The goal is to check which IPsec VPNs are down, so it seems correct to me to first list them (command => 'show vpn flow'),
then understand which IKE negotiations are up and which are down (command => 'show vpn ike-sa gateway GATEWAYNAME'),
and finally understand which IPSEC tunnels are up and which are down (command => 'show vpn ipsec-sa tunnel TUNNELNAME').
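An added example (not the plugin's code, nor anything posted by the commenters) that implements the three-step check described in this comment in Python: take the tunnels listed by `show vpn flow`, check IKE per gateway, then IPsec per tunnel, and apply a filter-name / critical-total rule like the one used later in the thread. The executor, gateway names and every non-error command output are constructed placeholders; only the `<error>... not found.</error>` text comes from the thread.

```python
import re
from typing import Callable, Dict

# Marker the firewall returns when no IPsec SA exists for a tunnel (quoted in the issue).
NOT_FOUND = re.compile(r"<error>IPSec SA for tunnel (\S+) not found\.</error>")

def tunnel_states(tunnels: Dict[str, str], run: Callable[[str], str]) -> Dict[str, str]:
    """tunnels maps tunnel name -> IKE gateway name (as listed by 'show vpn flow').
    run() executes one CLI command and returns its raw text output.
    Returns 'ike-down', 'ipsec-down' or 'up' per tunnel, following the order in the comment."""
    states = {}
    for tunnel, gateway in tunnels.items():
        # Step 1: empty 'show vpn ike-sa gateway X' output means phase 1 (IKE) failed.
        if not run(f'show vpn ike-sa gateway "{gateway}"').strip():
            states[tunnel] = "ike-down"
            continue
        # Step 2: the 'not found' error from 'show vpn ipsec-sa tunnel X' means phase 2 is down.
        m = NOT_FOUND.search(run(f'show vpn ipsec-sa tunnel "{tunnel}"'))
        states[tunnel] = "ipsec-down" if m and m.group(1) == tunnel else "up"
    return states

def evaluate(states: Dict[str, str], critical_total_min: int, filter_name: str = "") -> str:
    """Mimic '--filter-name NAME --critical-ipsec-total MIN:': critical when fewer than MIN
    matching tunnels are up, or when a filtered tunnel is not in the configured list at all."""
    selected = {n: s for n, s in states.items() if filter_name in n}
    if filter_name and not selected:
        return f"CRITICAL: tunnel matching '{filter_name}' not configured"
    up = sum(1 for s in selected.values() if s == "up")
    down = [f"{n} ({s})" for n, s in selected.items() if s != "up"]
    if up < critical_total_min:
        return f"CRITICAL: {up} tunnel(s) up, down: {', '.join(down)}"
    return f"OK: all tunnels ok | 'tunnels.ipsec.total.count'={up};;;0;"

# Constructed sample: a fake executor returning canned text for three hypothetical tunnels.
# The non-error lines are placeholders, not real PAN-OS output.
SAMPLE = {
    'show vpn ike-sa gateway "GW-PARIS"': "gateway GW-PARIS phase1 up",
    'show vpn ike-sa gateway "GW-RENNES"': "",  # no output: IKE negotiation failed
    'show vpn ike-sa gateway "GW-LYON"': "gateway GW-LYON phase1 up",
    'show vpn ipsec-sa tunnel "IKE-PARIS"': "tunnel IKE-PARIS sa established",
    'show vpn ipsec-sa tunnel "IKE-LYON"': "<error>IPSec SA for tunnel IKE-LYON not found.</error>",
}
CONFIGURED = {"IKE-PARIS": "GW-PARIS", "IKE-RENNES": "GW-RENNES", "IKE-LYON": "GW-LYON"}

if __name__ == "__main__":
    st = tunnel_states(CONFIGURED, lambda cmd: SAMPLE.get(cmd, ""))
    print(st)
    print(evaluate(st, 3))               # critical: only 1 of 3 up
    print(evaluate(st, 1, "IKE-PARIS"))  # OK for the filtered tunnel
```

Because a tunnel absent from the `show vpn flow` list never reaches the IKE or IPsec checks, the filter-name branch is what turns a missing tunnel into a CRITICAL instead of a silent OK.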
Ok, I understand, thank you for the explanation :) Do you think you can provide us some data to help us troubleshoot this issue? This may help us get into conditions closest to yours. Something like what had been asked here previously:
set cli op-command-xml-output on
show vpn ike-sa
show vpn ipsec-sa
show vpn flow
You can anonymize whatever needs to be.
See the attached files: show vpn flow.txt, show vpn ipsec-sa.txt, show vpn ike-sa.txt
Just to inform you that we have changed the check method to use it on time:
/bin/sh -c '/usr/lib/centreon/plugins/centreon_paloalto_ssh.pl --mode ipsec --hostname MYIP --ssh-username=MYUSER --ssh-password=MYPWD --ssh-backend=libssh --verbose --filter-name MYTUNNELNAME --critical-ipsec-total 1:'
This also matches ike-sa down.
Hi,
I want to know if it's possible to add a new feature to the IPSEC mode. In fact the plugin is working, but it displays only the currently active tunnels with phase 1, and if a tunnel is not up it doesn't trigger an alert.
Do you think it's possible to put a filter on the name of the tunnel, so that if the tunnel is not present it will trigger a critical alert?
Regards