
Help: Monitoring state of ipsec tunnels

Open peter-funktionIT opened this issue 3 years ago • 3 comments

Just a question, I tried to be smart and monitor the state of our IPSEC tunnels and warn if they go down. So I have this in our alertmanager: fortigate_ipsec_tunnel_up != 1

However, this triggers constantly since apparently the tunnels go down when there is no traffic going through them. I thought of writing an alert that verifies traffic in the tunnel and only alerts if the tunnel goes down and there was recent traffic.

But when verifying one tunnel that goes up and down there seems to be no traffic going through it at all, at least according to fortigate_ipsec_tunnel_receive_bytes_total and fortigate_ipsec_tunnel_transmit_bytes_total. They are both at zero.

So my question boils down to: how can I properly alert for when an IPSEC tunnel goes down?

peter-funktionIT, Feb 15 '22 15:02

It's a good question. Maybe you need to configure some link monitor/measurement over the tunnel?

bluecmd, Aug 07 '22 06:08

You can configure your VPN tunnels to always stay up with keepalive enable and auto-negotiate enable, see:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536

jantari, Aug 15 '23 15:08

> Just a question, I tried to be smart and monitor the state of our IPSEC tunnels and warn if they go down. So I have this in our alertmanager: fortigate_ipsec_tunnel_up != 1
>
> However, this triggers constantly since apparently the tunnels go down when there is no traffic going through them. I thought of writing an alert that verifies traffic in the tunnel and only alerts if the tunnel goes down and there was recent traffic.
>
> But when verifying one tunnel that goes up and down there seems to be no traffic going through it at all, at least according to fortigate_ipsec_tunnel_receive_bytes_total and fortigate_ipsec_tunnel_transmit_bytes_total. They are both at zero.
>
> So my question boils down to: how can I properly alert for when an IPSEC tunnel goes down?

I'd also consider enabling dead-peer detection, I have hundreds of IPSEC tunnels monitored with the metric from the exporter and it's been flawless so far :)

lazyb0nes, Oct 19 '23 20:10
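The two approaches discussed in this thread (gating the alert on recent traffic so idle tunnels stay silent, and a plain "down for a while" alert for tunnels kept up by keepalive/auto-negotiate or DPD) as a Prometheus rule file. This is an added example, not part of the issue or of fortigate_exporter itself; it assumes the `fortigate_ipsec_tunnel_*` series share the `vdom` and `name` labels, and the window and `for` durations are placeholders to tune.

```yaml
groups:
  - name: fortigate-ipsec
    rules:
      # Tunnel is down but carried traffic within the last hour: this is the
      # OP's idea. Tunnels that the FortiGate tore down for lack of traffic
      # have flat byte counters, so the right-hand side yields no series for
      # them and the "and" leaves them silent. Label matching on vdom/name is
      # assumed; adjust on(...) if your exporter version labels differently.
      - alert: FortigateIpsecTunnelDownAfterTraffic
        expr: |
          fortigate_ipsec_tunnel_up == 0
          and on(vdom, name)
          (
            increase(fortigate_ipsec_tunnel_receive_bytes_total[1h]) > 0
            or
            increase(fortigate_ipsec_tunnel_transmit_bytes_total[1h]) > 0
          )
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "IPsec tunnel {{ $labels.name }} (vdom {{ $labels.vdom }}) is down"
          description: >-
            The tunnel passed traffic in the last hour and has now been down
            for 5 minutes, so this is not an idle tear-down.

      # Once a tunnel is configured to stay up (keepalive + auto-negotiate,
      # or DPD as suggested in the thread), "down" means down, so a simple
      # duration-based rule is enough. Keep the "for" longer than the time
      # the peer needs to re-negotiate after a brief outage.
      - alert: FortigateIpsecTunnelDown
        expr: fortigate_ipsec_tunnel_up == 0
        for: 15m
        labels:
          severity: critical
        annotations:
          summary: "IPsec tunnel {{ $labels.name }} (vdom {{ $labels.vdom }}) down for 15m"
          description: >-
            If this fires on a tunnel that is expected to be idle, enable
            keepalive/auto-negotiate or DPD on the FortiGate side rather than
            silencing the alert.
```

Check the rule file with `promtool check rules <file>` before loading it; a label-name mismatch in `on(...)` will not be a syntax error, it will just make the first alert never fire.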