If you're worried about a tunnel connection and/or see missing transactions in your reporting, you may want to monitor tunnel traffic.

There are two main metrics that can be used to monitor a tunnel's state: its "connected" status, and tunnel traffic.
A tunnel's "connected" status:
- Is determined by the existence of an IPSec phase 2 SA corresponding to that tunnel
- Does not guarantee that the peer device has a corresponding SA
- Does not guarantee that there is no outage along the path
- Does not reflect the long-term stability of the tunnel
Tunnel traffic monitoring:
- Looks at actual traffic crossing the IPSec tunnel to determine whether the tunnel is really working
- Guarantees that the tunnel is up, that the peer device has a corresponding SA, that there is no outage along the path, and that some application is working.
- Gives an "early warning" of trouble, but cannot pinpoint the cause of an issue should one arise.

A tunnel's "connected" status can be monitored in the following ways:
- Custom scripts calling the VNS3 API (Page 29 of the API documentation discusses IPsec Status: https://s3.amazonaws.com/cohesive-networks/dnld/Cohesive-Networks_VNS3-4.x-API.pdf)

- SNMP polling of a VNS3 controller (page 42 of the Administration Guide: https://cohesive-networks.s3.amazonaws.com/dnld/Cohesive-Networks_VNS3-4.0-Administration.pdf)

- Cohesive Networks' DataDog container (DataDog container guide: https://s3.amazonaws.com/cohesive-networks/dnld/Cohesive-Networks_VNS3-DataDog-Container-Guide.pdf)
Tunnel traffic can be monitored in the following ways:

- Copying traffic to a container to be processed by a third-party agent such as Snort, Suricata, Zeek, etc.

- Cohesive Networks' DataDog container (DataDog container guide: https://s3.amazonaws.com/cohesive-networks/dnld/Cohesive-Networks_VNS3-DataDog-Container-Guide.pdf)
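The following is an added example, not code from Cohesive Networks or the VNS3 documentation, showing how a custom script can combine the two metrics described above: it records the "connected" flag together with the tunnel's byte counters on each poll and classifies the tunnel from its recent history, so that a tunnel which still reports "connected" but has stopped receiving traffic is flagged as an early warning. The HTTP path, basic-auth scheme and JSON field names used in fetch_sample() are assumptions and must be checked against the VNS3 API documentation before use; the sample history at the bottom is constructed, not real data.

```python
"""Added example: combine VNS3 "connected" status with tunnel traffic deltas.

The HTTP path, auth scheme and JSON field names in fetch_sample() are
ASSUMPTIONS about the VNS3 API and must be verified against the API guide.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass
from typing import List


@dataclass
class TunnelSample:
    connected: bool   # controller reports a phase 2 SA for this tunnel
    rx_bytes: int     # cumulative bytes received over the tunnel
    tx_bytes: int     # cumulative bytes sent over the tunnel


def fetch_sample(base_url: str, user: str, password: str, tunnel_id: str) -> TunnelSample:
    """Poll the controller once.

    ASSUMED (not taken from the VNS3 docs): GET <base_url>/api/ipsec/<tunnel_id>
    with HTTP basic auth returns JSON carrying 'connected', 'rx_bytes' and
    'tx_bytes'.  Adjust the path and field names to match the real API.
    """
    req = urllib.request.Request(f"{base_url}/api/ipsec/{tunnel_id}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_sample(json.load(resp))


def parse_sample(body: dict) -> TunnelSample:
    """Map one (assumed) API response onto a TunnelSample."""
    return TunnelSample(bool(body["connected"]), int(body["rx_bytes"]), int(body["tx_bytes"]))


def assess(samples: List[TunnelSample], window: int = 3) -> str:
    """Classify a tunnel from its most recent `window` polling intervals.

    down     - no phase 2 SA on this side; the status metric alone shows this
    one-way  - SA present but bytes flow in only one direction: the peer may
               have no matching SA or the path may be broken, which are exactly
               the cases the "connected" flag cannot rule out
    idle     - SA present, no traffic either way; nothing to conclude yet
    healthy  - SA present and bytes flow both ways across the window
    restart  - a counter went backwards (tunnel re-established); wait for data
    unknown  - fewer than two connected samples in the window
    """
    if not samples:
        return "unknown"
    if not samples[-1].connected:
        return "down"
    recent = [s for s in samples[-(window + 1):] if s.connected]
    if len(recent) < 2:
        return "unknown"
    rx_delta = recent[-1].rx_bytes - recent[0].rx_bytes
    tx_delta = recent[-1].tx_bytes - recent[0].tx_bytes
    if rx_delta < 0 or tx_delta < 0:
        return "restart"
    if rx_delta > 0 and tx_delta > 0:
        return "healthy"
    if rx_delta > 0 or tx_delta > 0:
        return "one-way"
    return "idle"


# Constructed history for one tunnel polled once a minute (not real data).
# From the fourth sample on, the local side keeps sending but receives nothing.
CONSTRUCTED_HISTORY = [
    TunnelSample(True, 1_000, 2_000),
    TunnelSample(True, 1_500, 2_600),
    TunnelSample(True, 2_100, 3_100),
    TunnelSample(True, 2_100, 3_700),
    TunnelSample(True, 2_100, 4_200),
    TunnelSample(True, 2_100, 4_900),
]


if __name__ == "__main__":
    # Replay the constructed history to show the state changing over time.
    for n in range(1, len(CONSTRUCTED_HISTORY) + 1):
        print(f"after {n} polls: {assess(CONSTRUCTED_HISTORY[:n])}")
```

In a real deployment the script would append the result of fetch_sample() to a per-tunnel history on each poll and alert on "down" or "one-way"; "idle" is deliberately not an alert on its own, because a connected tunnel with nothing to carry looks identical to one whose application has stopped, and the page notes that traffic monitoring cannot pinpoint the cause by itself.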