False alert: VPN Tunnel(s) down

All VPN sites were reported as down by Indeni, stating they were all down for a timespan of 15 minutes each. These VPNs were not down, and there were no reports from remote office personnel of any issues either.


This occurred within an hour, possibly less, of upgrading to:

indeni-collector 6.0.20.196

indeni-ds 6.0.10.106

indeni-server 6.0.20.196

indeni-tools 1.0.1.38

Interesting! Were the VPNs that showed down reported from just one device? Was the alert headline "VPN Tunnel(s) down"? If so, it looks like there is one of two possible rules that could have been invoked. I suspect it is the latter one because it indicates that an alert will be issued if the timespan is 15 minutes, like what you mentioned.

"If a VPN tunnel is down for at least this amount of time, an alert will be issued.",
    UIType.TIMESPAN,
    TimeSpan.fromMinutes(15))


PermanentOrMonitoredVpnTunnelIsDownRule.scala

VpnTunnelIsDownRule.scala


So the next step would be to look at the .ind script and see how the metric is being generated. Does the logic make sense or is there a special scenario that was missed? Take a look at the script and see if there is anything you can piece together: show-vpn-flow.ind





Hi Brad!


Let me ask some follow-up questions:

1. Did the tunnels go down and stay down, or did they go down, and then the alert resolved?

2. Did it repeat?

3. What kind of tunnels do you have? (permanent, non-permanent, star topology or mesh)

4. Was the issue only for one gateway or all gateways monitored?

5. Is this issue still happening now?