Permanent/Monitored VPN tunnel(s) down-juniper-junos

error
health-checks
junos
juniper
Permanent/Monitored VPN tunnel(s) down-juniper-junos
0

#1

Permanent/Monitored VPN tunnel(s) down-juniper-junos

Vendor: juniper

OS: junos

Description:
Some VPN tunnels are set to be permanent, or monitored, to ensure they are always up. indeni will trigger an issue if such VPN tunnels are down.

Remediation Steps:
Review the cause for the tunnels being down.
|||1. Areas to to check for possible root cause:
| a. is the remote peer up or down?
| b. verify that Phase I and Phase II configuration match on both ends
| c. is policy in place to allow traffic?
| d. NAT issues
| e. encryption domain
| f. routes
| g. firewall logs.
|2. Consider enabling debugging for the detailed information. |
|3. Review this article on Juniper tech support site: How to troubleshoot a VPN tunnel that is down or not active

How does this work?
The script runs “show configuration security ike, show configuration security ipsec, show security ipsec inactive-tunnels, show security ipsec security-associations brief” to retrieve IPSec VPN related information.

Why is this important?
The IPSec VPN state can indicate whether the IPSec VPN has been correctly configured and whether the VPN is up or down.

Without Indeni how would you find this?
An administrator won’t find the VPN being down until the users report issues. “show security ipsec inactive-tunnels, show security ipsec security-associations brief” will show the VPN status.

junos-show-security-ipsec

#! META
name: junos-show-security-ipsec
description: Retrieve VPN/ipsec information
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: juniper
    os.name: junos
    product: firewall

#! COMMENTS
vpn-tunnel-state:
    why: |
        The IPSec VPN state can indicate whether the IPSec VPN has been correctly configured and whether the VPN is up or down.
    how: |
        The script runs "show configuration security ike, show configuration security ipsec, show security ipsec inactive-tunnels, show security ipsec security-associations brief" to retrieve IPSec VPN related information.
    without-indeni: |
        An administrator won't find the VPN being down until the users report issues. "show security ipsec inactive-tunnels, show security ipsec security-associations brief" will show the VPN status. 
    can-with-snmp: false 
    can-with-syslog: false 
    vendor-provided-management: |
        The command line can provide the same information

#! REMOTE::SSH
show configuration security ike
show configuration security ipsec
show security ipsec security-associations brief 

#! PARSER::AWK
#####
# We first get the IKE gateways - so we can translate gateway name to IP
#####

#gateway srx220 {
/^gateway .* \{$/ {
    ikeGatewayName = $2
    inIkeGateway = "true"
}

#    address 192.168.1.20;
/^\s+address [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3};/ {
    ipAddress = $2
    sub(/;/, "", ipAddress)

    if (inIkeGateway == "true") {
        gatewaysIP[ikeGatewayName] = ipAddress
        gatewaysMonitored[ikeGatewayName] = "false"
        gatewaysState[ikeGatewayName] = "0"
    }
}

#}
/^}$/ {
    inIkeGateway = "false"
}

######
# Parsing of ipsec, matching to IKE data.
######

#vpn ipsec-vpn-cfgr {
/vpn .* \{/ {
    inVpnIPsec = "true"
}

#vpn-monitor-options
/\s+vpn-monitor/ {
    vpnMonitorEnabled = "true"
}

#        gateway ike-gate-cfgr;
/\s+gateway \S+;/ {
    ikeGatewayRef = $2
    sub(/;/, "", ikeGatewayRef)
}

#}
/^}$/ {
    if (inVpnIPsec == "true" && vpnMonitorEnabled == "true") {
        gatewaysMonitored[ikeGatewayRef] = "true"
    }
    vpnMonitorEnabled = "false"
    inVpnIPsec = "false"
}

#####
# Parsing actual Phasee II tunnel status
#####
# <2    ESP:3des/md5    e12196b8 68188/unlim   -   root 500   128.208.90.2
# >2    ESP:3des/md5    9dfde7c2 68188/unlim   -   root 500   128.208.90.2
/(500\s+)[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ {
    peer = $(NF)
    for (gw in gatewaysIP){
         if ( gatewaysIP[gw] == peer ) {
             gatewaysState[gw] = "1" 
         }
    }  
}

END { 
    for (vpnPeer in gatewaysIP) {
        state = gatewaysState[vpnPeer]
        vpntags["name"] = "gateway " vpnPeer 
        vpntags["peerip"] = gatewaysIP[vpnPeer] 
        vpntags["always-on"] = gatewaysMonitored[vpnPeer]

        writeDoubleMetricWithLiveConfig("vpn-tunnel-state", vpntags, "gauge", 300, state, "VPN Tunnels - State", "state", "name")
    }
}


cross_vendor_permanent_tunnel_down

package com.indeni.server.rules.library

import com.indeni.ruleengine.expressions.conditions.{And, Equals}
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, SelectTimeSeriesExpression, TimeSeriesExpression}
import com.indeni.ruleengine.expressions.scope.ScopeValueExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.rules._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity


case class PermanentOrMonitoredVpnTunnelIsDownRule() extends PerDeviceRule with RuleHelper {

  override val metadata: RuleMetadata = RuleMetadata.builder("cross_vendor_permanent_tunnel_down", "Firewall Devices: Permanent/Monitored VPN tunnel(s) down",
    "Some VPN tunnels are set to be permanent, or monitored, to ensure they are always up. indeni will trigger an issue if such VPN tunnels are down.", AlertSeverity.ERROR).build()

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("vpn-tunnel-state").last
    val alwaysOn = ScopeValueExpression("always-on").visible().asString().noneable

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      // What constitutes an issue
      StatusTreeExpression(

        // The additional tags we care about (we'll be including this in alert data)
        SelectTagsExpression(context.tsDao, Set("peerip", "name", "always-on"), True, Set("remote-peer-name")),

        // The case here is different compared to VpnTunnelIsDownRule, because we only take
        // the tunnels which are always on
        StatusTreeExpression(
          SelectTimeSeriesExpression[Double](context.tsDao, Set("vpn-tunnel-state"), denseOnly = false),
          And(
            Equals(actualValue, ConstantExpression(Some(0.0))),
            Equals(alwaysOn, ConstantExpression(Some("true")))
          )

          // The Alert Item to add for this specific item
        ).withSecondaryInfo(
          scopableStringFormatExpression("${scope(\"name\")} (${scope(\"peerip\")} - ${scope(\":remote-peer-name\")})"),
          scopableStringFormatExpression("This tunnel is down even though it is set to be always up."),
          title = "VPN Tunnels Affected"
        ).asCondition()
      ).withoutInfo().asCondition()

      // Details of the alert itself
    ).withRootInfo(
      getHeadline(),
      ConstantExpression("One or more VPN tunnels which should remain up is now down."),
      ConditionalRemediationSteps("Review the cause for the tunnels being down.",
        ConditionalRemediationSteps.VENDOR_JUNIPER ->
          """|1. Areas to to check for possible root cause:
             | a. is the remote peer up or down?
             | b. verify that Phase I and Phase II configuration match on both ends
             | c. is policy in place to allow traffic?
             | d. NAT issues
             | e. encryption domain
             | f. routes
             | g. firewall logs.
             |2. Consider enabling debugging for the detailed information.             |
             |3. Review this article on Juniper tech support site: <a target="_blank" href="https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&actp=METADATA">How to troubleshoot a VPN tunnel that is down or not active</a>""".stripMargin
      )
    )
  }
}