Noob VPN monitoring question.

Post by GreyBeardGator »

Please be patient with me as I am a noobie to Linux and Nagios. I have managed to install the Nagios server and successfully monitor 60+ Windows servers for disk space, etc. Now my boss wants to be able to monitor the host to host connectivity through our network of vpns. We have 50+ vpns to other vendors with various remote vpn terminating equipment so the vpn state monitoring varies vpn to vpn. These are all Windows to Windows host vpns. I can't do a host alive check from my Nagios server because it isn't defined as a host in any of the vpns and I cannot add it to the vpns. I also cannot install anything on the remote vendor servers.

What I'd like to do is run a batch program or script on my local Windows servers that pings the vpn associated remote hosts and use passive checks from the local server to monitor the vpn state. After searching the documentation available all I can say is My Brain Hurts! Confusion reigns supreme!

Can anyone out there point me in the correct direction and help cut through the noise?

Re: Noob VPN monitoring question.

Post by hsmith »

What method are you using to monitor your Windows machines currently?
Former Nagios Employee.
me.

Re: Noob VPN monitoring question.

Post by GreyBeardGator »

NSClient++ utilizing check_nt. Really basic. I know I'll probably have to go to check_nrpe or NSCA.

Re: Noob VPN monitoring question.

Post by rkennedy »

It will vary depending on the VPN connection. Do they use web interfaces specifically running for the VPN protocol? check_http will work in that case.

For a wide array of different options you can check out the exchange for program specific VPN monitoring options.

https://exchange.nagios.org/
Former Nagios Employee

Re: Noob VPN monitoring question.

Post by GreyBeardGator »

These are Windows hosts connected via site to site IPsec tunnels. They are running application specific protocols and usually not web interfaces. Some client server applications but mostly server to server communications.

Re: Noob VPN monitoring question.

Post by Box293 »

Let me get some more information from you:
GreyBeardGator wrote: Now my boss wants to be able to monitor the host to host connectivity through our network of vpns. We have 50+ vpns to other vendors with various remote vpn terminating equipment so the vpn state monitoring varies vpn to vpn. These are all Windows to Windows host vpns. I can't do a host alive check from my Nagios server because it isn't defined as a host in any of the vpns and I cannot add it to the vpns. I also cannot install anything on the remote vendor servers.

Can you explain Windows to Windows host vpns in more detail? I assume you have a Windows PC at your end and another Windows PC at the client end and the Windows Operating System keeps a VPN alive?

Does the Windows PC at your end have the ability to ping the Windows PC at the other end?

Re: Noob VPN monitoring question.

Post by GreyBeardGator »

These are site-to-site IPSEC VPNs where the tunnels are built from vpn concentrator to vpn concentrator (firewall to firewall) over the Internet. The allowed tunnel traffic is defined by the routing/policies of the associated vpn devices. Generally speaking, this means that the allowed traffic is from Host A (/32) to Host B (/32) since neither party wants to expose any more of their network than necessary. I cannot ping across the vpn from my Nagios server because it is not defined in the vpn routing/policy. I would have to contact each vendor and negotiate with them the addition of my Nagios Server ip address to their vpn tunnel. Not gonna happen. The vast majority of my VPNs allow ping from Host A to Host B so having my Host continuously ping their Host and report to my Nagios server via passive_checks should do what I want. I've got years of experience at Layer 3 and below but am really new to programming (Windows and Linux). If someone can point me toward some links that explain what I'm trying to do I believe that I can figure it out by reverse engineering and understanding the commands.

I guess my confusion right now is how to write a Windows script that will run the pings and provide an output to NSClient++ to hand off to Nagios. Thanks in advance for any pointers.

Re: Noob VPN monitoring question.

Post by hsmith »

Inside of your NSClient folder, there should be a folder named scripts. Inside of that folder, there should be a script named check_ping.bat.

If you modify your nsc/nsclient.ini to add/change the following, I believe we can easily achieve what you're looking to do.

Add:

Code:

[/settings/external scripts]
allow arguments = true

Code:

[/settings/external scripts/scripts]
check_ping=scripts\check_ping.bat $ARG1$

Change (maybe):

Code:

; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 0

to

Code:

; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 1

Now, from your XI command line, you should be able to do something like this:

Code:

[root@xi libexec]# ./check_nrpe -H 192.168.5.229 -c check_ping -a 8.8.8.8
OK: Ping succeded
[root@xi libexec]# ./check_nrpe -H 192.168.5.229 -c check_ping -a 8.8.8
CHECK_NRPE: Socket timeout after 10 seconds.

Let me know if I missed anything, or if this is unclear.


In case you don't have check_ping.bat:

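Code:

@echo off
rem Send one echo request to the address in %1 and wait up to 20000 ms for a reply.
ping -n 1 %1 -w 20000 >NUL
IF ERRORLEVEL 2 GOTO unknown
IF ERRORLEVEL 1 GOTO err
GOTO ok

:err
echo CRITICAL: Ping check failed
rem Exit code 2 is CRITICAL in the Nagios plugin convention (1 would be WARNING).
exit /B 2

:unknown
echo UNKNOWN: Something went wrong
exit /B 3

:ok
echo OK: Ping succeded
exit /B 0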
Former Nagios Employee.
me.
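
Added example, not part of hsmith's post or of NSClient++: a PowerShell variant of the ping check that validates its argument as a dotted-quad IPv4 address before using it, which matters once allow arguments = true lets the caller of check_nrpe choose the target. The script name, the parameter names and the 3-ping / 2000 ms defaults are assumptions, picked so the worst case (about 6 s) finishes inside the 10-second check_nrpe timeout shown in the session above.

```powershell
# check_vpn_ping.ps1 (hypothetical name) - added example, not from the thread.
# Pings one VPN peer and reports in Nagios plugin format.
# Exit codes: 0 = OK, 2 = CRITICAL, 3 = UNKNOWN.
param(
    [string]$Target,
    [ValidateRange(1, 4)][int]$Count = 3,
    [ValidateRange(100, 2000)][int]$TimeoutMs = 2000
)

# Accept only a full dotted-quad IPv4 literal. Anything else (host names,
# shell metacharacters, short forms such as 8.8.8) is refused before it
# reaches the network stack or a command line.
$octet = '(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)'
if ($Target -notmatch "^$octet(\.$octet){3}$") {
    Write-Output "UNKNOWN: target is not a valid IPv4 address"
    exit 3
}

$ping    = New-Object System.Net.NetworkInformation.Ping
$replies = 0
$rttSum  = 0
for ($i = 0; $i -lt $Count; $i++) {
    try {
        $reply = $ping.Send($Target, $TimeoutMs)
        if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) {
            $replies++
            $rttSum += $reply.RoundtripTime
        }
    } catch {
        # A PingException (for example, no route to the peer) counts as a lost reply.
    }
}
$ping.Dispose()

# Packet loss in percent, reported as Nagios performance data after the "|".
$loss = [int](100 * ($Count - $replies) / $Count)
if ($replies -eq 0) {
    Write-Output "CRITICAL: no reply from $Target | loss=$loss%;;;0;100"
    exit 2
}

$avg = [int]($rttSum / $replies)
Write-Output "OK: $replies/$Count replies from $Target, avg ${avg}ms | loss=$loss%;;;0;100 rta=${avg}ms"
exit 0
```

If each VPN peer gets its own entry under [/settings/external scripts/scripts] with the address written into the command line, no argument has to come from the network and allow arguments can stay off.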

Re: Noob VPN monitoring question.

Post by Box293 »

To extend on what @hsmith has said, here is a guide I wrote that explains some of this in more detail:

http://sites.box293.com/nagios/guides/n ... le-hopping

Let us know if any of this helps.

Re: Noob VPN monitoring question.

Post by GreyBeardGator »

Thanks for the info. I've been pulled off on another "hot" project but will get back to this next week. I'll let you know how this works out.