Software-defined WAN (SD-WAN) is a suite of features designed to provide robust connectivity and optimize the quality and availability of critical network services like VoIP. To understand Dynamic Path Selection decisions, and to aid in creating and tuning performance rules, it is important to understand the connectivity metrics of the AutoVPN tunnels.
Monitoring is available from the VPN status page. To view AutoVPN tunnel metrics between two AutoVPN peers, navigate to Organization > Monitor > VPN Status, or to the Security Appliance > Monitor > VPN Status tab.
The Organization-level VPN Status page will display all sites configured for AutoVPN in the organization. From this page, click the network you wish to view. Selecting the link from the Security Appliance tab will provide VPN status information for the current network.
From an individual network, clicking on the row entry for a site-to-site VPN peer will display VPN statistics between the current network and that remote VPN peer.
It is also possible to view the per-peer-pair AutoVPN tunnel monitoring statistics from the Uplink Decision entry in the Uplink decisions table.
Using the Page
An SD-WAN-enabled MX will form concurrently active AutoVPN tunnels across both of its uplinks to each of its individual AutoVPN peers' uplinks. The per-peer AutoVPN monitoring information provides data on each tunnel formed between the two MXs. This can be two tunnels, as with a branch location with dual WAN uplinks connecting to a one-armed VPN concentrator in the datacenter, or four tunnels in the case of two MX VPN peers with dual WAN uplinks.
Currently, per-peer-pair AutoVPN tunnel monitoring information is only available for MX appliances with dual WAN uplinks. In a hub & spoke deployment using an MX serving as a one-armed VPN concentrator as the VPN hub, monitoring must be done from the perspective of the spoke sites.
The per-peer-pair AutoVPN tunnel monitoring page contains 3 main components: the navigation pane, the view summary, and the statistics. These are described in more detail below.
The navigation pane allows you to change the scope of tunnel statistics being viewed. You can toggle the data displayed between only showing data for Uplink 1 (the Internet 1 port), only showing data for Uplink 2 (the Internet 2 port), and viewing data for All uplinks.
Additionally, the navigation pane allows you to select the time range that data should be displayed for: the past 2 hours, the past day, the past week, and the past month.
The view summary provides context about the VPN statistics being viewed.
The top of the view summary panel displays the pair of MX VPN peers for which data is being viewed. The first MX listed represents the site reporting the data in the statistics panel. The second indicates the MX VPN peer these statistics are relative to.
In this example, VPN performance statistics are being gathered by the MX appliance in the San Francisco dashboard network. Statistics are displayed for all VPN connections from the San Francisco appliance to the Sydney appliance.
The amount of loss, latency, and jitter observed by an appliance will likely vary based on the geographical location and quality of WAN connection of its VPN peer. In the case of the San Francisco appliance, the VPN performance statistics would likely be different between a site-to-site VPN peer local to San Francisco, an appliance deployed in Sydney, and another deployed elsewhere. Consequently, statistics are available per VPN peer pairing.
The view summary also lists any custom performance classes that have been defined in the Security Appliance > Configuration > Traffic Shaping page.
Hovering over a particular custom performance class will provide color highlighting over the graphs to provide an at-a-glance indication of how the VPN tunnels performed in relation to the performance classes defined on the MX.
VPN peer statistics are graphed in blue. Hovering over a custom performance class casts a light green overlay on the statistics. In this example, no VPN connections over the Branch - Sydney MX's uplink 1 satisfied the "Phone test" performance class in the past two hours. While jitter and loss are within the configured thresholds, the plots for latency exceed the performance threshold specified.
Statistics are discussed more in the section below.
The configured VPN flow preferences are also listed in the view summary for reference. Preferences can be configured and modified from the Security Appliance > Configuration > Traffic Shaping page.
For the selected uplink and time range (specified from the navigation pane), latency, jitter, loss, and MOS score metrics are provided. For each metric, the average, minimum detected value, and maximum detected value are also presented. The average, minimum, and maximum values are calculated using data in the specified time range.
VPN statistics are represented based on uplink pairings. The first column displays the VPN tunnel performance information for VPN connections using Branch - Sydney appliance's uplink 2 (WAN 2) and the Branch - London appliance's uplink 1 (WAN 1). The second column shows performance information for VPN connections using Branch - Sydney appliance's uplink 2 (WAN 2) and the Branch - London appliance's uplink 2 (WAN 2).
There may be some variance in statistics based on the remote VPN peer's uplink. In some cases this may be due to differences in service provided for the uplinks or other WAN conditions. In the example above we can see that the Branch - Sydney appliance has a better overall VPN connection using its second uplink to the Branch - London appliance's first uplink.
Hovering over a point on one of the graphs will display the timestamp and value for each tracked metric, at that point in time. This allows a quick assessment of all tracked metrics for a point in time.
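The following added example (not Meraki code, and not how the dashboard itself is implemented) reproduces the page's reading of the statistics offline: it enumerates the uplink pairings, computes the average, minimum, and maximum per metric, and reports which metrics kept a pairing from satisfying a custom performance class. The class thresholds, the sample values, and the per-sample comparison against the thresholds are assumptions made for illustration.

```python
from itertools import product
from statistics import mean

# Hypothetical "Phone test" performance class; threshold values are constructed.
PHONE_TEST = {"latency_ms": 150.0, "jitter_ms": 30.0, "loss_pct": 1.0}

def uplink_pairings(local_uplinks, remote_uplinks):
    """One AutoVPN tunnel per (local uplink, remote uplink) combination."""
    return list(product(local_uplinks, remote_uplinks))

def summarize(samples):
    """Average/min/max per metric over the samples in the selected time range."""
    out = {}
    for metric in ("latency_ms", "jitter_ms", "loss_pct"):
        values = [s[metric] for s in samples]
        out[metric] = {"avg": round(mean(values), 2),
                       "min": min(values), "max": max(values)}
    return out

def class_report(samples, perf_class):
    """Share of samples within every threshold, and the metrics that exceeded one.
    Per-sample evaluation is an assumption of this example."""
    exceeded, ok = set(), 0
    for s in samples:
        bad = [m for m, limit in perf_class.items() if s[m] > limit]
        exceeded.update(bad)
        ok += not bad
    return {"satisfied_pct": round(100 * ok / len(samples), 1),
            "exceeded": sorted(exceeded)}

# Constructed probe samples keyed by (local uplink, remote uplink).
SAMPLES = {
    ("WAN 1", "WAN 1"): [
        {"latency_ms": 182.0, "jitter_ms": 4.0, "loss_pct": 0.0},
        {"latency_ms": 175.0, "jitter_ms": 6.0, "loss_pct": 0.2},
        {"latency_ms": 190.0, "jitter_ms": 5.0, "loss_pct": 0.0},
    ],
    ("WAN 2", "WAN 1"): [
        {"latency_ms": 140.0, "jitter_ms": 3.0, "loss_pct": 0.0},
        {"latency_ms": 148.0, "jitter_ms": 2.0, "loss_pct": 0.0},
        {"latency_ms": 156.0, "jitter_ms": 3.0, "loss_pct": 0.0},
    ],
}

if __name__ == "__main__":
    for pair in uplink_pairings(["WAN 1", "WAN 2"], ["WAN 1", "WAN 2"]):
        if pair in SAMPLES:
            print(pair, summarize(SAMPLES[pair]),
                  class_report(SAMPLES[pair], PHONE_TEST))
```

With these constructed samples, the WAN 1 to WAN 1 pairing never satisfies the class because of latency alone, which mirrors the "Phone test" case described above where jitter and loss were within thresholds.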
How are these metrics calculated?
The AutoVPN tunnel statistics presented in the per-peer SD-WAN monitoring page are calculated based on performance probes that are consistently sent across each established VPN tunnel.