IPsec VPN Monitoring
Two flavors of Site-to-Site IPsec tunnels can be configured on Cisco SD-WAN powered by Meraki.
- Auto VPN - Cisco proprietary automatic site-to-site IPsec tunnels.
- IPsec VPN - includes Policy based IPsec tunnel, BGP over IPsec tunnel, Primary and Secondary tunnel and Multi-Uplink IPsec tunnel.
This guide covers monitoring for IPsec VPN tunnels. For Auto VPN tunnel monitoring, see Auto VPN tunnel monitoring.
| IPsec VPN tunnel types | Description | Firmware support | IPsec status | Tunnel Monitoring |
|---|---|---|---|---|
| Policy based | Static routed IPsec tunnels with no health checks configured | 6.x+ | Yes | N/A |
| BGP over IPsec | Dynamically routed IPsec tunnel with a BGP peer over the tunnel | 19.1+ | Yes | N/A, use dynamic protocol status |
| Primary and Secondary | Static routed IPsec tunnels with L7 health checks configured | 19.1+ | Yes | Yes |
| Multi-Uplink IPsec | Static routed IPsec tunnels with L7 health checks configured and Multi-Uplink IPsec enabled | 19.2+ | Yes | Yes |
VPN Status
For monitoring IPsec VPN peers, navigate to Security & SD-WAN > Monitor > VPN Status – IPsec VPN tab.
The VPN Status page shows the IPsec status for each peer. Tunnels with an L7 health check configured also have monitoring statistics on the Tunnel monitor details page. The details page shows the following additional information about the peer's tunnel performance:
- Current IPsec status
- Real time & historical Health check information
- Real time & historical Usage, Latency, Loss and Jitter
Primary and secondary tunnels will only have IPsec and Health check connectivity details over one uplink. However, when Multi-Uplink IPsec is enabled, there will be tunnel statistics for each active uplink.
Tunnel details
Routing decisions
Routing is determined by the status of the health check. If the status is green, traffic will be routed over the tunnel. If it's red, traffic will be routed to a working tunnel.
| Tunnel type | IPsec status meaning | Health check meaning | Routing verdict |
|---|---|---|---|
| Primary and Secondary | Red - IPsec Phase 1 and Phase 2 are both down | Red - Health check is down. Probe failed | Not routing |
| Primary and Secondary | Amber - IPsec Phase 1 is up, but Phase 2 is down | Red - Health check is down. Probe failed | Not routing |
| Primary and Secondary | Green - IPsec Phase 1 and Phase 2 are up | Green - Health check is up. Probe passed | Routing |
| Multi-Uplink IPsec (tunnels over two uplinks) | Red - IPsec Phase 1 and Phase 2 are both down on all uplinks | Red - Health check is down on all uplinks. Probe failed | Not routing |
| Multi-Uplink IPsec (tunnels over two uplinks) | Amber - IPsec Phase 1 is up, but Phase 2 is down on at least one uplink | Amber - Health check is down/probe failed on at least one uplink | Not routing if down on all available uplinks. Routing on established uplink if present |
| Multi-Uplink IPsec (tunnels over two uplinks) | Green - IPsec Phase 1 and Phase 2 are up on all uplinks | Green - Health check is up/probe passed on all uplinks | Routing |
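The table above, worked through as an added Python example (not Meraki code or dashboard output): it aggregates constructed per-uplink states into the IPsec and health check colors and the routing verdict, and flags a peer whose IPsec status is green while a health check fails. The `Uplink` fields, the function names, and the handling of combinations the table does not list (any Phase 1 still up is treated as amber) are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Uplink:
    name: str
    phase1_up: bool
    phase2_up: bool
    probe_ok: bool  # L7 health check result on this uplink

def ipsec_color(uplinks):
    if all(u.phase1_up and u.phase2_up for u in uplinks):
        return "green"
    # Assumption: any Phase 1 still up counts as amber, nothing up is red.
    return "amber" if any(u.phase1_up for u in uplinks) else "red"

def health_color(uplinks):
    passed = [u.probe_ok for u in uplinks]
    if all(passed):
        return "green"
    return "amber" if any(passed) else "red"

def evaluate(uplinks):
    """Return colors, routing verdict and a mismatch flag for one peer."""
    ipsec, health = ipsec_color(uplinks), health_color(uplinks)
    routing_on = [u.name for u in uplinks if u.probe_ok]
    return {
        "ipsec": ipsec,
        "health": health,
        "routing": bool(routing_on),      # routing follows the health check
        "routing_uplinks": routing_on,
        # Tunnel established everywhere, yet a probe fails: worth an alert.
        "mismatch": ipsec == "green" and health != "green",
    }

# Constructed sample states, not dashboard output.
SAMPLES = {
    "single-uplink, P2 down": [Uplink("wan1", True, False, False)],
    "multi-uplink, wan2 P2 down": [Uplink("wan1", True, True, True),
                                   Uplink("wan2", True, False, False)],
    "multi-uplink, probe fails on wan2": [Uplink("wan1", True, True, True),
                                          Uplink("wan2", True, True, False)],
}

if __name__ == "__main__":
    for label, uplinks in SAMPLES.items():
        print(label, evaluate(uplinks))
```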