Obsolete:Monitoring/strongswan
Appearance
This page contains historical information. It may be outdated or unreliable.
IPsec connections are monitored today using a combination of prometheus-ipsec-exporter and icinga.
A per-site alert will fire via Icinga check_prometheus should one or more defined IPsec tunnels change to disconnected, unknown, or other non-connected state.
Troubleshooting an issue
- Review the alert description text carefully. You should see some hint about where the problem lies here.
- e.g. alert text of "instance=cp1081:9536 site=eqiad tunnel={cp3060_v4,cp3060_v6}" indicates that there is a problem with the tunnels to cp3060 being reported by host cp1081.
- Check the IPsec Grafana dashboard
- Investigate any ongoing non-zero values.
- Look for commonality, e.g. do multiple instances report problems with the same tunnel?
- Write more about what you did to troubleshoot the issue in this runbook :)
- Tell the traffic team about it