AppNote: NBM 3.8 VPN Monitoring: New Features and Usage Tips
Novell Cool Solutions: AppNote
By Chitra Atul Gurjar
Posted: 15 Jan 2004
Chitra Atul Gurjar
Senior Software Engineer
Novell BorderManager 3.8 (NBM 3.8) features a new monitoring mechanism for VPN services. VPN monitoring is a central repository of VPN services information. It can be accessed using the Novell Remote Manager interface. This paper would be useful for those administrators who plan to deploy NBM 3.8 or have already deployed NBM 3.8 VPN services. This paper is pictorially driven, with notes to substantiate the images.
Table of Contents
- 1. Introduction
- 2. Using the monitoring mechanism
- 3. Options for VPN Monitoring
- 4. Help
- 5. Advantages of Monitoring
- 6. Troubleshooting Information
- 7. Limitations
- 8. Additional Information
The intent of this AppNote is to feature the new monitoring mechanism for VPN services.
Intended Users - All administrators that plan to have, or already have, NBM 3.8 in their VPN, and any other users of the NBM 3.8 product.
A remarkable feature for this release was that VPN monitoring for the new IPsec based VPN of NBM 3.8 became web-based. This was done using the existing NRM framework. Since the configuration for VPN was totally iManager (web) based, it seemed a logical step to facilitate monitoring of the VPN via a browser.
The VPN monitoring mechanism is a one-stop viewer for all the information associated with the VPN. Some additions to monitoring for the NBM 3.8 VPN include -
- Client disconnect
- All IKE related information
- Policy level information for real time connections
- NMAS authentications and IKE related statistics
- Flexibility of setting level of audit log on the VPN server
Levels of information and details are more than adequately captured with the option for any user to choose up to what level the logs are required. Complete monitoring of both Client-to-Site and Site-to-Site is possible.
The monitoring is best viewed via the IE browser (version 5.5 and above).
First ensure that the vpmon.nlm is loaded on the server on which monitoring is to be done. This runs as a NetWare Loadable Module and interfaces with the NRM framework to provide the monitoring functionality for the VPN services from the browser using the NetWare Remote Console.
Monitoring is NRM based and operates on secure port 8009. Users can begin monitoring by first authenticating to the server - usually the master server via the interface shown below. (Fig. 1)
Fig. 1 - Authentication screen for NetWare Remote Manager
The VPN master server can be used as the starting point from which monitoring of the VPN is done. The entire VPN can be viewed from the master server. If only a single slave's statistics need to be monitored, the user can authenticate only to that slave.
The format for invoking the authentication is - http://
Else, the user can directly provide the URL https://
The VPN monitoring for NBM 3.8 is similar to what was available in versions of BorderManager prior to NBM 3.8 (via NWAdmn). Users of the new monitoring interface will find the navigation and associated options similar to those of previous versions of BorderManager. The screen shots in this document indicate the similarities.
Only admin users or a user equivalent to the administrator can monitor or administer the VPN. Once the user has been authenticated, the NetWare Remote Manager page is displayed. The VPN monitoring option is available at the bottom of the left pane as depicted here.
Fig 2 - Option for NBM Monitoring
Note: This is a cropped view of the left pane.
Selecting the monitoring option (Fig 2) displays the screen shown in Fig 3. This screen is visible only when monitoring is done via the master server. For a slave server, the options menu page is displayed directly.
Fig 3 - View of VPN from master server
This is a four server VPN with one master and three slaves. The columns indicate:
- Server names (member names - same as what has been configured by the user during VPN server configuration. Need not be the same as the server name)
- Who they are (master/slave)
- IP Addresses (these are the IP Addresses on which the VPN server has been configured)
- Status of each server
An up-to-date server has been synchronized with the master and the other servers in the VPN. A server that is "Being Configured" can mean a number of things, for example:
- Master and Slave server are not synchronized with each other
- There is a change in the Master server configuration that has not yet been pushed to the slave server
- The master server typically pushes information regarding the root certificate, traffic policies, 3rd party policies, member information and information about other slave servers. If all or any one of these has not been received, then this state occurs
All servers in the VPN can be brought "Up-to-date" by using the option to "Synchronize all Servers". This option pushes all information present with the master at that time to all slaves. The Service Configuration Manager (SCM) receives the information. All configuration changes are first received by the master server and then pushed onto the slaves. If the information is not pushed to the slaves, the action of synchronization "force" pushes the configuration (and changes if any) to the slave servers.
Synchronization of all servers can only be done via the master server. Individual servers can be synchronized too by selecting them accordingly.
There are three options available with each server as shown in Fig 4:
- Real Time Monitor
- Audit Log
- Activity
Fig 4 - Options for monitoring any selected server
Real Time Monitor shows all the members (Fig 5) of the VPN along with packet information. In this instance of the VPN, an NBM 3.7 server is present in the environment. The Key Management Type is indicated as SKIP. Clients connected to any server can also be viewed here.
Note: When any one of the servers is unable to get connected to the network, or there is a link failure, the following error is displayed against that server for Key Management Type - Unknown type 0
Fig 5 - Real time monitor information of all members (clients and servers) in the VPN
In Fig 5 the client-to-site connection shows an "assigned" IP Address. This is a new feature in the NBM 3.8 VPN. This is the IP Address that a client is "assigned" by the server once a connection is established with that server. This IP Address is taken from a pool of IP Addresses during server configuration.
Fig 6 shows real time information for any client or server selected from the list of Fig 5. The Page Refresh interval (right side of screen) shows the default time of refresh of the page to be 30 seconds. This can be set by the user to a desired value.
Fig 6 - Real Time information for a selected server/client of the VPN
When any server is selected the above snapshot shows the information that can be viewed for each server. The new features of this screen are:
- The active policies configured for each server are shown here. These are the active traffic rules enforced for a connection. The packets passed out due to each rule can be observed by clicking on any rule for the details.
- As observed above, two of the Key Life Times are identical. This means that they have been re-keyed, freshly created, or the policy is about to expire. The old one is yet to be fully expired and hence both are shown.
- All IKE related information such as Key Life Time, Key Changes and Authentication Method.
In Fig 5, a client is also part of a client-to-site connection. When the client is selected, a screen similar to Fig 6 is displayed with client information and active policies associated with that client.
Fig 7- Audit Log Information
The Audit Log information is similar to what it was for earlier versions of BorderManager, only with NBM 3.8 it has more features for the user. The new features added here are:
- Users have the option of setting parameters for log level and server options as listed in the Audit Log Provider (top left hand corner). This allows the user to select precisely what is to be viewed and up to what level of detail. The previous version of BorderManager displayed everything; this option makes it easier to filter information out of the logs, and the log levels are more granular.
- IKE information is displayed.
The "i" and "-" in Fig 7 against each of the audit log messages indicate information log and error log respectively.
This screen shows all the details of the audit logs irrespective of what gets logged in CSAudit.
Note: If any changes are made to any of the attributes in the boxes, click acquire to get the latest information.
Setting the desired level of detail in the Audit logs is possible. Select the "Log Level" button (Fig 9) to set the level of detail. The user can choose to set the Audit Log Selection Type options there.
Depending on what level of log selection the user makes here, the information gets written into CSAudit on each server in the VPN.
Fig 8 - Audit log details for a selected server
Fig 9 - Setting Log Level
Activity screen displays all members of the VPN. Connection details of each of the members can be viewed by selecting the desired server using the appropriate radio button alongside the server. Global statistics pertaining to each server are displayed on the right half of the screen. The new features are:
- IKE related statistics such as Main mode attempted count and quick mode failure count.
- Successful NMAS authentications and failed NMAS authentications.
Fig 10 - VPN member activity
Clients and client-to-site connections between any client and the selected VPN server are visible. From the screen of Fig 10, if the user selects the "clients" button, a screen exactly like Fig 10, of clients connected to the selected server will be displayed (Fig 11).
A new feature here is:
- It is possible to even disconnect clients from the network using the option for that on the screen displaying the connected clients. Limitation to this - 3rd party client information is also visible but disconnection of these clients is not possible.
Fig 11 - Associated client-to-site connection for a VPN server
Client information is visible in a manner similar to that for the servers with every statistic pertaining to that particular client also available. The new features are:
- Details regarding the NMAS authentication are available (successful and failed authentication).
- Details for x.509, LDAP and backward compatibility options are also displayed.
Help is available for every screen, with all options of the screen detailed. Help can be accessed via the "i" icon present on the top right hand corner of the screen title bar. The help options are easily identified, since each option is described with respect to the icon associated with it as shown on the screen.
Activity screen help -
Fig 12 - Help for any screen - example VPN member activity
- Any server configured behind a NAT can also be monitored via this service. On the real time monitor, the NAT'ed IP address against which the VPN server has been configured will be displayed.
- Any client behind a NAT will be shown in the same manner as the client information in the snapshots above. The IP address information will only show the NAT'ed interface along with the assigned IP address for that client.
- Trouble shooting for any administrative user becomes easier since the whole VPN is visible through the browser interface. Messages for problems are descriptive and facilitate easy debugging. The messages displayed on the audit log monitoring console are easier to read and displayed in a better manner than the console debug options.
- NetWare 5.1 servers that are present in the VPN can also be viewed here putting to rest the concern that they may require a different monitoring mechanism or a reversal to NWAdmn.
Some practical uses of VPN monitoring for troubleshooting:
- Any slave server in the VPN is down -
- Select that server from the list of servers in the VPN (scr1) and select the option to synchronize selected servers. This will force the master to push the information to the slave server
- Select all servers and select option to synchronize all servers.
Fig 13 - Troubleshooting when a connection is down or Site-to-Site connection is not up.
- The number of packets transmitted stops increasing
- The SAs will expire and this will be indicated in the real time monitor for any server. After this, the Real Time Monitor will show the Key Management Type field as "Unknown Server Type 0"
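The figures shown on the Activity screen (IKE main mode and quick mode counts, successful and failed NMAS authentications) and the Real Time Monitor (packet counters, Key Management Type, server status) lend themselves to a simple automated health check across two refresh intervals. The following is an added example, not code from the AppNote or from Novell: it assumes an administrator has transcribed those per-member figures into `MemberStats` records at two polls, and applies the troubleshooting indicators described above (frozen packet counters, "Unknown type 0", a member stuck in "Being Configured", rising quick mode failures, and a burst of failed NMAS authentications). The record layout and all sample values are constructed for illustration.

```python
"""Health checks over two polls of NBM 3.8 VPN monitoring figures.

Added example; this is not code from the AppNote or from Novell. It assumes an
administrator has transcribed the per-member figures visible on the Real Time
Monitor and Activity screens into MemberStats records at two refresh intervals.
The record layout and every sample value below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MemberStats:
    name: str                 # VPN member name as configured (need not be the server name)
    role: str                 # "master" or "slave"
    status: str               # "Up-to-date" or "Being Configured"
    key_mgmt_type: str        # e.g. "IKE", "SKIP" for an NBM 3.7 member, or "Unknown type 0"
    packets_tx: int           # cumulative transmitted packet count (Real Time Monitor)
    main_mode_attempted: int  # IKE main mode attempts (Activity screen)
    quick_mode_failed: int    # IKE quick mode failures (Activity screen)
    nmas_success: int         # successful NMAS authentications (Activity screen)
    nmas_failed: int          # failed NMAS authentications (Activity screen)


def check_member(prev: MemberStats, cur: MemberStats, max_fail_ratio: float = 0.5) -> List[str]:
    """Return human-readable findings for one member, comparing two consecutive polls."""
    findings: List[str] = []

    # A member that lost its link or whose SAs expired shows an unknown key management type.
    if cur.key_mgmt_type.startswith("Unknown"):
        findings.append(f"Key Management Type is {cur.key_mgmt_type!r}: link down or SAs expired")

    # A site-to-site tunnel that is not passing traffic stops incrementing its packet counter.
    if cur.packets_tx <= prev.packets_tx:
        findings.append(f"transmitted packets stopped increasing ({prev.packets_tx} -> {cur.packets_tx})")

    # A member that is not up-to-date has not received the master's configuration push.
    if cur.status != "Up-to-date":
        findings.append(f"status is {cur.status!r}: synchronize this server from the master")

    # Quick mode failures accumulating between polls point at policy or rekey problems.
    qm_delta = cur.quick_mode_failed - prev.quick_mode_failed
    if qm_delta > 0:
        findings.append(f"{qm_delta} new IKE quick mode failures since last poll")

    # A high share of failed NMAS authentications over the interval deserves a look at the audit log.
    ok = cur.nmas_success - prev.nmas_success
    bad = cur.nmas_failed - prev.nmas_failed
    if ok + bad > 0 and bad / (ok + bad) > max_fail_ratio:
        findings.append(f"{bad} of {ok + bad} NMAS authentications failed since last poll")

    return findings


def check_vpn(prev: Dict[str, MemberStats], cur: Dict[str, MemberStats]) -> Dict[str, List[str]]:
    """Run check_member over every member of the previous poll; members that have
    vanished from the current poll are reported as such."""
    report: Dict[str, List[str]] = {}
    for name, prev_stats in prev.items():
        if name not in cur:
            report[name] = ["member no longer listed on the Real Time Monitor"]
            continue
        report[name] = check_member(prev_stats, cur[name])
    return report


# Constructed sample: a four-member VPN polled twice, 30 seconds apart (the default refresh).
PREV = {
    "MASTER1": MemberStats("MASTER1", "master", "Up-to-date", "IKE", 120400, 40, 1, 200, 3),
    "SLAVE1": MemberStats("SLAVE1", "slave", "Up-to-date", "IKE", 50210, 12, 0, 80, 1),
    "SLAVE2": MemberStats("SLAVE2", "slave", "Up-to-date", "IKE", 30990, 9, 0, 0, 0),
    "SLAVE3": MemberStats("SLAVE3", "slave", "Up-to-date", "IKE", 8700, 5, 0, 10, 2),
}
CUR = {
    "MASTER1": MemberStats("MASTER1", "master", "Up-to-date", "IKE", 121300, 41, 1, 205, 3),
    "SLAVE1": MemberStats("SLAVE1", "slave", "Up-to-date", "IKE", 50630, 12, 0, 83, 1),
    # SLAVE2 lost its link: counters frozen, SAs expired, master's push not received.
    "SLAVE2": MemberStats("SLAVE2", "slave", "Being Configured", "Unknown type 0", 30990, 9, 0, 0, 0),
    # SLAVE3 is seeing a burst of failed NMAS client authentications.
    "SLAVE3": MemberStats("SLAVE3", "slave", "Up-to-date", "IKE", 9100, 5, 0, 11, 12),
}

if __name__ == "__main__":
    for member, findings in check_vpn(PREV, CUR).items():
        print(member, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

In the constructed sample, MASTER1 and SLAVE1 produce no findings, SLAVE2 is flagged for all three link-down indicators and would be a candidate for the "synchronize selected servers" option once it is reachable again, and SLAVE3 is flagged on NMAS failures, which is the point at which an administrator would raise the Audit Log level on that server to see the individual authentication messages.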
- 3.7 servers in a VPN can be monitored and synchronized only through NWAdmn.
- Third party clients cannot be disconnected using the client disconnect option.
For VPN configuration and administration:
VPN deployment FAQ:
Configuring VPN - Easy Reference Pages:
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com