RE: [NV-L] Monitoring devices through VPN tunnels

To:	Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Subject:	RE: [NV-L] Monitoring devices through VPN tunnels
From:	James Shanks <jshanks@us.ibm.com>
Date:	Thu, 1 Mar 2007 09:28:06 -0500
Delivery-date:	Thu, 01 Mar 2007 14:35:34 +0000
Envelope-to:	nv-l-archive@lists.skills-1st.co.uk
In-reply-to:	<E40157D80C23A3469170ABB853BD09C015D5D2@MDCTXUEXCL01N1.corptxu.txu.com>
List-help:	<mailto:nv-l-request@lists.ca.ibm.com?subject=help>
List-id:	Tivoli NetView Discussions <nv-l.lists.ca.ibm.com>
List-post:	<mailto:nv-l@lists.ca.ibm.com>
List-subscribe:	<http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=subscribe>
List-unsubscribe:	<http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=unsubscribe>
Reply-to:	Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Sender:	nv-l-bounces@lists.ca.ibm.com

Mario,

Did you not see the reply from Stephen Hochstetler yesterday about noon? It seemed pretty succinct to me. I've added it below.

By itself, NetView does not deal with VPNs and NAT'd addresses. Unless you get real addresses from across the VPN you cannot just add the devices to the seed file as Blaine did. So you have to settle for less than full monitoring or use CNAT as Stephen suggested. That's one of the reasons why IBM is replacing NetView with Precision IP.

James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp

=======================================================================================================================
Mario,

Since the devices behind VPNs are not in ARP or routing tables you will likely need to use the NetView command loadhosts to actually discover them. If the VPN gets you access to real addresses then you can do full management of these devices. If the VPN is also a NAT device, then you will run into issues.

If you are seeing NAT addresses you have 3 choices.
-- manage them for availability with PING only with NetView (and discover them as non-SNMP devices using loadhosts)
-- Use CNAT to manage them via SNMP and PING
-- migrate to Netcool Precision for IP to manage them (I am told by the Precision guys that they can handle this)

Question -- is the NAT a static one-to-one address mapping that will not change? Will it change if the routers are rebooted? For managing them, their NAT addresses have to be static so you can do the mapping and stay mapped.

Unless you use CNAT or Netcool you will have a hard time monitoring them based on MIB variable thresholds. You can do 'some' of it, but it is not a simple task.

Stephen Hochstetler shochste@us.ibm.com
International Technical Support Organization at IBM
Office - 512-838-6198 (t/l 678) FAX - 512-838-6931
http://www.redbooks.ibm.com

<Blane.Robertson@capgeminienergy.com>

<Blane.Robertson@capgeminienergy.com>
Sent by: nv-l-bounces@lists.ca.ibm.com
03/01/2007 09:08 AM

Please respond to
Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>

To

<nv-l@lists.ca.ibm.com>

cc

Subject

RE: [NV-L] Monitoring devices through VPN tunnels

How I did it was to add an entry into my netmon seed file for that device. That way, it’ll get into the map no matter what (as long as it’s a unique IP, that is). I also kept all my devices in my /etc/hosts too, but that shouldn’t be necessary as long as your DNS is pretty quick/responsive.

Peace,
Blane Robertson
Capgemini / Dallas
Enterprise Systems Management/ Capgemini Energy
Office: +1 214 879 1666/ www.us.capgemini.com

Whether you think you can, or you think you can’t, you’re right! – Henry Ford

From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com] On Behalf Of Mario Behring
Sent: Thursday, March 01, 2007 7:03 AM
To: NetView List
Subject: [NV-L] Monitoring devices through VPN tunnels

Hi all,

Any advises on the above subject? I have several devices behind VPN tunnels that I have to monitor for availability as well as configuring events based on MIB variables thresholds......

I am having some difficulties like:

some devices (routers mostly) are not being discovered by NV, but they answer ping and snmpwalk commands issued at the command line at the NV server.
different clients connected through VPN tunnels have similar IP ranges, so the addresses the NV server actually see are NAT addresses.

How can I work around these isues? Do I have to use CNAT? Is there any special configuration for NV to deal correctly with devices behind VPN tunnels?

Most tunnels are configured through PIX/ASA Cisco devices, and some through routers.

I am running NV 7.1.5 on a Red Hat 4 server.

Thanks in advance.

Best regards,

Mario Behring

Be a PS3 game guru.
Get your game face on with the latest PS3 news and previews at Yahoo! Games._______________________________________________ NV-L mailing list NV-L@lists.ca.ibm.com Unsubscribe:NV-L-leave@lists.ca.ibm.comhttp://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to internal IBM'ers only)

_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to 
internal IBM'ers only)

<Prev in Thread]	Current Thread	[Next in Thread>
[NV-L] Monitoring devices through VPN tunnels, Mario Behring RE: [NV-L] Monitoring devices through VPN tunnels, Blane.Robertson RE: [NV-L] Monitoring devices through VPN tunnels, James Shanks <= Re: [NV-L] Monitoring devices through VPN tunnels, Mario Behring Re: [NV-L] Monitoring devices through VPN tunnels, Stephen Hochstetler

Previous by Date:	RE: [NV-L] Monitoring devices through VPN tunnels, Blane.Robertson
Next by Date:	RE: [I] Re: [NV-L] Fixpack 5 install, Phillippie, Eddie
Previous by Thread:	RE: [NV-L] Monitoring devices through VPN tunnels, Blane.Robertson
Next by Thread:	Re: [NV-L] Monitoring devices through VPN tunnels, Mario Behring
Indexes:	[Date] [Thread] [Top] [All Lists]