Monitor and Troubleshoot the Nuage Networks Remote Network

Nuage Networks includes mechanisms to detect issues with connections to an IKE gateway. To learn about these mechanisms and how they keep your network functional, see the following sections.

Nuage Networks Dead Peer Detection and Internet Probing

To detect issues with an IKE gateway for the remote network connection, Nuage Networks VNS uses the Dead Peer Detection (DPD) mechanism together with a probing mechanism that probes internet services.
The probes are divided into two hierarchical levels: Tier 1 and Tier 2. Nuage Networks initiates the probe. The Tier 1 probe tests the connectivity of the remote network connection to Prisma Access, and the Tier 2 probe tests the connectivity to the internet.
Each connection is composed of an active IPSec tunnel (priority 100) and a backup IPSec tunnel (priority 200). The HTTP probes run on both connections.
  • Tier 1 Probe
    —Each Tier 1 probe is associated with a weight (between 1 and 100%). For Tier 1 to fail, the sum of the weights of the Tier 1 probes that fail must be equal to or greater than 100%. If the Tier 1 probe goes down, Tier 2 probe monitoring also goes down.
  • Tier 2 Probe
    —The Tier 2 probe uses round-robin monitoring across a set of internet FQDNs. Consecutive probe tests must fail for the Tier 2 probe to fail.

Create an HTTP Probe Object

To create an HTTP probe object, complete the following task.
  1. In the Nuage Networks UI, select Performance Monitors.
  2. Create a performance monitor with the following values:
    • Specify a Hold Down Timer value that defines how long the VSD waits for a response before it determines that the performance monitor is unsuccessful and switches to the backup tunnel. The default is 1000 ms.
    • Specify a Probe Type of HTTP.
    After you click Create, the Nuage VNS creates two tiers: Tier 1 and Tier 2. There is no option to add or remove tiers.
  3. Create Tier 1 URLs, specifying the following values:
    • Down Threshold Count
      —Defines the number of consecutive failed probes before the VSD declares a state change and raises an alarm.
    • HTTP Request Type
      —Specifies the HTTP request method used for the HTTP ping.
    • URL Weight
      —Defines the percent weight for the URL within Tier 1. The sum of the URL weights in Tier 1 cannot exceed 100.
    • URL
      —Defines the HTTP or HTTPS target. Specify one URL up to 2000 characters long.
    • Rate
      —Defines the rate at which the probe sends probe packets to the destination target.
    • Timeout (ms)
      —Defines how long the VSD waits for a response before considering a probe unsuccessful.
  4. Edit Tier 2 options to change the interval and timeout values of the Tier 2 probe by specifying the following values:
    • Interval (s)
      —Defines the rate at which the probe sends packets to the destination target.
    • Probe Timeout (ms)
      —This parameter defines how long the VSD waits for a response before it determines a probe to be unsuccessful.
    • Down Threshold Count
      —This parameter defines the number of consecutive failed probes before the VSD declares a state change and raises an alarm.
  5. Create Tier 2 URLs with the following values:
    • HTTP Request Type
      —Specifies the HTTP request method that is used for the HTTP ping.
    • URL
      —Defines the HTTP or HTTPS target. Specify one URL up to 2000 characters long.
  6. After you create the HTTP probe object with Tier 1 and Tier 2 information, associate the probe with the active and backup IPSec tunnels.
    The following conditions must apply to associate a probe with an IKE gateway connection:
    • The remote subnet associated with the IKE gateway must be 0.0.0.0/0.
    • You must associate all local subnets with the uplink IPSec connection.
    If you do not meet the preceding conditions, tunnel association fails.
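
The tier rules and association conditions above can be checked against a planned probe configuration before it is entered in the UI. This is an added example, not Nuage Networks or Prisma Access code; the field names, sample URLs, and the per-URL reading of Down Threshold Count are assumptions, and the rules are applied as stated in this section.

```python
from ipaddress import ip_network

# Constructed plan; field names are hypothetical, not Nuage VSD API names.
PLAN = {
    "tier1": [
        {"url": "https://probe-a.example.net/health", "weight": 60, "down_threshold": 3},
        {"url": "https://probe-b.example.net/health", "weight": 30, "down_threshold": 3},
    ],
    "tier2": {"urls": ["https://www.example.com/", "https://www.example.org/"],
              "down_threshold": 3},
    "ike_remote_subnet": "0.0.0.0/0",
}

def lint_plan(plan):
    """Check a plan against the limits stated in this section; return problems."""
    problems = []
    weights = [u["weight"] for u in plan["tier1"]]
    if any(not 1 <= w <= 100 for w in weights):
        problems.append("tier1 weight outside 1-100")
    if sum(weights) > 100:
        problems.append("tier1 weights exceed 100")
    elif sum(weights) < 100:
        # Failed weight must reach 100 for Tier 1 to go down, so this never trips.
        problems.append("tier1 weights below 100: tier1 can never fail")
    for url in [u["url"] for u in plan["tier1"]] + plan["tier2"]["urls"]:
        if len(url) > 2000 or not url.startswith(("http://", "https://")):
            problems.append("bad probe URL: " + url[:60])
    if ip_network(plan["ike_remote_subnet"]) != ip_network("0.0.0.0/0"):
        problems.append("IKE gateway remote subnet must be 0.0.0.0/0")
    return problems

def tier_state(plan, tier1_streaks, tier2_results):
    """tier1_streaks: url -> consecutive failed probes (assumed per-URL).
    tier2_results: round-robin outcomes, newest last, True = success."""
    failed_weight = sum(u["weight"] for u in plan["tier1"]
                        if tier1_streaks.get(u["url"], 0) >= u["down_threshold"])
    tier1_up = failed_weight < 100
    streak = 0
    for ok in reversed(tier2_results):  # count trailing consecutive failures
        if ok:
            break
        streak += 1
    # Tier 2 monitoring goes down whenever Tier 1 is down.
    tier2_up = tier1_up and streak < plan["tier2"]["down_threshold"]
    return {"failed_weight": failed_weight, "tier1_up": tier1_up, "tier2_up": tier2_up}

if __name__ == "__main__":
    print(lint_plan(PLAN))
    all_down = {u["url"]: 3 for u in PLAN["tier1"]}
    print(tier_state(PLAN, all_down, [True, True, True]))
```

With the sample weights of 60 and 30, both Tier 1 URLs can be down while Tier 1 still reports up, which is the case the lint flags.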

Troubleshoot the Remote Network

Prisma Access provides logs that show the status of remote tunnels and the status of each tunnel. To view these logs in Panorama, select Monitor > Logs > System.
To debug tunnel issues, you can filter for tunnel-specific logs by using the object identifier corresponding to that tunnel. The following figures show errors related to tunnel misconfiguration and negotiation issues.
