Juniper SRX VPN Monitor


Juniper SRX has a useful set of SNMP MIBs for monitoring the device remotely. One of these is JUNIPER-IPSEC-FLOW-MON-MIB, which reports the state of the IKE Phase 1 and IPsec Phase 2 tunnels configured on the SRX. Polling it saves having to log in to the SRX to check the state of tunnels, and gives a simple Juniper SRX VPN monitor.

The end-result is below.

[Screenshot: Juniper SRX IKE/IPSec Remote Monitor, IKE Phase 1 Tunnel State]

There’s a script (updatepeers.php) which pulls the currently established Phase 1 IKE associations from the SRX every 5 minutes via a cron job.

I call this file in cron like so –

*/5 * * * * (/usr/bin/php /var/www/juniperike/updatepeers.php)

This updates the MySQL database tables with the parsed output of a walk of the OID jnxIkeTunMonState (1.3.6.1.4.1.2636.3.52.1.1.2.1.6). I did try using the jnxIpSecSaMonState OID, but unfortunately this proved very unreliable for some reason, so instead I used the IKE (Phase 1) state, which is both reliable and should be present for any healthy security association anyway. The poller only needs read access, so give it a read-only SNMP community (or an SNMPv3 user) restricted to the monitoring host’s address.

The data from the MySQL tables is pulled using another PHP file (status.php), and displayed on the page, which refreshes every 60 seconds.

If you need to add more remote peers for monitoring, this is possible via an additional PHP file (add_tunnel.php).
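The polling step described above, as an added example that is not part of the original post or its download: a Python stand-in for updatepeers.php that parses a numeric `snmpwalk -On` of jnxIkeTunMonState, grades each configured peer, and produces rows ready for a database insert. The value meanings (1 = active, 2 = destroy), the way a configured peer is matched to a row index (here a plain index-suffix lookup; the post’s add_tunnel.php holds the real per-peer data), the `peer_status` table shape and the sample walk are all assumptions made for the example. It also handles two cases a monitor should get right: a peer with no row at all is reported as down (the SRX only lists SAs that exist), and a failed poll is reported as unknown rather than as every tunnel being down.

```python
"""Added example: parse a jnxIkeTunMonState walk and grade each expected peer.

Python stand-in for the page's updatepeers.php; the DB write is left as a
row list so the logic can be run offline on a constructed sample.
"""
import re
import subprocess
from datetime import datetime, timezone

# OID quoted on the page: jnxIkeTunMonState column of jnxIkeTunnelTable.
JNX_IKE_TUN_MON_STATE = "1.3.6.1.4.1.2636.3.52.1.1.2.1.6"

# Assumed meaning of the integer values (TunnelStatus in the MIB):
# 1 = active, 2 = destroy. Anything else is treated as not healthy.
STATE_NAMES = {1: "active", 2: "destroy"}

# One line of `snmpwalk -On` output: ".<oid> = INTEGER: <n>"
LINE_RE = re.compile(r"^\.?(?P<oid>[0-9.]+)\s*=\s*INTEGER:\s*(?P<val>\d+)\s*$")


def parse_walk(text):
    """Return {index_suffix: state_int} for every jnxIkeTunMonState row.

    Lines that are not rows of that column ("No Such Instance", blanks,
    rows from a neighbouring column) are skipped rather than raising.
    """
    prefix = JNX_IKE_TUN_MON_STATE + "."
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(prefix):
            continue
        states[m.group("oid")[len(prefix):]] = int(m.group("val"))
    return states


def evaluate(expected, states):
    """Grade each configured peer as "up", "down" or "unknown".

    expected: {peer_name: index_suffix}  (assumed mapping, see lead-in)
    states:   result of parse_walk(), or None if the poll itself failed
    A peer with no row at all is "down": the SRX only lists SAs that exist.
    A failed poll is "unknown" so a dead SNMP path is not shown as every
    tunnel being down.
    """
    if states is None:
        return {name: "unknown" for name in expected}
    result = {}
    for name, suffix in expected.items():
        state = states.get(suffix)
        result[name] = "up" if STATE_NAMES.get(state) == "active" else "down"
    return result


def run_snmpwalk(host, community, timeout=10):
    """Poll the SRX with net-snmp's snmpwalk (SNMPv2c, numeric OIDs).

    Returns the raw text, or None on timeout / non-zero exit, so the caller
    can hand None straight to evaluate().
    """
    cmd = ["snmpwalk", "-v2c", "-c", community, "-On", host, JNX_IKE_TUN_MON_STATE]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


def status_rows(status, polled_at=None):
    """Rows (peer, status, polled_at) for a hypothetical peer_status table."""
    ts = (polled_at or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
    return [(name, state, ts) for name, state in sorted(status.items())]


# Constructed sample walk: three SA rows plus one row from a neighbouring
# column (index suffixes and values are invented for the example).
SAMPLE_WALK = """\
.1.3.6.1.4.1.2636.3.52.1.1.2.1.6.101 = INTEGER: 1
.1.3.6.1.4.1.2636.3.52.1.1.2.1.6.102 = INTEGER: 2
.1.3.6.1.4.1.2636.3.52.1.1.2.1.6.103 = INTEGER: 1
.1.3.6.1.4.1.2636.3.52.1.1.2.1.7.101 = Gauge32: 4023
"""

# Constructed peer list: branch-c is configured but has no SA in the walk.
EXPECTED_PEERS = {"branch-a": "101", "branch-b": "102", "branch-c": "104"}

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in run_snmpwalk() for real use.
    for row in status_rows(evaluate(EXPECTED_PEERS, parse_walk(SAMPLE_WALK))):
        print(*row)
```

Run from cron in place of the PHP script, the only change is replacing `SAMPLE_WALK` with `run_snmpwalk(host, community)` and writing `status_rows(...)` to the database; keeping "unknown" as a distinct status is what stops an SNMP outage on the monitoring host from paging everyone about every tunnel at once.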

[Screenshot: Juniper SRX IKE/IPSec Remote Monitor, Add new IPsec Tunnel]

The PHP files, blank MySQL tables and a short README file are available for download below –

juniperike – SHA256 sum – 26d9a294611b76eda7958982d17cbfe2ca14e0696fa2abfe108e460f6671d9ab

We use a similar page I wrote at the company I work for which monitors the tunnels on multiple customer SRX firewalls.

Enjoy!
