Overview

VPN Monitoring provides visibility into the health of IPsec VPN tunnels, including tunnel uptime, traffic volume, packet drops, and crypto/authentication failures. When enabled, the Atatus Infra Agent collects these metrics through the SNMP integration and displays them directly inside Network Device Monitoring (NDM).

When VPN Monitoring is active, the agent gathers:

• Active tunnel state
• Tunnel uptime
• Tunnel traffic (inbound and outbound bytes & packets)
• Authentication failures
• Encryption and decryption errors

These VPN metrics can be collected from:

• Individually configured SNMP devices
• Autodiscovered SNMP devices (subnet-based)

Requirements

Current Limitations

Only Cisco IPsec VPN Tunnels (CIPSec MIBs) are supported.

Device must expose standard Cisco VPN SNMP OIDs.

Configuration

VPN monitoring is enabled through the collect_vpn setting.

Configuration file path /etc/atatus-infra-agent/conf.d/snmp.d/snmp.yml

1. Enable VPN Monitoring Globally

Add under snmp init_config:

snmp:
  init_config:
    use_device_id_as_hostname: true
    collect_vpn: true       # Enable VPN tunnel data for all SNMP devices

  instances:
    - ip_address: "1.2.3.4"
      community_string: "sample-string"

      tags:
        - key1:val1
        - key2:val2

Use this if all devices should report VPN tunnel metrics.

1. Enable VPN Monitoring Per Device

If you only want certain devices to report VPN metrics:

snmp:
  init_config:
    use_device_id_as_hostname: true

  instances:
    - ip_address: "1.2.3.4"
      community_string: "sample-string"

      collect_vpn: true     # Enable VPN only for this device

      tags:
        - key1:val1
        - key2:val2

This is useful for mixed environments with both VPN and non-VPN devices.

Metrics Collected

Below are the IPsec VPN SNMP metrics collected when VPN Monitoring is enabled:

Restart the Agent

sudo systemctl restart atatus-infra-agent