Dual-Session VPN Performance Monitoring
- How to configure two network monitoring sessions to monitor the VPN performance.
What you are going to learn:
A very common monitoring scenario is VPN performance monitoring. The objective of this monitoring scenario is to verify whether or not the VPN is impacting network performance. In this article, you will learn how to configure VPN monitoring in the Obkio App to monitor VPN performance. The article refers to two Monitoring Agents called HQ, located at the company headquarters, and Remote, located either at a remote office or on a remote user's laptop.
The Remote agent has its own Internet connection and a VPN tunnel is established to connect to the headquarters network. The VPN can be configured on the remote office's firewall or as a VPN client on the remote user's laptop; either setup works.
Two Network Monitoring Sessions are required to be able to pinpoint if the VPN is affecting the network performance. One session will be configured inside the VPN and one session outside the VPN. Both sessions should use the same network path on the Internet. The only difference is that one session will go through the VPN (which will include encryption and decryption) and the other one will only go through the headquarters' firewall NAT.
With this dual-session monitoring, if both sessions are impacted by a Network Issue, the degradation is common to both sessions, so it's not related to the VPN itself. It can be the Internet connection at either location (or in between) or it might come from the network devices at either location. The Network Device Monitoring feature can help pinpoint if the issue is related to the network devices or not. The Traceroutes feature can help pinpoint network path issues.
The HQ agent mode must be configured as Private Internet Server because one of the sessions will go through the public Internet. On the firewall (or router) facing the HQ agent, port forwarding is required to forward the monitoring traffic from the Internet to the agent. Default network monitoring ports to forward are 23999/UDP. Learn more on the Firewall Configurations.
The Remote agent mode should be configured as Client Only because that agent will initiate the connection to the HQ agent. If for some reason the Remote agent mode is different, adjust the Client Selection Preference to make sure the Remote agent is the client. Learn more on the Network Monitoring Role Selection.
Finally, to be able to configure a network monitoring session inside the VPN, both agents must be in the same Agent Network. By being in the same network, both agents will communicate with private IP addresses by default.
To create the two network monitoring sessions, two Network Monitoring Templates must be configured. The first one will go inside the VPN and is probably the one that is already in place if you have a working setup. There is no specific configuration to use the VPN because both agents are in the same network which will cause them to use their private IP addresses. When configuring the template, one agent must go in one list and the second agent in the second list.
The second template will create a monitoring session that will go outside the VPN. It is identical to the first template with one exception: the IP Selection advanced parameter. Instead of the default setting, the IP Selection must be set to Public IPv4. This setting will override the Agent Network and the Remote agent will initiate the connection to the public IP of the HQ agent, so the VPN should not be used.
If the VPN installs a default route that causes all the network traffic of the Remote agent to go through the VPN, this dual-session configuration might not work. You must make sure that the Remote agent uses the Internet to communicate with the public IP of the HQ agent and not the VPN tunnel.
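The default-route caveat above can be checked by modelling route selection on the Remote agent's host. The following is an added example, not part of the original article or of Obkio's software; the addresses, interface names (`eth0`, `tun0`) and route tables are constructed sample data.

```python
import ipaddress

# Constructed sample data: 203.0.113.10 stands in for the HQ agent's public IP,
# eth0 for the Remote agent's Internet interface and tun0 for the VPN tunnel.
HQ_PUBLIC_IP = "203.0.113.10"
VPN_INTERFACES = {"tun0"}

# (destination prefix, outgoing interface, metric)
FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0", 100),       # original default route via the ISP
    ("0.0.0.0/1", "tun0", 50),        # some VPN clients cover all of IPv4 with
    ("128.0.0.0/1", "tun0", 50),      # two /1 routes that beat the /0 default
    ("10.20.0.0/16", "tun0", 50),     # HQ private network
    ("192.168.1.0/24", "eth0", 100),  # local LAN
]
# Same table plus a host route that keeps the HQ public IP on the Internet path.
WITH_BYPASS = FULL_TUNNEL + [(HQ_PUBLIC_IP + "/32", "eth0", 100)]


def select_route(routes, destination):
    """Return the route a host would use: longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = [
        (ipaddress.ip_network(prefix), dev, metric)
        for prefix, dev, metric in routes
        if dest in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))


def outside_session_bypasses_vpn(routes, hq_public_ip=HQ_PUBLIC_IP):
    """True when traffic to the HQ public IP leaves on a non-VPN interface."""
    _, dev, _ = select_route(routes, hq_public_ip)
    return dev not in VPN_INTERFACES


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("with bypass", WITH_BYPASS)):
        net, dev, _ = select_route(table, HQ_PUBLIC_IP)
        verdict = "outside VPN" if outside_session_bypasses_vpn(table) else "INSIDE VPN"
        print(f"{name}: {HQ_PUBLIC_IP} matches {net} via {dev} -> {verdict}")
```

With the full-tunnel table, both sessions would cross the VPN and the comparison between them would be meaningless; the host route restores the outside path for the second session only.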