VPN Monitoring, Inside and Out
May 16, 2017


IT teams deploy VPNs to create a secure, private connection over the internet. The VPN is an essential technology in connecting employees to corporate apps when they’re not at the main campus. As remote and branch offices have grown, so has VPN availability and selection. This means that VPN performance is particularly important for employees at remote and branch offices, or anywhere outside of the main IT campus, like hospitals, hotels, retail stores and more.

VPNs are usually pretty reliable, which is appealing for the IT teams supporting them. But they do experience connection problems, such as when a VPN client’s connection is rejected. Beyond VPN connection issues, many common network issues can slow down the performance of a VPN connection, and determining the root cause of user complaints is often difficult. VPN monitoring for performance is hard with traditional tools like SNMP, which are limited to, at best, the endpoints in offices with owned infrastructure.

How IT Teams Monitor the VPN

There are a few types of protocols used today to secure and encrypt VPN connections, including the widely used IPsec and SSL. For VPN monitoring, the first step—which you’re probably already doing—is to create a path between the source and target to monitor through the VPN connection. This helps teams understand whether heightened latency, data loss or even an MTU black hole hop is a contributing factor to poor VPN performance.

But what many IT teams aren’t doing is this: Further visibility can be achieved if the user creates a path around the VPN to the same target. This provides a comparison point for IT Ops teams to help identify where problems exist within the WAN. Due to the limitations of the VPN connection, the number of hops visible to monitoring tools will be restricted to hops preceding and following the VPN tunnel. However, the use of a comparison path that is not routed through the VPN will generally follow the same connection as the VPN while showing the L3 hops along the way. This method can be a good indicator of where a problem resides, whether with the VPN itself, with the underlying connection or within the LAN at either endpoint.
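The comparison described above can be written as a small decision procedure. The following Python is an added example, not code from the original post or from AppNeta; the thresholds, the `Hop` record, the segment labels and the sample measurements are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

RTT_MS_MAX, LOSS_PCT_MAX = 150.0, 1.0   # assumed thresholds; tune to your baseline

@dataclass
class Hop:
    name: str
    segment: str      # operator-assigned: "lan-src", "underlying" or "lan-dst"
    rtt_ms: list      # round-trip samples to this hop, in milliseconds
    loss_pct: float = 0.0

def degraded(hop):
    return median(hop.rtt_ms) > RTT_MS_MAX or hop.loss_pct > LOSS_PCT_MAX

def localize(vpn_path, direct_path):
    """Compare the tunnelled path with the path around the VPN (same target)."""
    vpn_bad, direct_bad = degraded(vpn_path[-1]), degraded(direct_path[-1])
    if not vpn_bad and not direct_bad:
        return "healthy"
    if vpn_bad and not direct_bad:
        return "vpn"                      # underlying route is fine end to end
    if direct_bad and not vpn_bad:
        return "comparison-path-only"     # routes diverge; tunnel unaffected
    # Both degraded: blame the first hop from which every later hop is also
    # degraded. A lone lossy hop followed by healthy ones is often a router
    # rate-limiting probe replies, not a real fault.
    for i, hop in enumerate(direct_path):
        if all(degraded(h) for h in direct_path[i:]):
            return hop.segment

# Constructed sample measurements (not taken from any real network).
VPN_OK = [Hop("gw-src", "lan-src", [2, 3, 4]), Hop("target", "lan-dst", [45, 47, 50])]
VPN_BAD = [Hop("gw-src", "lan-src", [2, 3, 4]), Hop("target", "lan-dst", [240, 250, 260], 3.0)]
DIRECT_OK = [Hop("gw-src", "lan-src", [2, 3, 4]), Hop("isp-1", "underlying", [15, 16, 18]),
             Hop("isp-2", "underlying", [30, 31, 33]), Hop("target", "lan-dst", [40, 41, 44])]
DIRECT_WAN_BAD = [Hop("gw-src", "lan-src", [2, 3, 4], 30.0),   # rate-limited replies
                  Hop("isp-1", "underlying", [15, 16, 18]),
                  Hop("isp-2", "underlying", [190, 195, 210]),
                  Hop("target", "lan-dst", [200, 205, 220])]
DIRECT_DST_BAD = DIRECT_OK[:3] + [Hop("target", "lan-dst", [40, 41, 44], 5.0)]

if __name__ == "__main__":
    for label, direct in [("ok", DIRECT_OK), ("wan", DIRECT_WAN_BAD), ("dst", DIRECT_DST_BAD)]:
        print(label, "->", localize(VPN_BAD, direct))
```

The VPN path only needs its end-to-end measurement, since the hops inside the tunnel are not visible; the per-hop detail comes from the comparison path.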

One of AppNeta’s customers, a security hardware provider, wanted to understand user experience over their VPN. To do that, they created paths over IPsec and SSL tunnels. Then they looked at the TCP responses using our Experience functionality to see how users are experiencing the VPN for web-based applications. Users can also use our Delivery feature to see continuous network analysis and combine that with Experience data for a full user picture.

Once you’ve got the VPN monitoring data, you can analyze it to see patterns that can help find and solve any recurring issues and cut down on user complaints.

Comparing VPN performance

Here’s a comparison of performance between two different VPN tunnels—one IPsec, one SSL—going to and from the same location.