The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Computer networks are an important part of business enterprises. For example, networks that are distributed over a wide geographic area can allow a head office of an enterprise to communicate with remote offices and to share critical data, thereby increasing the overall efficiency of the enterprise. Thus, managing the network, to ensure that it is operating at peak condition, is crucial.
One important aspect of network management involves monitoring the availability of network resources. For example, a broadband connection that links a head office to one or more remote offices, and its endpoint devices such as routers and switches, is typically monitored and managed carefully. Close management is necessary because if the connection between the head office and remote office is not operational, then the remote office, and all the information residing at the remote office, is unavailable as a resource. Therefore, it is important that there be an effective way to monitor the availability of resources in a network.
A virtual private network (VPN) link of a head office to a remote office is a specific example of a network connection that is critical to the proper operation of an enterprise, and that requires careful management. A network manager may be specifically interested in having ways to determine whether network users can access remote resources that are accessed through a VPN. To have this knowledge, the network manager needs to know whether the VPN link is active. Determining whether the VPN link is active normally requires monitoring whether endpoint nodes, such as routers, are active and available.
One approach for monitoring the availability of network resources is the “keepalive” approach. In the keepalive approach, a server or some other designated unit in the network periodically polls the resource to be monitored by sending a “keepalive” packet to the resource and waiting for a response from the resource. If there is no response, then the server retries the resource a specified number of times. If there is still no response after the specified number of retries, then the server gives up and determines that the resource is unavailable.
For example, the Internet Key Exchange protocol, which is defined by IETF RFC 2409 and typically implemented with the IPsec suite of protocols, uses a keepalive approach to maintain IPsec tunnels. Another implementation of the keepalive approach is used to maintain Generic Routing Encapsulation (GRE) tunnels.
This approach, however, can become unmanageable as the network grows larger. The unit designated to do the monitoring must be pre-configured with a database of the addresses of all network resources to be monitored, and the polling configuration for each resource. As the network grows, the database can become unreasonably large and difficult to manage. Further, all changes must be propagated to the database, complicating management. In addition, sending keepalive packets to and from the resources in the network can impose an unreasonable burden on the network as the network grows larger and there are more resources in the network to monitor.
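The keepalive cycle described above (poll, retry a fixed number of times on silence, then declare the resource unavailable) and its linear growth in polling traffic can be made concrete in a few lines. The following is an added example and not code from this application; the monitored resource is a constructed in-memory stub that replies or stays silent according to a scripted list, so no packets are sent, and the names `ScriptedResource`, `keepalive_check`, `monitor_all` and `keepalive_load` are assumptions of this example.

```python
"""Keepalive poller with a bounded retry budget (added example).

The resource is a constructed stub: a scripted list of outcomes, one per
poll, lets the retry logic run offline without any network traffic.
"""
from dataclasses import dataclass


@dataclass
class ScriptedResource:
    """Constructed stand-in for a monitored endpoint such as a VPN peer."""
    address: str
    responses: list          # one bool per poll: True = replied, False = silent
    polls_received: int = 0  # how many keepalives this stub has absorbed

    def poll(self) -> bool:
        # Past the end of the script, keep repeating the last outcome.
        idx = min(self.polls_received, len(self.responses) - 1)
        self.polls_received += 1
        return self.responses[idx]


def keepalive_check(resource: ScriptedResource, max_retries: int) -> tuple:
    """One monitoring cycle for one resource.

    Sends an initial keepalive and, on silence, up to max_retries further
    keepalives before giving up. Returns (available, keepalives_sent).
    """
    sent = 0
    for _attempt in range(max_retries + 1):
        sent += 1
        if resource.poll():
            return True, sent
    return False, sent


def monitor_all(resources: list, max_retries: int) -> dict:
    """Run one cycle over the pre-configured resource list (the 'database'
    the text refers to) and return {address: (available, keepalives_sent)}."""
    return {r.address: keepalive_check(r, max_retries) for r in resources}


def keepalive_load(num_resources: int, interval_s: float, max_retries: int = 0) -> float:
    """Keepalive requests per second the monitoring unit emits.

    With every resource answering, this is num_resources / interval_s; in the
    worst case (every resource silent) each cycle also spends max_retries extra
    packets per resource. Replies, when they come, double the on-wire count.
    """
    return num_resources * (1 + max_retries) / interval_s


if __name__ == "__main__":
    # Constructed sample: one peer drops two keepalives then answers, one
    # peer never answers.
    peers = [
        ScriptedResource("10.0.0.1", [False, False, True]),
        ScriptedResource("10.0.0.2", [False]),
    ]
    for addr, (up, sent) in monitor_all(peers, max_retries=3).items():
        print(f"{addr}: {'available' if up else 'UNAVAILABLE'} after {sent} keepalive(s)")
    print("requests/s for 1000 resources at a 10 s interval:",
          keepalive_load(1000, 10.0))
```

The `keepalive_load` figure is what grows unmanageably: doubling the number of monitored resources, or halving the interval to detect failures sooner, doubles the background traffic regardless of whether anything has changed.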
Another approach involves polling, in which a “ping” packet or the equivalent is sent to a remote device. In response to receiving a ping packet, the remote device is required to respond. One implementation of this approach is provided by an IPsec pinging facility in virtual private network monitoring products from Netscreen. However, this approach requires a response from the unit that is monitored. As a result, additional traffic is introduced into the network.
In another approach, “hello” packets may be used, as in the Enhanced Interior Gateway Routing Protocol (“EIGRP”) provided by Cisco Systems, Inc., San Jose, Calif. EIGRP hello packets are sent via multicast to all nodes in the network.
Based on the foregoing, there is a clear need for a way to monitor the availability of network resources that scales better with the size of the network.
There is a particular need for such a method in large virtual private networks with a head end and many remote sites.