Check_MK Parent/Child configuration for AWS VPC VPN

This solution was required on a network where there was a Pfsense Gateway with dual IPsec Tunnels to an Amazon VPC. Each time there was a VPN outage (Either caused by broadband failure at the office, or Amazon maintenance) there was over 200 notification emails sent (For servers being inaccessible then accessible again from the Check_MK server at the office).

The soultion is a bit “Rough and ready” due to time constraints but it is working well now.

Setting up Pfsense Monitoring Script

Check_MK monitoring was already in place on the Pfsense server (Called via a remote script as per below – I updated the Check_MK bsd script slightly to look for the “local” subfolder within “scripts” and wrote the following simple script to check how many Ipsec Tunnels are currently up.

( "ssh [email protected] -p 22 /scripts/check_mk_agent.freebsd", [ 'aws-vpn' ] ),

The ipsec monitoring script:


ipsecCount=$(ipsec statusall | grep "Security Associations" | awk {'print $3'} | sed 's/^(//')
if [ $ipsecCount -lt $warn ]; then
st="less than $warn IPsec VPNs Connected"
st="All VPNs Dialled ($ipsecCount)"

echo "$s vpn-status count=$ipsecCount;$crit;$warn;0; $st"

Configuring Check_MK

The next stage was to configure Check_MK to use this vpn-status as the “Host Check” for the AWS VPN connectivity. The way I did this was by creating a dummy host in Check_MK (called “aws-vpn”) with the same IP address as the Pfsense server. I then inventoried the new host and removed other checks from there (So vpn-status was the only check on the host).

Next, within, I set up host_check_commands – To specify the dummy VPN host and the service that it should use to advise on the hosts status:

host_check_commands += [
( ("service", "vpn-status"), [ "aws-vpn" ], ALL_HOSTS ),

Next (Also within the file) I setup the parent structure for the AWS machines. I added the tag “aws” to each of the AWS hosted machines (Eg below)


The parent configuration as below will set the aws-vpn server as the parent for all machines with this tag:

parents = [
( "aws-vpn", ["aws"], ALL_HOSTS ),

Reload Check_MK to apply

cmk -O

Checking the hosts on Check_MK now show them as having the parent of “aws-vpn”. The final thing to check is that your notification settings are not set to alarm on “Unreachable” as this will be the status your “child” hosts will be in when the VPN “Parent” check is down.

Any comments or questions? Get in touch here or Email me at [email protected]