CustoSec:Check ICMP

From CustosecWiki
Jump to navigation Jump to search
caption
Basic Information on Check
Name of Check ICMP Technical Name check_icmp
Available in Standard Number of Arguments 0
From Version ARANSEC 1.2 Compability All ARANSEC and CustoSec



Scope of Check

This is an easy-to-use standard check to check the network connectivity to a Host within the local network or the internet. By doing so, it has 2 different scopes of application:

  • To check the network connectivity (in this case it is implemented as a service check)
  • To check the availability of a Host (when implemented as a host check)

The check sends a series of ping’s (based on the ICMP protocol) to the targeted host and waits for an answer. WARNING and CRITICAL values are fixed and cannot be changed.

Requirements

For the check to work properly the following requirements must be met:

  • the check is configured as a service check on the target host that should be monitored (for network connectivity) or
  • the Check is implemented as a Host Check to check the availability (standard setting in ARANSEC/CustoSec)


Arguments

There are no arguments for this check.


How the Check works

As a Service Check: The check will send 5 ping’s (echo requests) to the targeted host, once it is executed. The ping’s are sent out as fast as possible, where one ping is only sent when the previous ping has got an answer or latest after 80.000 milliseconds (80 seconds). Out of the answers (echo responses) it is calculating the check result as an arithmetical average. The output contains the following information:

  • IP-Address or hostname of the targeted host;
  • rta (Round Trip Average) in milliseconds (ms). This is calculated based on the RTT (Round Trip Time) of each single ping. The (fixed) threshold for WARNING is 200.000 ms (which equals 2 seconds) and for CRITICAL is 500.000 ms (5 seconds);
  • lost (packet loss) in percent (%): A packet is declared lost if the ICMP message has been discard on the way or if it is returned after the timeout value equal to 2 seconds. Packet losses will lead to a high TCP retransmission rate with the consequence of a slow or interrupted network application. In a LAN environment there shouldn't be any packet losses (cited after www.openmaniak.com/ping.php). The check itself will provide the average calculated out of the 5 ping’s it does. The WARNING threshold is 40% and the CRITICAL threshold is 80%.

As a Host Check: For a host check there is no need to test the time to answer. All you want to know in this case is if the host is alive or not. The check will also send the ping’s and wait for an answer. But after the first echo reply (answer) that he gets, the check will deliver an "OK". Reason is to keep workload for the monitoring system as low as possible.


Returned Values of the Check

The Check returns the following values and information (Check ICMP - other variants of the ICMP checks work accordingly).

Status Output Remarks
OK rta=0.014ms;200.000;500.000;0; pl=0%;40;80;; The output contains the Status, the IP Address of the targeted hosts; the rta (return time average) in milliseconds and the lost packages in %. The rest of the string contains the rta and the packet losses together with their WARNING and CRITICAL thresholds.
WARNING rta=0.021ms;200.000;500.000;0; pl=50%;40;80;; WARNING is issued, because the packet loss was 50% and the WARNING threshold is 40%.
CRITICAL rta=653.153ms;200.000;500.000;0; pl=50%;40;80;; CRITICAL is issued, because the rta was 653.1534 milliseconds which is more than the Critical threshold; the packet loss was 50% and the WARNING threshold is 40%, so there would have been a WARNING as well, which is not issued because the status became CRITICAL anyway.


Overview ICMP Checks

ICMP Checks come in different variants. There are 3 versions with fixed WARNING and CRITICAL thresholds. They are designed to be easy and quickly to use.
All of these checks can be used as host or service checks.


ICMP Checks with fixed thresholds:

Check RTA-WARNING (ms) RTA-CRITICAL (ms) Lost Packets WARNING Lost Packets CRITICAL Remarks
Check ICMP 200.000 500.000 40 80 Standard settings
Check ICMP High 1200.000 1500.000 25 30 Usually longer RTA lead to less packet loss
Check ICMP Very High 3000.000 6000.000 50 80 Very high values.


Besides these Standard Checks, there are 2 versatile checks available with arguments to set WARNING and CRITICAL thresholds as needed.

Check Argument 1 Argument 2 Argument 3 Argument 4 Argument 5 Remarks
Check ICMP Free WARNING Thresholds CRITICAL Threshold Read more on the check's site
Check ICMP Free Packets Packet Intervall Packets Timeout WARNING CRITICAL Read more on the check's site


Notes

  • Just to make it clear: The notation for milliseconds is: 1000.000 for one million, with the "." dot as a thousands separator at the first thousand.
  • This check can also be used to monitor a website. in this case the website has to be configured as a host and ICMP Check as a Host and/or Service Check.


Known Issues

In large networks with a big number of hosts that are all being monitored with this ICMP check and a short check interval, it can lead to problems with the routers and switches. This is a typical scenario:
There is a host group containing 400 hosts and this host group has an ICMP check as a service check with a check interval of let's say 2 minutes.
The check will return a lot of these hosts as CRITICAL or WARNING (always different hosts) and high rta-values (round trip average) and a lot of lost packages.
If one of these hosts is pinged from a different system (i.e. a work station), the ping returns a normal rtt (round trip times).
This very much looks like a cause for a complaint, since ARANSEC / CustoSec obviously does not work correctly. But this is wrong!
Usually the problem are switches or routers, that cannot handle the amount of ping's (2.000 in 120 seconds in this case, which is 16,7 ping's per second).

To solve this problem it is recommended to use the ICMP Free Packets Check.