Highlighted
Bernd Kallweit_ Absent Member.
Absent Member.
405 views

Handling of VPN devices

Hi,

I would like to get some ideas to let DDM-I manage the following situation.

I need to manage laptops that are for longer periods of time not connected to their primary network. Instead, they are connected from time to time through a VPN tunnel.

Discovering and scanning the laptops on the primary network is ok. DHCP is used to assign IPs, and I have configured ARP table read for the DHCP servers.

When the laptop connects through VPN it uses its VPN interface with an IP assigned by the VPN gateway. I can ping-sweep the VPN IP range and find devices there.

But when DDM-I finds out (through a scan) that the VPNed device IP belongs to a device it already knows DDM-I combines the two. If I discover the same VPN IP again, DDM-I remembers this and does not seem to try to handle this IP as a separate device.

My questionis:
How can I get DDM-I to handle devices that use (at different points in time) different interfaces in different IP ranges?

Thanks!

Bernd
Tags (1)
0 Likes
9 Replies
Steven R Lee
New Member.

Re: Handling of VPN devices

The DDM I merging logic is handling the devices as expected. The logic tries in many ways to maintain the device as one device to aviod duplications in the DDM I Database.

If the desire is to seprate the same device from the primary network when connected by a VPN connection then you might want to look at a small server to handle just VPN ip addresses.

There is some ways to configure the scan file merging with the discovered device but I think if you want to handle them sepratly that might be the best option.
0 Likes
Bernd Kallweit_ Absent Member.
Absent Member.

Re: Handling of VPN devices

Hi Steven,

Thanks for your reply.

I need to talk to my client about a secondary DDM-I server to handle VPN devices.

Can you elaborate a bit on how to configure the scan file merging?

0 Likes
Absent Member.. MTWalsh Absent Member..
Absent Member..

Re: Handling of VPN devices

I would avoid tampering with the merge process. A 2nd DDMi server might serve you better.

Can I ask, what is the reason why they would want to see the same device represented as two different devices like that. What is the question you need to answer.

Are you bringing the data in to Asset Manager? If so, and if you have the reconciliation module, you can configure the CIT scenario to let you know, via reconciliation proposals, when an IP changes on a device.

Another way you could show something like this is to simply turn on history on the amComputer.TcpIpAddress field in AssetManager (whether you have the reconciliation proposal module or not).

DDMi is not supposed to be a long term management of assets application, it shows a snapshot of the environment as it is now, not over time. If you need to show things over time like that, the right place to do it would be in Asset Manager.

0 Likes
Bernd Kallweit_ Absent Member.
Absent Member.

Re: Handling of VPN devices

Actually, I try to avoid seeing the same device represented as multiple devices. I would want to manage a device with the IP/MAC it is currently able to communicate with.
This would allow to track the devices while they are not connected to the primary network.

DDM-I seems to scan IPs in the VPN range only if the particular IP hasn't yet been added to a device's list of IPs. If the IP is already part of a known device DDM-I will try that device's preferredIPAddress and never rescan the IP in the VPN range, even if it has been reassigned to another device.

It might help if I could get the ARP table of the VPN DHCP server; but I'm not sure if that's possible.

The client doesn't use AssetManager (yet). We are replicating device data into ServiceManager through UCMDB.
0 Likes
Absent Member.. MTWalsh Absent Member..
Absent Member..

Re: Handling of VPN devices

You could try reducing your purge interval. That might get them out of there more quickly and let the get completely rediscovered as new devices on the VPN more quickly.
0 Likes
Matthew Darwin Absent Member.
Absent Member.

Re: Handling of VPN devices

Suggest you look at some of the features in DDMI v 7.60 which handle VPNs better.
0 Likes
Bernd Kallweit_ Absent Member.
Absent Member.

Re: Handling of VPN devices

Cheers, yes, the new version looks quite promising; perhaps it solves the issues I have. Already installed it last week.
0 Likes
Karen G Absent Member.
Absent Member.

Re: Handling of VPN devices

Hello,

Version 7.6 contains code to address this issue. Adjusting the merge parameters will not address the core issue where DDMi in earlier versions merged the asset on IP address. Since many assets share the same DHCP IP pool, assets were merged together that should not have been merged. The process DDMi will now use is the following. An asset is written to the database with its IP address. When a different asset arrives with the same IP address, the new asset is added to the database with the IP address. The original asset remains in the database but its IP adddress field is cleared.
0 Likes
Bernd Kallweit_ Absent Member.
Absent Member.

Re: Handling of VPN devices

.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.