WAN Dropout/Flap detection & reporting

lianthar

Occasional Visitor
Hi - I have just bought a new Asus RT-AX88u and am running the latest Merlin FW.

I am looking for an easy way to report on all WAN dropouts/flaps? Is there a way to do this? Is there a specific log entry or entries to look for that will show both quick flaps and longer (minutes) long dropouts of the Internet service?

Thanks in advance
 
What's a flap?
 
Did you just make that Wiki entry? :D
 
Did you just make that Wiki entry? :D

"port flapping" is actually a known term in networking, it describes when a port keeps alternating between up/down states.
 
Sorry, just trying to make a funny. I knew the Wiki entry was real. :)

But this is the first time I've heard this term.
 
I am looking for an easy way to report on all WAN dropouts/flaps? Is there a way to do this? Is there a specific log entry or entries to look for that will show both quick flaps and longer (minutes) long dropouts of the Internet service?

I wish there were (distinguishing router fails vs flapping)... due to a less than stellar upstream provider, I've spent more time than I'd like on the cl running down their flapping routes and misconfigured BGP issues before I start looking at the local router on my end...

if you or anyone else has any tips - I'd appreciate hearing them, too...
 
I wish there were (distinguishing router fails vs flapping)... due to a less than stellar upstream provider, I've spent more time than I'd like on the cl running down their flapping routes and misconfigured BGP issues before I start looking at the local router on my end...

if you or anyone else has any tips - I'd appreciate hearing them, too...
I was hoping someone with advanced knowledge on how to parse the syslog for the right type of entries might be able to advise? Another option I was considering was seeing if my DDNS name could be monitored using an external website monitoring service. Anyone tried that approach?
 
The only relevant entries in the syslog that I can think of are like these:

Dec 1 13:09:27 WAN(0)_Connection: Ethernet link up.
Dec 1 13:09:33 WAN(0)_Connection: WAN was restored.


Although this mostly works for outages that last a reasonable amount of time I've found that it doesn't show the "link down" messages for brief outages (flapping).
 
Although this mostly works for outages that last a reasonable amount of time I've found that it doesn't show the "link down" messages for brief outages (flapping).
Yep - same here. I can see brief outages on my connected devices but these don't seem to show as something I can pinpoint in the logs. Longer outages do get ISP DHCP error messages.

I do have dual-WAN enabled now (to a backup modem) and that uses the DNS method to detect a failover state. Maybe that same DNS method could be used to monitor WAN status in general and provide a summary of failures somewhere?
 
You can of course write a custom script that does whatever you want if you're prepared to do the work. For example people have written scripts that email them when there has been a loss of internet. It depends on exactly what you're trying to do. Detecting a lack of internet can be done easily enough with pings, but that's not the same as detecting a flapping port (which I thought was what you wanted).
 
I've come up with a solution of sorts that works for me. The failover detection (using DNS method) for Dual-WAN meets my criteria to detect what I am looking for in terms of dropouts - ie: Detect Interval: Every 5 seconds / Failover Trigger Condition: When the current WAN fails 12 continuous times, failover to Secondary WAN.

When the WAN does failover a DDNS update is forced and that is recorded in the syslog: eg.
Dec 2 11:46:15 inadyn[23380]: Update forced for alias xxxxxx.ddns.net, new IP# xxx.xxx.xxx.xxx

My failover modem uses a different IP range so it is easy for me to see when I have failed over to the secondary WAN link.

So if I write the syslog out to a server and just look for any entries where DDNS updates point to the failover WAN IP range.
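
Added example, not part of the original thread and not any poster's script: a shell/awk filter that scans syslog lines in the format quoted above and reports link messages plus each failover period, judged by whether the forced DDNS update's new IP falls in the failover range. The prefix `192.0.2.`, the alias `home.example.net` and the addresses are constructed; it assumes a DDNS update is also forced on return to the primary WAN and that both updates fall in the same month.

```shell
#!/bin/sh
# Added example; the sample log and addresses are constructed.

# Constructed sample: the two WAN(0)_Connection lines are the ones quoted in
# the thread, the inadyn lines follow the quoted format with made-up values.
sample_log() {
    cat <<'EOF'
Dec  1 13:09:27 WAN(0)_Connection: Ethernet link up.
Dec  1 13:09:33 WAN(0)_Connection: WAN was restored.
Dec  2 11:46:15 inadyn[23380]: Update forced for alias home.example.net, new IP# 192.0.2.10
Dec  2 11:52:40 inadyn[23412]: Update forced for alias home.example.net, new IP# 198.51.100.7
EOF
}

# wan_failovers PREFIX  (syslog on stdin)
# PREFIX is the leading part of the failover WAN range, e.g. "192.0.2."
wan_failovers() {
    awk -v prefix="$1" '
    # Seconds since the start of the month; syslog lines carry no year.
    function secs(day, hms,   t) {
        split(hms, t, ":")
        return ((day * 24 + t[1]) * 60 + t[2]) * 60 + t[3]
    }
    { stamp = $1 " " $2 " " $3 }
    /WAN\([0-9]+\)_Connection: / {
        msg = $0
        sub(/.*_Connection: /, "", msg)
        print "LINK", stamp, msg
    }
    /inadyn\[[0-9]+\]: Update forced for alias / {
        ip = $0
        sub(/.*new IP# /, "", ip)      # keep only what follows "new IP# "
        sub(/[^0-9.].*$/, "", ip)      # drop anything after the address
        now = secs($2, $3)
        if (index(ip, prefix) == 1) {  # address is in the failover range
            if (!down) { down = 1; start = now; print "FAILOVER", stamp, ip }
        } else if (down) {             # first primary-range update afterwards
            down = 0
            print "RESTORED", stamp, ip, "after", (now - start) "s"
        }
    }'
}

sample_log | wan_failovers "192.0.2."
```

To use it on real data, pipe the router's syslog (or the copy on the syslog server) into `wan_failovers` with your own failover prefix.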
 
When the WAN does failover a DDNS update is forced and that is recorded in the syslog: eg.
Dec 2 11:46:15 inadyn[23380]: Update forced for alias xxxxxx.ddns.net, new IP# xxx.xxx.xxx.xxx

My failover modem uses a different IP range so it is easy for me to see when I have failed over to the secondary WAN link.

So if I write the syslog out to a server and just look for any entries where DDNS updates point to the failover WAN IP range.
This SyslogEventMonitor.sh script may get you started....

The crude script continuously monitors Syslog for defined trigger messages, but can be inefficient if you have a busy Syslog i.e. the script will process every message.

You can of course install
to only write the trigger messages to a separate syslog-ng filter file. Subsequently a simple change in the script to monitor the appropriate syslog-ng filter file (rather than Syslog) will improve the efficiency of the script as it will only execute the script's logic when the specific syslog-ng filter file is physically updated.
 
Syslog will only report if the Ethernet link to the modem goes down, or if a PPPoE session is terminated. It won't report if your ISP suddenly stops routing traffic.
 
