[Day #77 PyATS Series] Automate Site-to-Site VPN Status Checks (IPSec/DMVPN) Using pyATS for Cisco [Python for Network Engineer]


Introduction on the Key Points

Ensuring the availability and stability of site-to-site VPNs (IPSec or DMVPN) is crucial for maintaining secure inter-site communications in enterprise networks. Manual VPN status checks are labor-intensive and error-prone, especially in large-scale environments with multiple tunnels and devices.

In this article we automate the validation of site-to-site VPN status with pyATS on Cisco IOS-XE and IOS devices. The result is a structured, repeatable check that network engineers can run to verify the health of IPSec/DMVPN tunnels through CLI and, optionally, GUI validation.

This masterclass workflow empowers network engineers to build automated audits that:

  • Validate IPSec/DMVPN tunnel state.
  • Ensure cryptographic configuration consistency.
  • Report failures immediately for proactive troubleshooting.

As part of your journey toward becoming a Python for Network Engineer, automating VPN health checks ensures scalability, operational efficiency, and strong SLA compliance.


Topology Overview

  • Site A (Hub Router): Centralized DMVPN hub handling multiple spoke connections.
  • Site B (Spoke Router): Initiates DMVPN connection to the hub.
  • The Automation Server runs the pyATS validation scripts post-deployment or periodically to verify VPN health.

Objectives:

  • Validate tunnel status (up/down).
  • Check cryptographic parameters and policies.
  • Confirm IP reachability across the tunnel.

Topology & Communications

Communication Workflow:

  1. Automation server connects to both Site A and Site B routers over SSH.
  2. Executes key CLI commands:
    • show crypto isakmp sa
    • show crypto ipsec sa
    • show dmvpn
    • ping tests across tunnel endpoints.
  3. Parses outputs into structured data.
  4. Validates:
    • ISAKMP/IPsec SAs are active.
    • DMVPN NHRP states show active spokes.
    • End-to-end ping succeeds across sites.
  5. Optionally, captures GUI dashboard screenshots to visually confirm tunnel status.

Workflow Script

from genie.testbed import load
from pyats.aetest import Testcase, setup, test, cleanup, main

# Substrings that must appear in the raw CLI output of a healthy tunnel.
# These are coarse checks: "up" also matches inside words such as "Group",
# and a single ACTIVE SA passes even if another peer's SA is missing.
EXPECTED_STATUS = {
    "isakmp_sa_state": "ACTIVE",
    "ipsec_sa_state": "ACTIVE",
    "dmvpn_state": "up"
}

# Spoke-side tunnel address pinged from the hub to prove end-to-end reachability.
PING_TARGET = "10.10.10.2"


class VPNStatusValidation(Testcase):

    @setup
    def connect_and_fetch(self, testbed):
        # Connect to both routers over SSH (as defined in testbed.yml) and
        # collect every show output once; the test sections only evaluate it.
        self.vpn_data = {}
        self.hub_device = testbed.devices['hub_router']
        self.spoke_device = testbed.devices['spoke_router']

        self.hub_device.connect(log_stdout=False)
        self.spoke_device.connect(log_stdout=False)

        self.vpn_data['hub_isakmp'] = self.hub_device.execute('show crypto isakmp sa')
        self.vpn_data['hub_ipsec'] = self.hub_device.execute('show crypto ipsec sa')
        self.vpn_data['hub_dmvpn'] = self.hub_device.execute('show dmvpn')

        self.vpn_data['spoke_isakmp'] = self.spoke_device.execute('show crypto isakmp sa')
        self.vpn_data['spoke_ipsec'] = self.spoke_device.execute('show crypto ipsec sa')
        self.vpn_data['spoke_dmvpn'] = self.spoke_device.execute('show dmvpn')

        # Reachability across the tunnel is tested from the hub side.
        self.vpn_data['ping_test'] = self.hub_device.execute(f'ping {PING_TARGET}')

    @test
    def validate_isakmp_sa(self):
        # Phase 1 (IKE/ISAKMP) SA must be ACTIVE on both ends.
        hub_sa = self.vpn_data['hub_isakmp']
        spoke_sa = self.vpn_data['spoke_isakmp']

        assert EXPECTED_STATUS['isakmp_sa_state'] in hub_sa, "FAIL: Hub ISAKMP SA not ACTIVE"
        assert EXPECTED_STATUS['isakmp_sa_state'] in spoke_sa, "FAIL: Spoke ISAKMP SA not ACTIVE"
        print("PASS: ISAKMP SAs are active on both Hub and Spoke.")

    @test
    def validate_ipsec_sa(self):
        # Phase 2 (IPsec) SA must be ACTIVE on both ends.
        hub_ipsec = self.vpn_data['hub_ipsec']
        spoke_ipsec = self.vpn_data['spoke_ipsec']

        assert EXPECTED_STATUS['ipsec_sa_state'] in hub_ipsec, "FAIL: Hub IPsec SA not ACTIVE"
        assert EXPECTED_STATUS['ipsec_sa_state'] in spoke_ipsec, "FAIL: Spoke IPsec SA not ACTIVE"
        print("PASS: IPsec SAs are active on both Hub and Spoke.")

    @test
    def validate_dmvpn_state(self):
        # NHRP neighbor state in 'show dmvpn' must be up on both ends.
        hub_dmvpn = self.vpn_data['hub_dmvpn']
        spoke_dmvpn = self.vpn_data['spoke_dmvpn']

        assert EXPECTED_STATUS['dmvpn_state'] in hub_dmvpn, "FAIL: Hub DMVPN state not up"
        assert EXPECTED_STATUS['dmvpn_state'] in spoke_dmvpn, "FAIL: Spoke DMVPN state not up"
        print("PASS: DMVPN state is up on both Hub and Spoke.")

    @test
    def validate_ping(self):
        # A 100% success rate shows the tunnel actually forwards traffic.
        ping_output = self.vpn_data['ping_test']
        assert "Success rate is 100 percent" in ping_output, "FAIL: Ping test across VPN failed"
        print("PASS: End-to-end ping across VPN is successful.")

    @cleanup
    def disconnect(self):
        # Always release the SSH sessions, even if a test section failed.
        for device in (getattr(self, 'hub_device', None), getattr(self, 'spoke_device', None)):
            if device is not None and device.connected:
                device.disconnect()


if __name__ == '__main__':
    # Standalone run: python vpn_status_check.py --testbed testbed.yml
    import argparse
    parser = argparse.ArgumentParser()
    parser.add_argument('--testbed', dest='testbed', type=load, required=True)
    args, _ = parser.parse_known_args()   # leave other aetest options untouched
    main(testbed=args.testbed)

Explanation by Line

  • EXPECTED_STATUS: Defines expected state strings (ACTIVE or up) for ISAKMP, IPsec, and DMVPN.
  • connect_and_fetch():
    • Connects to hub and spoke routers via SSH.
    • Executes CLI commands to retrieve ISAKMP SA, IPsec SA, and DMVPN states.
    • Conducts ping tests for end-to-end reachability.
  • validate_isakmp_sa(): Validates that ISAKMP SAs are ACTIVE on both devices.
  • validate_ipsec_sa(): Ensures that IPsec SAs are ACTIVE on both hub and spoke.
  • validate_dmvpn_state(): Confirms that DMVPN state is up (active).
  • validate_ping(): Checks for a 100% ping success rate, which confirms the tunnel forwards traffic end to end.
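The workflow script tests for a substring in the raw output, so it passes as soon as any line contains ACTIVE or any word contains "up", and it cannot say which peer failed. The following added example (not part of the article's script) parses the outputs from the Post-validation CLI section into per-peer dictionaries and returns one finding per failing peer; the sample outputs are constructed from that section, with one extra down neighbor added, and the function names are this example's own.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed samples: the article's expected outputs plus one extra DMVPN
# neighbor in a down state, to show per-peer failure reporting.
ISAKMP_SA_OUTPUT = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.200.2   192.168.200.1   ACTIVE        1       QM_IDLE
"""
DMVPN_OUTPUT = """DMVPN Phase 3 Network Status
Tunnel0: NHRP Registered
NHRP Neighbors:
192.168.200.2    100.1.1.2  up
192.168.200.3    100.1.1.3  down
"""
PING_OUTPUT = """Sending 5, 100-byte ICMP Echoes to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/5 ms
"""

def parse_isakmp_sa(output: str) -> dict:
    """{dst_peer: {src, state, conn_id, status}} per SA row. IOS prints QM_IDLE
    under 'state' and ACTIVE under 'status' (the article's sample swaps them),
    so both columns are kept and checked together."""
    row = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+(\d+)\s+(\S+)", re.M)
    return {d: {"src": s, "state": st, "conn_id": int(c), "status": x}
            for d, s, st, c, x in row.findall(output)}

def parse_dmvpn_peers(output: str) -> dict:
    """{nbma_addr: {tunnel, state}} for each NHRP neighbor line of `show dmvpn`."""
    row = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)", re.M)
    return {n: {"tunnel": t, "state": st.lower()} for n, t, st in row.findall(output)}

def vpn_findings(isakmp: str, dmvpn: str, ping: str) -> list:
    """One finding per failed check; empty list means healthy. Empty or
    unparseable output is itself a finding, never a silent pass."""
    sas, peers, findings = parse_isakmp_sa(isakmp), parse_dmvpn_peers(dmvpn), []
    if not sas or not peers:
        findings.append("no ISAKMP SA rows or NHRP neighbors parsed from output")
    findings += [f"ISAKMP: SA to {d} is {sa['state']}/{sa['status']}"
                 for d, sa in sas.items() if "ACTIVE" not in (sa["state"], sa["status"])]
    findings += [f"DMVPN: peer {n} (tunnel {p['tunnel']}) is {p['state']}"
                 for n, p in peers.items() if p["state"] != "up"]
    m = re.search(r"Success rate is (\d+) percent \((\d+)/(\d+)\)", ping)
    if not m:
        findings.append("PING: no 'Success rate' line in output")
    elif int(m[1]) < 100:
        findings.append(f"PING: only {m[2]}/{m[3]} replies across the tunnel")
    return findings
```

Inside the aetest script, `vpn_findings(...)` can be called on the collected outputs and the section failed with the list joined into the failure reason, so the report names the exact peer that is down.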

testbed.yml Example

testbed:
  name: vpn_status_testbed
  credentials:
    default:
      username: admin
      # Clear-text password shown for the lab only; pyATS also accepts
      # "%ASK{}" (prompt at run time) or "%ENC{...}" (encrypted string)
      # so the secret does not have to live in this file.
      password: Cisco123

devices:
  hub_router:
    os: iosxe
    type: router
    connections:
      cli:
        protocol: ssh
        ip: 192.168.200.1

  spoke_router:
    os: iosxe
    type: router
    connections:
      cli:
        protocol: ssh
        ip: 192.168.200.2

Post-validation CLI (Real expected output)

show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.200.2   192.168.200.1   ACTIVE        1       QM_IDLE

show crypto ipsec sa

interface: Tunnel1
   Crypto map tag: VPN-MAP, local addr 192.168.200.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.200.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.200.2/255.255.255.255/47/0)

   current_peer: 192.168.200.2
   #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
   #pkts decaps: 1150, #pkts decrypt: 1150, #pkts verify: 1150

show dmvpn

DMVPN Phase 3 Network Status
Tunnel0: NHRP Registered
NHRP Neighbors:
192.168.200.2    100.1.1.2  up

ping 10.10.10.2

Sending 5, 100-byte ICMP Echoes to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/5 ms

FAQs

Q1. Why is automating site-to-site VPN status checks important in network operations?
A1. Site-to-site VPNs (IPSec, DMVPN) are critical for securely connecting branch offices, data centers, and remote sites. Automating status checks ensures continuous availability, detects tunnel failures proactively, and helps maintain secure communication without manual intervention.


Q2. How does pyATS help in automating VPN status validation?
A2. pyATS connects to VPN endpoints, executes commands like show crypto session, show dmvpn, and parses the output to check tunnel status, peer reachability, encryption status, and uptime. Structured reports are generated indicating healthy or problematic VPN states.


Q3. Which commands are commonly used to check IPSec and DMVPN status on Cisco devices?
A3.

  • For IPSec:
    • show crypto session
    • show crypto isakmp sa
  • For DMVPN:
    • show dmvpn
    • show nhrp detail

These commands provide detailed session, tunnel, and peer status information.

Q4. Can pyATS handle multi-vendor VPN status checks?
A4. Yes. By implementing vendor-specific parsers or templates, pyATS can retrieve and validate VPN status for other vendors like Arista, Juniper, Fortinet, etc., making the solution vendor-agnostic and scalable.


Q5. How are VPN tunnel failures reported in pyATS automation results?
A5. Failures are flagged in detailed JSON or HTML reports. Each VPN tunnel is listed with key parameters such as session status, encryption, peer IP, uptime, and failure reason. Reports are designed to quickly highlight problematic tunnels for easy remediation.


Q6. Can pyATS automation be scheduled to run periodically?
A6. Yes. Using cron jobs, Jenkins pipelines, or scheduled workflows in automation platforms (like Ansible Tower), pyATS jobs can run periodically to continuously monitor VPN health and detect issues in near real-time.


Q7. How does automating VPN status validation improve network reliability?
A7. Automation ensures consistency and faster fault detection than manual checks. It reduces human error, provides audit trails, and enables immediate alerting or remediation actions, increasing uptime and security across critical site-to-site VPN links.


YouTube Link

Watch the Complete Python for Network Engineer: Automate Site-to-Site VPN Status Checks (IPSec/DMVPN) Using pyATS for Cisco [Python for Network Engineer] Lab Demo & Explanation on our channel:

Master Python Network Automation, Ansible, REST API & Cisco DevNet
Why Robot Framework for Network Automation?

Join Our Training

Congratulations on mastering Day #77 of the pyATS Series by automating site-to-site VPN status validation using pyATS. You’ve learned to build scalable, automated workflows that improve operational efficiency and reduce manual toil.

However, there’s much more to mastering network automation and building robust solutions.

Trainer Sagar Dhawan’s 3-month Instructor-Led Training Program offers deep expertise in structured automation, Python scripting, Ansible playbooks, and API-driven network management.

Explore full course outline:
Python Ansible API Cisco DevNet for Network Engineers – 3-Month Training

Join now and transform your career into a highly productive Python for Network Engineer expert.

Enroll Now & Future-Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088