Forum Discussion

InfraTeam's avatar
InfraTeam
Icon for Making Connections rankMaking Connections
21 days ago
Solved

Is there a way to monitor CATO IPSec degraded status

Hello,

We recently enhanced our resilience on CATO side by switching from a single IPSec peering tunnel to a dual active/passive IPSec tunnel, enabling automatic failover in case of POP incident.

However, monitoring via the basic API request does not return a “Degraded” status; it only returns ‘Connected’ or “Disconnected”. The API request uses the Account Snapshot one.

Investigating deeper in the CATO API, it doesn't seem possible to get the “Degraded” status for IPSec connectivity.

Is this a limitation of the API?

Is an update to the API on CATO’s roadmap to monitor this status ?

 

Looking forward to your response.

Corentin

  • RobertG's avatar
    RobertG
    16 days ago

    Hi Corentin,

    Here is a slimmed down version of the query and variables required.

    query accountSnapshot ( $accountID:ID ) {
  accountSnapshot ( accountID:$accountID  ) {
    id 
    sites  {
      id
      connectivityStatusSiteSnapshot: connectivityStatus
      operationalStatusSiteSnapshot: operationalStatus
      lastConnected
      connectedSince
      popName
      infoSiteSnapshot: info  {
        name 

        ipsec  {
          isPrimary
          remoteIP
        }

      }
      degradedStatusSiteSnapshot: degradedStatus  {
        isDegraded 
        degradedDetails  {
          reason
          argsDegradedDetail: args  {
            __typename
            ... on DegradedStatusBasicDataArgs {
              deviceName 
              lastConnectedDate 
            }
            ... on DegradedStatusSocketArgs {
              deviceName 
              portID 
              portName 
              lastConnectedDate 
            }
            ... on DegradedStatusLastConnectedArgs {
              lastConnectedDate 
            }
            ... on DegradedStatusMultiTunnelArgs {
              deviceName 
              tunnelID 
              tunnelName 
              lastConnectedDate 
            }
            }

        }

      }
    }

    timestamp 
  }  
}
    {
    "accountID": "123456",
    "siteIDs": []
}

    I hope this helps,

    Rob

5 Replies

  • RobertG's avatar
    RobertG
    Icon for Cato Professional Services rankCato Professional Services
    20 days ago

    Hi Corentin,

    I just checked and the degraded status is able to be queried via the accountSnapshot in my lab, I setup an IPsec site and was able to get this working.

    But it is dependant on a new feature which is A/A tunnels this is currently in gradual rollout, in short when this feature is activated on your account you will have this degraded status available.

    "isDegraded": true,

    "degradedDetails": [

    {

    "reason": "IPSEC_MULTI_TUNNEL_TUNNEL_DISCONNECTED",

    "argsDegradedDetail": {

    "__typename": "DegradedStatusMultiTunnelArgs",

    "deviceName": "secondary",

    "tunnelID": "SECONDARY1",

    "tunnelName": "SECONDARY1",

    "lastConnectedDate": "2026-05-01T08:39:38Z"

    I hope this helps,

    Rob

  • InfraTeam's avatar
    InfraTeam
    Icon for Making Connections rankMaking Connections
    17 days ago

    Hello,

    Thanks for the reply.

    We do have this feature enabled on our CATO Tenant. But, that means this status is only parsable if I'm on an Active / Active tunnel configuration ?

    Actually, I'm on Active (Primary) / Passive (Secondary) IPSec tunnels.

    I don't get where are located those "is degraded" & "degraded details" fields on the GraphQL request...

    I don't find anything on the CATO documentation, or maybe i'm not skilled enough to understand where to find it.

    here is my GraphQL request : 

            query accountSnapshot($accountID:ID!) {

          accountSnapshot(accountID:$accountID) {

            sites {

              id

              connectivityStatus

              operationalStatus

              lastConnected

              connectedSince

              devices {

                connected

                version

              }

              info {

                name

                type

                connType

              }

            }

            timestamp

          }

        }

    Can you please help me ?

    Best Regards,

    Corentin

  • InfraTeam's avatar
    InfraTeam
    Icon for Making Connections rankMaking Connections
    17 days ago

    RobertG​ Update :

    Reading deeply the doc and using my brain (and a bit of AI but not that much !), I finally managed to understand a bit more how GraphQL works and imbricates sub-fields !

    I optimized the query to only request what we need, but I still don't get how to parse the "degradedDetails" sub-field : "args"

    I'm rejected, with a 422 ERROR.

    Here is my actual working query :

            query accountSnapshot($accountID:ID!) {
          accountSnapshot(accountID:$accountID) {
            sites {
              id
              connectivityStatus
              lastConnected
              connectedSince
              degradedStatus {
                isDegraded
                degradedDetails {
                  reason
                }
              }
              info {
                name
              }
            }
          }
        }

    But when I try to add the "args" field below "degradedDetails", it doesn't work anymore, compared to you, and the result you shared.

    Can you tell me how you do that please ?

    Best Regards,

    Corentin

    • RobertG's avatar
      RobertG
      Icon for Cato Professional Services rankCato Professional Services
      16 days ago

      Hi Corentin,

      Here is a slimmed down version of the query and variables required.

      query accountSnapshot ( $accountID:ID ) {
  accountSnapshot ( accountID:$accountID  ) {
    id 
    sites  {
      id
      connectivityStatusSiteSnapshot: connectivityStatus
      operationalStatusSiteSnapshot: operationalStatus
      lastConnected
      connectedSince
      popName
      infoSiteSnapshot: info  {
        name 

        ipsec  {
          isPrimary
          remoteIP
        }

      }
      degradedStatusSiteSnapshot: degradedStatus  {
        isDegraded 
        degradedDetails  {
          reason
          argsDegradedDetail: args  {
            __typename
            ... on DegradedStatusBasicDataArgs {
              deviceName 
              lastConnectedDate 
            }
            ... on DegradedStatusSocketArgs {
              deviceName 
              portID 
              portName 
              lastConnectedDate 
            }
            ... on DegradedStatusLastConnectedArgs {
              lastConnectedDate 
            }
            ... on DegradedStatusMultiTunnelArgs {
              deviceName 
              tunnelID 
              tunnelName 
              lastConnectedDate 
            }
            }

        }

      }
    }

    timestamp 
  }  
}
      {
    "accountID": "123456",
    "siteIDs": []
}

      I hope this helps,

      Rob