We use a similar logic to achieve the same thing. We have 3 sets of alerts, one that looks like this:
AlertingGroup is equal to Voice
Node Status is equal to Down
With a trigger time of 10 minutes. And a second one that looks like this:
AlertingGroup is equal to Network
Packet Loss is greater than or equal to 50%
With a trigger time of 5 minutes. And the third one that looks like this:
Packet Loss is greater than or equal to 80%
And Any of the following:
- AlertingGroup is equal to Systems
- AlertingGroup is empty
With a trigger time of 10 minutes.
Each of the alerts goes to a different group.
Another option to consider is dependencies. If you can monitor a router or a switch on the other side of the VPN, or treat the VPN tunnel as a host somehow, then you can make the remote sites dependent on that host. This will change the remote hosts' state from DOWN to UNKNOWN when the tunnel goes down, and will not trigger a "down" alert, except for the tunnel.
