Monitoring VPN users on PIX 515

I have been tasked to set up some sort of monitoring so that we can tell what time a user connected/disconnected from the VPN.

We use a PIX 515 in the main office and 506E in the remote offices. I have an ACS server in the main office as well. I can see when a user logs onto the VPN in the ACS server, but nowhere does it tell me when they log off.

Any ideas would be greatly appreciated.

thanks

Reply to
sensei

In article , sensei wrote:
:I have been tasked to set up some sort of monitoring so that we can tell
:what time a user connected/disconnected from the VPN.

:We use a PIX 515 in the main office and 506E in the remote offices. I
:have an ACS server in the main office as well. I can see when a user
:logs onto the VPN in the ACS server but nowhere does it tell me when
:they log off.

As far as the PIX is concerned, there isn't any such thing as "logging off" at the RADIUS or TACACS+ level. One authenticates against the RADIUS or TACACS+ server and that grants credentials for use as often or as little as the client needs. The PIX cannot tell that the client has closed the web browser or ftp client or whatever: all it can tell is that the credentials haven't been used in a while.

Similarly, at the IPSec level, the PIX cannot tell that a client has gone home for the evening: all the PIX can tell is that the tunnel hasn't received any traffic. Unless you have enabled keep-alives, there isn't any difference between losing the connection and simply not using the connection.

I don't know if the Cisco Unity Client has a "goodbye" message that is sent when one closes the program. IPSec in general does not.

Reply to
Walter Roberson

If we were to move to a VPN concentrator, would that help?

Reply to
sensei

Yes, full logs in the concentrator, though they do get overwritten, so going back weeks, sometimes even days, is not an option.

Reply to
Brian V

Well, you could log them to an external syslog host.

Reply to
Martin Bilgrav

Would logging to a RADIUS server be possible as well?

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

In article , Christoph Gartmann wrote:
:>Well, you could log them to an external syslog host.

:Would logging to a RADIUS server be possible as well?

See my earlier message in this thread: unless the Unity client happens to have an "I'm leaving now" message when it is shut down, the PIX will not know that it is gone.

Hmmm, guess I could experiment on that a little at some point.

Reply to
Walter Roberson

I've used Kiwi syslog server on an external PC, and created some filters to log the lines below.

See the lines "sa created" and "deleting SA".

These are the config lines on a Cisco PIX:

logging on
logging timestamp
logging buffered informational
logging trap informational
logging host inside 10.32.2.11
logging host inside 10.64.1.33

regards oTTo

=============LOG ON EXTERNAL PC===========================================================

2005-09-24 20:34:01 Local4.Info 10.64.1.254 Sep 24 2005 20:33:57: %PIX-6-109005: Authentication succeeded for user 'vpn-client' from 213.aaa.bbb.ccc (client) /0 to 82.xx.yy.zz (HQ.provider.nl) /0 on interface outside

2005-09-24 20:34:01 Local4.Info 10.64.1.254 Sep 24 2005 20:33:57: %PIX-6-602301: sa created, (sa) sa_dest= 82.xx.yy.zz (HQ.provider.nl) , sa_prot= 50, sa_spi= 0xb6c9671b(3066652443), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 18

2005-09-24 20:34:01 Local4.Info 10.64.1.254 Sep 24 2005 20:33:57: %PIX-6-602301: sa created, (sa) sa_dest= 213.aaa.bbb.ccc (client) , sa_prot= 50, sa_spi= 0x5c7537e3(1551185891), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 17

2005-09-24 20:34:01 Local4.Critical 10.64.1.254 "Sep 24 2005 20:33:57: %PIX-2-109011: Authen Session Start: user 'vpn-client', sid 21"

2005-09-24 20:34:04 Local4.Info 10.64.1.254 Sep 24 2005 20:34:00: %PIX-6-602301: sa created, (sa) sa_dest= 82.xx.yy.zz (HQ.provider.nl) , sa_prot= 50, sa_spi= 0xbfdd2f32(3218943794), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 13

2005-09-24 20:34:04 Local4.Info 10.64.1.254 Sep 24 2005 20:34:00: %PIX-6-602301: sa created, (sa) sa_dest= 213.aaa.bbb.ccc (client) , sa_prot= 50, sa_spi= 0x559d29fc(1436363260), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 14

2005-09-24 20:36:20 Local4.Info 10.64.1.254 Sep 24 2005 20:36:16: %PIX-6-602302: deleting SA, (sa) sa_dest= 82.xx.yy.zz (HQ.provider.nl) , sa_prot= 50, sa_spi= 0xbfdd2f32(3218943794), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 13

2005-09-24 20:36:20 Local4.Info 10.64.1.254 Sep 24 2005 20:36:16: %PIX-6-602302: deleting SA, (sa) sa_dest= 213.aaa.bbb.ccc (client) , sa_prot= 50, sa_spi= 0x559d29fc(1436363260), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 14

2005-09-24 20:36:20 Local4.Info 10.64.1.254 Sep 24 2005 20:36:16: %PIX-6-602302: deleting SA, (sa) sa_dest= 82.xx.yy.zz (HQ.provider.nl) , sa_prot= 50, sa_spi= 0xb6c9671b(3066652443), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 18

2005-09-24 20:36:20 Local4.Info 10.64.1.254 Sep 24 2005 20:36:16: %PIX-6-602302: deleting SA, (sa) sa_dest= 213.aaa.bbb.ccc (client) , sa_prot= 50, sa_spi= 0x5c7537e3(1551185891), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 17
Reply to
òTTó
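A small correlation script over the Kiwi log format shown above, as an added example (not from oTTo's post or a Kiwi filter): it pairs the 109005 authentication message with the 602301/602302 SA create/delete messages for the same client address and reports a connect time and a disconnect time per user. The sample lines are constructed from the excerpt above and reuse its placeholder addresses (213.aaa.bbb.ccc, 82.xx.yy.zz).

```python
import re
from collections import defaultdict
from datetime import datetime

# Message formats taken from the Kiwi log excerpt above (PIX ids 109005, 602301, 602302).
PIX_MSG = re.compile(r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(?P<id>\d{6}): (?P<body>.*)")
AUTH_OK = re.compile(r"Authentication succeeded for user '(?P<user>[^']+)' from (?P<client>\S+)")
SA_DEST = re.compile(r"sa_dest= (?P<dest>\S+) .*?sa_spi= (?P<spi>0x[0-9a-f]+)")
# Constructed sample reusing the post's placeholder addresses (213.aaa.bbb.ccc, 82.xx.yy.zz).
SAMPLE = [
    "2005-09-24 20:34:01 Local4.Info 10.64.1.254 Sep 24 2005 20:33:57: %PIX-6-109005: Authentication succeeded for user 'vpn-client' from 213.aaa.bbb.ccc (client) /0 to 82.xx.yy.zz (HQ.provider.nl) /0 on interface outside",
    "2005-09-24 20:34:01 Local4.Info 10.64.1.254 Sep 24 2005 20:33:57: %PIX-6-602301: sa created, (sa) sa_dest= 82.xx.yy.zz (HQ.provider.nl) , sa_prot= 50, sa_spi= 0xb6c9671b(3066652443), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 18",
    "2005-09-24 20:34:01 Local4.Info 10.64.1.254 Sep 24 2005 20:33:57: %PIX-6-602301: sa created, (sa) sa_dest= 213.aaa.bbb.ccc (client) , sa_prot= 50, sa_spi= 0x5c7537e3(1551185891), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 17",
    "2005-09-24 20:34:04 Local4.Info 10.64.1.254 Sep 24 2005 20:34:00: %PIX-6-602301: sa created, (sa) sa_dest= 213.aaa.bbb.ccc (client) , sa_prot= 50, sa_spi= 0x559d29fc(1436363260), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 14",
    "2005-09-24 20:36:20 Local4.Info 10.64.1.254 Sep 24 2005 20:36:16: %PIX-6-602302: deleting SA, (sa) sa_dest= 213.aaa.bbb.ccc (client) , sa_prot= 50, sa_spi= 0x559d29fc(1436363260), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 14",
    "2005-09-24 20:36:20 Local4.Info 10.64.1.254 Sep 24 2005 20:36:16: %PIX-6-602302: deleting SA, (sa) sa_dest= 213.aaa.bbb.ccc (client) , sa_prot= 50, sa_spi= 0x5c7537e3(1551185891), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 17",
]
def vpn_sessions(lines):
    """Pair each client's 109005 login with its 602301/602302 SA lifecycle and return
    (user, client_ip, first_sa_created, last_sa_deleted) per session. As Walter notes
    above, the end time is 'last SA torn down', which may be an idle timeout, not a logoff."""
    user_of = {}                # client IP -> user from the latest 109005
    active = defaultdict(set)   # client IP -> SPIs of SAs still up
    started = {}                # client IP -> timestamp of the first SA
    sessions = []
    for line in lines:
        m = PIX_MSG.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        msg_id, body = m.group("id"), m.group("body")
        if msg_id == "109005":
            a = AUTH_OK.search(body)
            if a:
                user_of[a.group("client")] = a.group("user")
            continue
        s = SA_DEST.search(body) if msg_id in ("602301", "602302") else None
        if not s or s.group("dest") not in user_of:
            continue            # SA towards the PIX itself, or a peer with no login seen
        client, spi = s.group("dest"), s.group("spi")
        if msg_id == "602301":
            if not active[client]:
                started[client] = ts
            active[client].add(spi)
        else:
            active[client].discard(spi)
            if not active[client] and client in started:
                sessions.append((user_of[client], client, started.pop(client), ts))
    return sessions
```

Feed it the Kiwi file line by line; a session only closes once every SA towards that client is gone, so the paired phase-2 SAs (conn_id 17 and 14 above) yield one session rather than two.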

òTTó wrote:

==========================================

On PIX 515 that uses IOS 7.0, the MIB is already set for VPN monitoring, even if not enough, but you will see another feature on logging that can be set to send email about the VPN in use.

Otherwise, using only the log from the PIX syslog server, grep the username login and create a tunnel to the email server that sends the information to us.

dendi--

Reply to
2948g-l3 , BVI

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.