In article , Cen wrote: :How do i track user login session into PIX via local authentication with :syslog. I was able to track authentication success syslog event whenever a :user logs in via VPN, but when the user disconnects the VPN session, no :corresponding syslog message was sent. :Any ideas?
Unless the VPN client sends a clean "I am shutting down now" message [and I do not know if those exist in IPSec], then VPNs cannot tell the difference between the user disconnecting cleanly, the user losing the network connection, or the user simply not sending anything.
IPSec does have a "Delete all Security Associations with this identity" token, but that token is used in contexts other than logout.
If you need more accurate track of when the user BSOD'd, then you should probably turn on some kind of keep-alive.