VPN logging

Unanswered Question
Feb 27th, 2009

I have a Cisco PIX 506 and 9 Cisco PIX 501s. The PIX 506 is the main firewall that all the 501s VPN into... I have started logging on my PIX 506:


ABVALVE-PIX(config)# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level errors, 337472 messages logged
Logging to inside 10.9.2.8
History logging: disabled
Device ID: disabled




All I am getting in this log is a lot of what you see below:


2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:30: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4037 dst outside:198.107.148.254/443

2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:35: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4038 dst outside:198.107.148.254/443

2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:40: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4039 dst outside:198.107.148.254/443


1. Is there any way to ignore these?

2. When one of my VPN connections drops or the 506 loses connection to one of the 501s, I am not seeing a log for that even... is there any way to log VPN drops and reconnects?


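The first question asks whether the flood of 305005 messages can be ignored. One place to do that without touching the firewall is the syslog collector (10.9.2.8 in the show log output). The script below is an added example written for this thread, not code from the original post or from any Cisco tool: it parses the export format quoted above, keeps every line except the suppressed message IDs, and condenses the suppressed ones into a per-host count so a burst from one internal address is still visible. It assumes one message per line in the layout shown in the question; the sample lines are the three quoted above plus one constructed line carrying the placeholder ID 999999, which is not a real PIX message ID. One caveat the show log output makes clear: trap logging is at level errors, so only messages of severity 3 and above are sent to 10.9.2.8, and a filter on the collector can hide 305005 but cannot surface anything the PIX never sends.

```python
import re
from collections import Counter

# Layout of the syslog-server export quoted in the question (assumption: one message
# per line, fields separated by single spaces):
#   <recv date> <recv time> <facility>.<severity> <reporting IP> <device timestamp>: %PIX-<sev>-<id>: <text>
LINE_RE = re.compile(
    r"^(?P<recv>\S+ \S+)\s+"
    r"(?P<facility>\w+)\.(?P<sevname>\w+)\s+"
    r"(?P<reporter>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<devts>[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$"
)
# Flow description inside 305005: "src inside:10.9.2.50/4037 dst outside:198.107.148.254/443"
FLOW_RE = re.compile(r"\bsrc (?P<src>\S+) dst (?P<dst>\S+)")

# Message IDs to keep out of the stream you actually read. 305005 is the one
# flooding the log in the thread; add others here if needed.
SUPPRESS_IDS = {"305005"}


def parse_line(line):
    """Return the fields of one export line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    flow = FLOW_RE.search(fields["text"])
    if flow:
        # Strip the ephemeral source port so repeats from one host fold together.
        fields["src_host"] = flow.group("src").rsplit("/", 1)[0]
        fields["dst"] = flow.group("dst")
    return fields


def filter_log(lines, suppress=SUPPRESS_IDS):
    """Split an export into (kept, summary, unparsed).

    kept     - lines whose message ID is not in `suppress`, unchanged
    summary  - Counter keyed by (msgid, src_host, dst) for suppressed lines, so the
               hosts triggering them stay visible without the per-line noise
    unparsed - non-empty lines that did not match LINE_RE; never silently dropped
    """
    kept, unparsed, summary = [], [], Counter()
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            if line.strip():
                unparsed.append(line)
            continue
        if fields["msgid"] in suppress:
            summary[(fields["msgid"], fields.get("src_host", "?"), fields.get("dst", "?"))] += 1
        else:
            kept.append(line)
    return kept, summary, unparsed


# Constructed sample: the three lines quoted in the question plus one line carrying
# the placeholder ID 999999 (not a real PIX message ID) to stand in for anything else.
SAMPLE = [
    "2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:30: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4037 dst outside:198.107.148.254/443",
    "2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:35: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4038 dst outside:198.107.148.254/443",
    "2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:40: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4039 dst outside:198.107.148.254/443",
    "2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:45: %PIX-3-999999: placeholder message (constructed, not a real PIX event)",
]

if __name__ == "__main__":
    kept, summary, unparsed = filter_log(SAMPLE)
    for line in kept:
        print(line)
    for (msgid, src, dst), n in sorted(summary.items()):
        print(f"suppressed %PIX-{msgid} x{n}: {src} -> {dst}")
    for line in unparsed:
        print("UNPARSED:", line)
```

Lines that do not match the expected layout are returned separately rather than discarded, so a change in the export format shows up as a pile of unparsed lines instead of a silently empty log.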
adamclarkuk_2 Fri, 02/27/2009 - 07:33
User Badges:
  • Silver, 250 points or more

Here is what that error means:


%PIX-3-305005 (x1): No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port


Explanation: A packet does not match any of the outbound nat command rules.


Recommended Action: This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.


I don't think you can log VPN drops/reconnects on the PIX (someone will correct me if I'm wrong).


If you need to know when a VPN is down, set up a monitor server that sends ICMP down the other head of the tunnels from your head office, and that can report to you when a tunnel has dropped and re-established.


There are plenty of free ones out there:


www.nagios.org, for instance.
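What the ICMP-monitor suggestion above comes down to in code, as an added example that is not part of this thread and not code from Nagios or any other product: a small Python monitor that probes an address on the far side of each tunnel, keeps per-peer up/down state, and records a DOWN event with the time of the first failed probe and an UP event with the outage length. The peer address 10.0.1.1 is constructed; the probe assumes a Linux/BSD-style ping binary that accepts -c and -W; the fail threshold of two consecutive misses is a design choice so one lost echo reply is not reported as a tunnel drop.

```python
import subprocess
import time
from datetime import datetime, timedelta


def ping_once(host, timeout_s=2):
    """One ICMP echo via the system ping binary; True if a reply came back.
    Assumption: a Linux/BSD style ping that accepts -c (count) and -W (timeout)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


class TunnelMonitor:
    """Tracks up/down state per tunnel peer and records the transitions.

    A peer is declared DOWN only after `fail_threshold` consecutive failed probes,
    so a single lost echo reply is not reported as a tunnel drop. The DOWN event
    carries the time of the first failed probe in the run, the UP event the
    length of the outage, which is what you line up against the firewall log.
    """

    def __init__(self, peers, fail_threshold=2):
        self.fail_threshold = fail_threshold
        self.up = {p: None for p in peers}         # None until the first probe
        self.fail_run = {p: 0 for p in peers}      # consecutive failed probes
        self.first_fail = {p: None for p in peers}
        self.events = []

    def observe(self, peer, reachable, now):
        """Feed one probe result; returns an event dict on a state change, else None."""
        if reachable:
            was_down = self.up[peer] is False
            self.up[peer] = True
            self.fail_run[peer] = 0
            if not was_down:
                self.first_fail[peer] = None
                return None
            outage = (now - self.first_fail[peer]).total_seconds()
            self.first_fail[peer] = None
            return self._emit(peer, "UP", now, outage)
        if self.fail_run[peer] == 0:
            self.first_fail[peer] = now
        self.fail_run[peer] += 1
        if self.up[peer] is not False and self.fail_run[peer] >= self.fail_threshold:
            self.up[peer] = False
            return self._emit(peer, "DOWN", self.first_fail[peer], None)
        return None

    def _emit(self, peer, kind, when, outage_seconds):
        ev = {"peer": peer, "event": kind, "time": when, "outage_seconds": outage_seconds}
        self.events.append(ev)
        return ev


def simulate_outage():
    """Replay a one-minute outage with 30-second probes, followed by a single blip."""
    mon = TunnelMonitor(["10.0.1.1"], fail_threshold=2)   # constructed peer address
    t0 = datetime(2009, 2, 27, 3, 5, 0)
    probes = [True, False, False, True, False, True]
    for i, ok in enumerate(probes):
        mon.observe("10.0.1.1", ok, t0 + timedelta(seconds=30 * i))
    return mon.events


def run(peers, interval_s=30):
    """Live loop: probe every peer each interval and print transitions as they happen."""
    mon = TunnelMonitor(peers)
    while True:
        now = datetime.now()
        for peer in peers:
            ev = mon.observe(peer, ping_once(peer), now)
            if ev:
                extra = "" if ev["outage_seconds"] is None else f" after {ev['outage_seconds']:.0f}s"
                print(f"{ev['time']:%Y-%m-%d %H:%M:%S} {ev['peer']} {ev['event']}{extra}")
        time.sleep(interval_s)


if __name__ == "__main__":
    for ev in simulate_outage():
        print(ev)
```

The probe target must be an address that is only reachable through the tunnel (an inside address behind each remote 501, for example), otherwise a successful reply says nothing about the tunnel. Call run() with the list of peers to use it live; simulate_outage() shows the event stream for a drop and recovery one minute apart.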

Danny Guillory Jr Fri, 02/27/2009 - 07:37

Thank you for your response. But I do understand what that error means and WHY I am getting it. We do NOT use NAT here in my network.


So the question was: is there a way to have logging ignore that? If not, it's ok, I can deal with it logging that. My main concern is logging the VPN connections when they drop and reconnect.


Any ideas?

adamclarkuk_2 Fri, 02/27/2009 - 07:40
User Badges:
  • Silver, 250 points or more

Sorry, I updated my post after you replied.


If you have no NAT, try turning off NAT control with the no nat-control command (version 7 upwards).

Danny Guillory Jr Fri, 02/27/2009 - 07:47

I am using Ipswitch as my network monitor.


Problem is, at my data center the pipe coming to my rack goes to a small non-managed network hub, then to my PIX. It goes to the network hub first b/c we have 1 drop that is redundant from the DC, so I have 2 cat5 cables that are handed down to my rack


that plug into the hub, and from the hub to my PIX 506, e0 of course. I need to know by logging if the PIX is dropping connection... if it's not, then it's the hub. I am trying to isolate the problem to the PIX or the hub.


For instance, last night at 3:06am all 9 of my VPNs dropped connection and were back online at 3:07am. So what hiccuped, the PIX or the hub? By using logs I should be able to tell if the PIX had an error and reset or hiccuped.
