accounting for VPN access through a PIX

Apr 16th, 2002

I am trying to get accounting working for my users who connect to my PIX with the VPN3000 client. The users are authenticated using TACACS+ to my ACS server. I want to include accounting. Here is what I use for authentication:

aaa-server vpnauth protocol tacacs+

aaa-server vpnauth (inside) host secret timeout 20

crypto map CanadaMap client authentication vpnauth

When I add the following line I still do not get any accounting information.

aaa accounting include any inbound 0 0 0 0 vpnauth

Any ideas?

ciscomoderator Tue, 04/23/2002 - 16:54

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center ( or speak with a TAC engineer. You can open a TAC case online at

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

xantic Wed, 07/31/2002 - 22:16
It's the bug with the Cisco Secure ACS v 3.0. Here's the solution given on the Cisco web site:


In CSNT 3.0, tacacs+ accounting packets are being logged in the tacacs+ administration logs instead of tacacs+ accounting logs for some devices such as the pix & switch.

To make CSNT 3.0 work like previous versions, stop CSNT services, back up the registry, & run regedit to make the changes below:

Accounting filter=preV3_tacacsAccountingFilter

Then restart the services.



