New Member

PIX VPN Accounting

Hi,

Is there any way to get the PIX to do accounting for VPN connections? I currently have it set up to do VPN authentication via RADIUS, but once it authenticates, nothing is sent from the PIX via the radius-acct port (1813) to indicate success/failure etc. I know you can account other services like ssh/telnet/http connections TO the PIX itself or through it. I tried "rigging" it by accounting any connections to udp/4500, but that didn't seem to work. There doesn't seem to be any command to enable VPN accounting, at least not that I could find. If anyone has any ideas it would be appreciated. I'm running a PIX 515e w/6.3 and using FreeRADIUS running on Linux.

Thanks.

- John

4 REPLIES
Silver

Re: PIX VPN Accounting

John,

It is possible to do xauth accounting. Please refer to the following tech tip:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008010a206.shtml#howto3

Note: The sysopt connection permit-ipsec command, not the sysopt ipsec pl-compatible command, is necessary for xauth accounting to work. Xauth accounting does not work with only the sysopt ipsec pl-compatible command. Xauth accounting is valid for TCP connections, not ICMP or UDP.

Thanks,

Mynul

New Member

Re: PIX VPN Accounting

Hi and thanks for replying. That just seemed to account all tcp connections passing through the PIX via VPN after the authentication. It did not account the actual client VPN authentication and connection to the PIX. :(

I tried from a client that does transparent tunneling from behind another firewall and a client not behind a firewall, and no accounting info was sent from the VPN PIX at all. Any other suggestions or maybe this kind of accounting is not available for the PIX right now, since it probably was meant to do mainly site-to-site VPNs and not client-to-PIX?

Thanks again,

- John
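
One way to see exactly which accounting records reach the RADIUS server on port 1813, as an added example that is not part of the original thread: a minimal decoder for RADIUS Accounting-Request packets (RFC 2866), which makes it easy to tell per-connection Start/Stop records from a tunnel-level session record. The names `parse_accounting` and `build_sample` are hypothetical, the sample packet is constructed, and the request authenticator is not verified.

```python
import struct

# Attribute numbers from RFC 2865/2866 that matter for accounting records.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type",
              44: "Acct-Session-Id", 46: "Acct-Session-Time"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update",
          7: "Accounting-On", 8: "Accounting-Off"}

def parse_accounting(packet: bytes) -> dict:
    """Decode one Accounting-Request datagram into a dict of attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field disagrees with datagram size")
    record = {"id": ident}
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype in (40, 46):  # 32-bit integer attributes
            if len(value) != 4:
                raise ValueError(f"{name} must be 4 bytes")
            num = struct.unpack("!I", value)[0]
            record[name] = STATUS.get(num, num) if atype == 40 else num
        elif atype == 4:  # IPv4 address
            record[name] = ".".join(str(b) for b in value)
        else:
            record[name] = value.decode("ascii", "replace")
        pos += alen
    return record

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_sample() -> bytes:
    """Constructed Accounting-Request (Start) with a zeroed authenticator."""
    attrs = (_attr(1, b"john") + _attr(4, bytes([192, 0, 2, 1]))
             + _attr(40, struct.pack("!I", 1)) + _attr(44, b"0x00000001"))
    return struct.pack("!BBH", 4, 7, 20 + len(attrs)) + bytes(16) + attrs
```
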

Silver

Re: PIX VPN Accounting

John,

Unfortunately, what you are trying to collect is not possible as of yet.

Thanks,

Mynul

New Member

Re: PIX VPN Accounting

Thanks!

Time to call the account rep....
