Is there any way to remotely (read: without human interaction for automated purposes) monitor PIX VPN sessions? I've seen a few posts similar to this subject, but nothing concrete was mentioned.
I have a PIX 515 running 6.2(1) that terminates around 60 VPN sessions from various PIX 501's and 506's as well as close to 40 Road Warriors. In a matter of months this device could be terminating a couple hundred 501's and 506's as well as a couple hundred Road Warriors.
My concern is being able to monitor the static VPN connections from my 501's and 506's to be able to generate uptime statistics and network monitoring reports. I want to be able to accurately tell when a static VPN session went down and how long it was down for. At the moment I'm using ICMP pings to determine if the link is active or not, but this isn't very accurate unless it's a constant stream of pings.
Is anyone familiar with a product or a method to be able to determine this information? Will there be a new feature introduced in 6.3 or even 6.2(3) that might be able to accommodate this type of monitoring?
I do currently have logging enabled on the PIX, BUT there are no system messages that get generated when a remote peer is connected or disconnected from the PIX, which makes it fairly impossible to keep track of when exactly a remote VPN peer gets disconnected.
The PDM will be useless since it can't be checked through remote automated systems. I've also had no luck with SNMP Traps reporting the disconnection and connection of a remote VPN peer, but perhaps I'm missing something.
I've also been unable to find information regarding Cisco Secure Policy Manager to see if it will work for what I want to do.
Basically, what I need to do is be able to determine how long a VPN peer was offline for, what time they connected back to the PIX and what time they get disconnected from the PIX.
I think you may be able to do this using some debug commands. As I recall, when I am trying to troubleshoot the VPN setup one of the debug commands gives me setup and teardown information. Then using the syslog functionality I think you can output the debug information to your syslog server with the time stamp (not sure what logging level you will need for the debug stuff).
That could be a possibility, but it opens up a whole new can of worms.
To be able to have the debug information recorded to the syslog server, I would have to have the PIX sending all debug level messages.
For a small site this would be fine, but if you have a lot of traffic going through your PIX, you could easily log a couple hundred MB of data per day, as well as completely run out of all the 256-byte memory blocks used for syslog and failover messages (as described here: http://www.cisco.com/warp/customer/110/pixperformance.html ).
This page recommends logging at level 5 (Notification) or lower only unless you require the data for debugging purposes. Running in debug mode in a production environment is never something someone should do for an extended period of time (if at all!)
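Whatever log level ends up producing tunnel setup and teardown messages, the remaining piece is turning timestamped syslog lines into the uptime statistics the original question asks for. The script below is an added example, not code from this thread or from Cisco; the line format it parses is a constructed placeholder (real PIX syslog text differs), so the regular expression is the part to adapt. It collapses repeated "down" events for the same peer, which is what you see when a tunnel flaps, so each outage is counted once.

```python
"""Compute VPN peer outage intervals from timestamped syslog-style events.

Added example (not from the original thread). The message format below is a
constructed placeholder: real PIX syslog/debug lines look different, so
LINE_RE is the part you would adapt to whatever your PIX actually emits.
"""
import re
from datetime import datetime

# Constructed sample lines: a timestamp, a peer address, and an up/down event.
# The duplicate 10:00:00 "down" line simulates a flapping tunnel.
SAMPLE_LOG = """\
2003-03-01 08:00:00 vpn peer=10.1.1.2 event=up
2003-03-01 09:15:30 vpn peer=10.1.1.2 event=down
2003-03-01 09:20:00 vpn peer=10.1.1.3 event=up
2003-03-01 09:45:30 vpn peer=10.1.1.2 event=up
2003-03-01 10:00:00 vpn peer=10.1.1.2 event=down
2003-03-01 10:00:00 vpn peer=10.1.1.2 event=down
2003-03-01 10:05:00 vpn peer=10.1.1.2 event=up
"""

# Hypothetical line format; adapt this expression to the actual syslog text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpn "
    r"peer=(?P<peer>\S+) event=(?P<event>up|down)$"
)


def parse_events(text):
    """Yield (timestamp, peer, event) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["peer"], m["event"]


def outages(text):
    """Return {peer: [(down_at, up_at, seconds), ...]} for every completed outage.

    Repeated 'down' events for a peer are collapsed to the first one, so a
    flapping tunnel does not produce overlapping or double-counted outages.
    """
    down_since = {}   # peer -> timestamp of the first 'down' not yet closed
    result = {}
    for ts, peer, event in parse_events(text):
        if event == "down":
            down_since.setdefault(peer, ts)
        elif peer in down_since:          # 'up' that closes an open outage
            start = down_since.pop(peer)
            seconds = (ts - start).total_seconds()
            result.setdefault(peer, []).append((start, ts, seconds))
    return result


def still_down(text):
    """Return {peer: down_since} for peers whose last event was 'down'."""
    down_since = {}
    for ts, peer, event in parse_events(text):
        if event == "down":
            down_since.setdefault(peer, ts)
        else:
            down_since.pop(peer, None)
    return down_since


def total_downtime(text):
    """Seconds of downtime per peer, summed over completed outages."""
    return {peer: sum(o[2] for o in lst) for peer, lst in outages(text).items()}


if __name__ == "__main__":
    for peer, lst in sorted(outages(SAMPLE_LOG).items()):
        for start, end, secs in lst:
            print(f"{peer}: down {start} -> up {end} ({secs:.0f} s)")
    for peer, secs in sorted(total_downtime(SAMPLE_LOG).items()):
        print(f"{peer}: total {secs:.0f} s down")
    print("still down:", still_down(SAMPLE_LOG))
```

Feed it the syslog file the PIX writes to and the per-peer totals are the uptime report; `still_down` gives the peers to alert on right now. Because it only keys on peer and event, the same logic works whether the messages come from debug output or from a later software version's own connection messages.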