Remotely Monitoring VPN Connections on a PIX

dro
Level 1

Hey folks,

Is there any way to remotely (read: without human interaction for automated purposes) monitor PIX VPN sessions? I've seen a few posts similar to this subject, but nothing concrete was mentioned.

I have a PIX 515 running 6.2(1) that terminates around 60 VPN sessions from various PIX 501's and 506's as well as close to 40 Road Warriors. In a matter of months this device could be terminating a couple hundred 501's and 506's as well as a couple hundred Road Warriors.

My concern is being able to monitor the static VPN connections from my 501's and 506's to be able to generate uptime statistics and network monitoring reports. I want to be able to accurately tell when a static VPN session went down and how long it was down for. At the moment I'm using ICMP pings to determine if the link is active or not, but this isn't very accurate unless it's a constant stream of pings.

Is anyone familiar with a product or a method to be able to determine this information? Will there be a new feature introduced in 6.3 or even 6.2(3) that might be able to accommodate this type of monitoring?

Thanks,

-Joshua
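As an added illustration of the accuracy problem with polling (this is not code from the original thread): a probe-based monitor can only bracket an outage between the last probe that succeeded and the first that succeeded afterwards, so the uncertainty on each outage is up to twice the probe interval. The script below turns a time-ordered list of (timestamp, reachable) probe results into outage records with a lower and upper bound on downtime, and handles the two edge cases a poller hits in practice: data that starts while the peer is already down, and a peer that is still down when the data ends. The probe data is constructed; a real deployment would feed it from a ping or SNMP poller.

```python
"""Outage accounting from periodic reachability probes.

Added example, not code from the original thread. Probe results are
constructed; in practice they come from a ping or SNMP poller.
Each probe is (timestamp_in_seconds, reachable).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Probe = Tuple[float, bool]


@dataclass
class Outage:
    last_ok: Optional[float]   # last good probe before the gap; None if data starts failing
    first_fail: float          # first failed probe of the run
    last_fail: float           # last failed probe of the run
    first_ok: Optional[float]  # first good probe after the gap; None if still down at end

    def min_down(self) -> float:
        """Lower bound on downtime: the span actually observed as failing."""
        return self.last_fail - self.first_fail

    def max_down(self) -> Optional[float]:
        """Upper bound: the peer may have died just after last_ok and
        recovered just before first_ok. None when either edge is unknown."""
        if self.last_ok is None or self.first_ok is None:
            return None
        return self.first_ok - self.last_ok


def find_outages(probes: Iterable[Probe]) -> List[Outage]:
    """Walk probes in time order and group each run of failures into an Outage."""
    outages: List[Outage] = []
    last_ok: Optional[float] = None
    current: Optional[Outage] = None
    for ts, ok in probes:
        if ok:
            if current is not None:       # peer came back: close the open outage
                current.first_ok = ts
                outages.append(current)
                current = None
            last_ok = ts
        elif current is None:             # first failure after a good probe
            current = Outage(last_ok=last_ok, first_fail=ts, last_fail=ts, first_ok=None)
        else:                             # failure continues
            current.last_fail = ts
    if current is not None:               # data ended while the peer was still down
        outages.append(current)
    return outages


def downtime_bounds(probes: List[Probe]) -> Tuple[float, float]:
    """(min, max) total seconds down over the data window.

    Open-ended outages are bounded by the first/last timestamp in the data,
    since nothing earlier or later was observed."""
    if not probes:
        return (0.0, 0.0)
    start, end = probes[0][0], probes[-1][0]
    lo = hi = 0.0
    for o in find_outages(probes):
        lo += o.min_down()
        left = o.last_ok if o.last_ok is not None else start
        right = o.first_ok if o.first_ok is not None else end
        hi += right - left
    return lo, hi


# Constructed sample: one probe per minute, peer dropped twice.
SAMPLE: List[Probe] = [
    (0, True), (60, True), (120, False), (180, False), (240, True),
    (300, True), (360, False), (420, True), (480, True),
]

if __name__ == "__main__":
    for o in find_outages(SAMPLE):
        print(f"down between t={o.last_ok} and t={o.first_ok}: "
              f"at least {o.min_down()}s, at most {o.max_down()}s")
    print("total downtime bounds:", downtime_bounds(SAMPLE))
```

The gap between `max_down()` and `min_down()` for a closed outage is never more than two probe intervals, which is the quantisation a ping-based report carries: a 60-second poll can only say "down for between 0 and 120 seconds" for a single lost reply. Tightening that means either polling faster (more load on every spoke) or getting an event from the device itself at the moment the tunnel changes state.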

4 Replies

beth-martin
Level 5

Joshua,

Yes, it is possible to monitor most events. In brief, you need to do the following:

1) Enable logging function using the 'logging on' command.

2) Specify a syslog server using the 'logging host' command. (Storing logs locally is not a very good idea)

3) Use 'logging timestamps' command to timestamp every log message. (make sure you set your PIX clock)

4) Specify what messages need to be logged (by level)

Among other things, the messages received by the server can be used to create e-mail alerts.

A useful document to refer to would be "Cisco PIX Firewall System Log Messages, Version 6.2". It is located at the URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_book09186a00800ec903.html.

If this does not help, you could always turn to "The Cisco PIX Device Manager" (shipped free with PIX Firewall running software version 6.0(1) and higher), Cisco Secure Policy Manager or SNMP Traps.

HTH!
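The four steps above as a PIX 6.2 configuration fragment, added here as an illustration and not taken from the reply; the interface name `inside`, the collector address 10.1.1.20, the facility number and the clock value are placeholders.

```text
! Added example (not from the original post); names and addresses are placeholders.
! Set the clock first, otherwise the timestamps on step 3 are meaningless.
! (6.2 also accepts 'ntp server <addr> source inside' if an NTP source is available.)
clock set 09:30:00 Mar 5 2003
! Step 1: turn the logging subsystem on.
logging on
! Step 2: ship messages to a remote collector reached via the inside interface (UDP/514 by default).
logging host inside 10.1.1.20
! Step 3: stamp every message with the PIX clock.
logging timestamp
! Step 4: pick the level sent to the collector. Notifications (5) and below is the
! sustainable choice; 'logging trap debugging' (7) floods the collector and the
! 256-byte block pool on a busy firewall.
logging trap notifications
! Optional: a distinct facility so the collector can file PIX messages separately.
logging facility 20
```

Verify with `show logging` (confirms the host, level and that logging is on) and watch `show blocks` for the 256-byte pool before and after changing the trap level; if the "LOW" column for that size starts dropping towards zero, the level is too chatty for the platform.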

Thanks for your reply.

I do currently have logging enabled on the PIX, BUT there are no system messages that get generated when a remote peer is connected or disconnected from the PIX, which makes it fairly impossible to keep track of when exactly a remote VPN peer gets disconnected.

The PDM will be useless since it can't be checked through remote automated systems. I've also had no luck with SNMP Traps reporting the disconnection and connection of a remote VPN peer, but perhaps I'm missing something.

I've also been unable to find information regarding Cisco Secure Policy Manager to see if it will work for what I want to do.

Basically, what I need to do is be able to determine how long a VPN peer was offline for, what time they connected back to the PIX and what time they get disconnected from the PIX.

Thanks for your suggestions.

-Joshua

I think you may be able to do this using some debug commands. As I recall when I am trying to troubleshoot the vpn setup one the debug commands gives me setup and teardown information. Then using the syslog functionality I think you can output the debug information to your syslog server with the time stamp (not sure what logging level you will need for the debug stuff).

That could be a possibility.. but it opens up a whole new can of worms.

To be able to have the debug information recorded to the syslog server, I would have to have the PIX sending all debug level messages.

For a small site this would be fine, but if you have a lot of traffic going through your PIX, you could easily log a couple hundred MB of data per day, as well as completely run out of all the 256-byte memory blocks used for syslog and failover messages. (as described here: http://www.cisco.com/warp/customer/110/pixperformance.html )

This page recommends logging at level 5 (Notification) or lower only unless you require the data for debugging purposes. Running in debug mode in a production environment is never something someone should do for an extended period of time (if at all!)

Thanks for your reply,

-Joshua
