
How to get the traffic split up in VPN 3000 Concentrator?

linker.team
Level 1

Hi,

Requirement:

I want to parse & analyze the Cisco VPN 3000 Concentrator logs and provide the report for the happenings using the log.

Issue:

I am able to get the traffic split up for Cisco Pix501 thro' its logs for the VPN connections. But in the Cisco 3000 VPN Concentrator, I am not able to get the traffic details for any PPTP/IPSec connections. It simply provides the overall traffic log when the session is closed. For example, below is my traffic log,

<189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested

My Question:

Is there any configuration/solution available to get the live traffic [traffic split up] thro' that VPN connection for the Cisco 3000 VPN Concentrator?

Please help me in getting this issue resolved.

Thanks to all helping me to resolve the issue.

Thanks.
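
The disconnect record quoted in the post above can still feed a per-user usage report. The following is an added example, not part of the original thread: a Python parser whose field layout is inferred from that one AUTH/28 line. The function names and the two extra sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the one AUTH/28 line quoted in the post (assumption:
# other software releases may format the record differently).
AUTH28 = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<seq>\d+) "
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"SEV=(?P<sev>\d+) AUTH/28 RPT=(?P<rpt>\d+) (?P<peer>\S+) "
    r"User \[(?P<user>[^\]]*)\] Group \[(?P<group>[^\]]*)\] disconnected: "
    r"Session Type: (?P<stype>.+?) Duration: (?P<dur>\d+:\d{2}:\d{2}) "
    r"Bytes xmt: (?P<xmt>\d+) Bytes rcv: (?P<rcv>\d+) Reason: (?P<reason>.+)$"
)

def parse_disconnect(line):
    """Return a dict for an AUTH/28 disconnect record, or None for any other line."""
    m = AUTH28.match(line.strip())
    if m is None:
        return None
    h, mi, s = (int(x) for x in m["dur"].split(":"))
    pri = int(m["pri"]) if m["pri"] else None  # syslog PRI = facility * 8 + severity
    return {
        "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "syslog_facility": None if pri is None else pri >> 3,
        "syslog_severity": None if pri is None else pri & 7,
        "event_sev": int(m["sev"]), "peer": m["peer"],
        "user": m["user"], "group": m["group"], "session_type": m["stype"],
        "seconds": h * 3600 + mi * 60 + s,
        "bytes_xmt": int(m["xmt"]), "bytes_rcv": int(m["rcv"]),
        "reason": m["reason"],
    }

def per_user_totals(lines):
    """Sum sessions, connected seconds and byte counters per user."""
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "xmt": 0, "rcv": 0})
    for rec in filter(None, map(parse_disconnect, lines)):
        t = totals[rec["user"]]
        t["sessions"] += 1
        t["seconds"] += rec["seconds"]
        t["xmt"] += rec["bytes_xmt"]
        t["rcv"] += rec["bytes_rcv"]
    return dict(totals)

SAMPLE = [  # first line is the record quoted in the post; the other two are constructed
    "<189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested",
    "<189>14020 07/23/2004 20:05:10.120 SEV=4 AUTH/28 RPT=42 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:05:00 Bytes xmt: 1000 Bytes rcv: 2000 Reason: User Requested",
    "constructed line that is not a disconnect record",
]

if __name__ == "__main__":
    print(per_user_totals(SAMPLE))
```
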

5 Replies

thomas.chen
Level 6

Enable split tunneling on the VPN Concentrator.

Navigate to Configuration > Traffic Management > Policy Management > Network Lists and create a network list to define the traffic you want to pass across the tunnel.

Go to Configuration > User Management > Groups, select the group and click MODIFY.

Click the Mode/Client Config tab, and set up the split tunneling.

Point the VPN Concentrator's tunnel default gateway to a router on the inside. Access this setting by navigating to Configuration > System > IP Routing > Default Gateways.

Hi Thomas,

Thank you for your prompt reply. My problem is not yet resolved after following your configuration changes. Split tunneling allows me to reach other LAN networks which are not configured in the Cisco VPN Concentrator as local proxy server.

My environment is like the one below: users can connect thro' the Cisco VPN Concentrator to reach the 192.168.230.0 network. After connecting thro' the VPN Client, I can Telnet & FTP to one of the machines, 192.168.230.120. But the Telnet & FTP transaction logs are still not printed in the logs. It only gives the consolidated Sent & RCVD bytes when I disconnect the client.

Hope my requirement is clear now. Please help me in getting the logs that i need.

Thanks.

Hi,

I think you know that there are several levels for logging to your log server, starting I think from 0 through 7. I think the last one is debugging; if you enable the last one you will get everything under that number, i.e. logging level 7 also gives you 6 5 4..1, but if you log 2 you will get 2 1.. and not 3 4 5 6... So try to do some research on that subject and enable the appropriate one; I think you will get all your logging.

HTH

Pls do rate the post if it does help

You get the details from the Pix logs not because of VPN functionality but because the Pix is a stateful device that manages and logs each and every session.

The VPN 3000 is not stateful or session aware. The best you could do is provide packet level logging, but this would generate enormous log files that would need to be statistically analyzed to provide useful information.

Your best options are to run their traffic through a Pix firewall for the session logging, use the first hop router inside the network that can provide Netflow export for analysis, or use a probe to monitor the traffic that can discern the individual flows. For the last two, ntop can analyze netflow of mirrored sessions to provide protocol analysis by src/dest IP, top protocols used, etc.

-Shannon

Hi,

You should enable accounting on your VPN Concentrator to a Radius Server.

Check http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1dba.html#1018035

This will not affect the authentication or normal access of the clients.

Please rate if this helped.

Regards,

Daniel
