Monitoring Site-to-Site VPNs in ASA/PIX (Syslog)


Recently I was given the task of monitoring our site-to-site VPNs on some PIX firewalls (yeah, I know, we still use them in some locations). After a lot of research I found a working and quite decent solution for now: monitoring specific syslog message IDs for VPN disconnections looks like the way to go.

I’m going to start off with PIX and will add the ASA config when I lab it up.

Note: You do not need a logging list if your trap level is already warnings (level 4) or more verbose, because message ID 113019, the one we want for VPN monitoring, is a warning-level (level 4) message and would be sent anyway. My trap level is critical (level 2), which does not include warnings, so I use a logging list that sends critical and above plus that one message ID explicitly.

PIX firewall config:

logging enable
logging timestamp
logging list LIST_NAME level critical
logging list LIST_NAME message 113019
logging trap LIST_NAME
logging host inside 10.1.1.30

Message ID 113019 (level 4): this syslog message is generated when a VPN session is torn down, for any of several reasons. Below are some examples of the message as seen for different reasons:

Jun 28 2014 17:15:28: %PIX-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:06s, Bytes xmt: 400, Bytes rcv: 400, Reason: Administrator Reset
Jun 28 2014 17:17:01: %PIX-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:01m:10s, Bytes xmt: 400, Bytes rcv: 400, Reason: Idle Timeout
Jun 28 2014 17:30:18: %PIX-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:12m:43s, Bytes xmt: 400, Bytes rcv: 400, Reason: Lost Service
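Once these messages reach the syslog server you still need something to pick the site-to-site disconnects out of the stream and decide which ones deserve an alert. The following is an added example, not part of the original post or any Cisco tooling: a small Python parser for 113019 lines that extracts the peer, session type, duration and reason, and flags IPSecLAN2LAN disconnects whose reason is anything other than an administrator reset (so an Idle Timeout, which should never occur once vpn-idle-timeout is set to none, is flagged as a likely config regression). The three PIX lines are the ones shown above; the ASA remote-access line and the 302013 connection-build line are constructed here to show that the parser ignores what it should, and the "User Requested" reason and RA_GROUP name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the body of a PIX/ASA 113019 "Session disconnected" message.
# The %PIX-/%ASA- prefix is matched so one parser serves both platforms.
LINE_RE = re.compile(
    r"%(?P<platform>PIX|ASA)-(?P<severity>\d)-113019: "
    r"Group = (?P<group>\S+), Username = (?P<username>\S+), IP = (?P<ip>\S+), "
    r"Session disconnected\. Session Type: (?P<session_type>[^,]+), "
    r"Duration: (?P<duration>[^,]+), Bytes xmt: (?P<bytes_xmt>\d+), "
    r"Bytes rcv: (?P<bytes_rcv>\d+), Reason: (?P<reason>.+)$"
)

# Duration is reported as e.g. "0h:12m:43s"; we normalise it to seconds.
DURATION_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


@dataclass
class Disconnect:
    platform: str
    peer: str
    session_type: str
    duration_s: int
    bytes_xmt: int
    bytes_rcv: int
    reason: str


def parse_disconnect(line: str) -> Optional[Disconnect]:
    """Return a Disconnect for a 113019 line, or None for any other message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = DURATION_RE.fullmatch(m["duration"].strip())
    if not d:
        return None
    h, mi, s = (int(x) for x in d.groups())
    return Disconnect(
        platform=m["platform"],
        peer=m["ip"],
        session_type=m["session_type"].strip(),
        duration_s=h * 3600 + mi * 60 + s,
        bytes_xmt=int(m["bytes_xmt"]),
        bytes_rcv=int(m["bytes_rcv"]),
        reason=m["reason"].strip(),
    )


# Reasons that are expected for a LAN-to-LAN tunnel. "Idle Timeout" is
# deliberately NOT here: with vpn-idle-timeout set to none on both ends it
# should never fire, so seeing it means the group policy has drifted.
EXPECTED_L2L_REASONS = {"Administrator Reset"}


def should_alert(ev: Disconnect) -> bool:
    """Alert only on site-to-site tunnels dropping for an unexpected reason."""
    return ev.session_type == "IPSecLAN2LAN" and ev.reason not in EXPECTED_L2L_REASONS


def triage(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Run the parser over raw syslog lines and return (peer, reason, seconds) for each alert."""
    alerts = []
    for line in lines:
        ev = parse_disconnect(line)
        if ev is not None and should_alert(ev):
            alerts.append((ev.peer, ev.reason, ev.duration_s))
    return alerts


# Sample input: the three PIX lines from the post, plus two constructed lines
# (an ASA remote-access disconnect and an unrelated 302013 connection message).
SAMPLE_LINES = [
    "Jun 28 2014 17:15:28: %PIX-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:06s, Bytes xmt: 400, Bytes rcv: 400, Reason: Administrator Reset",
    "Jun 28 2014 17:17:01: %PIX-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:01m:10s, Bytes xmt: 400, Bytes rcv: 400, Reason: Idle Timeout",
    "Jun 28 2014 17:30:18: %PIX-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:12m:43s, Bytes xmt: 400, Bytes rcv: 400, Reason: Lost Service",
    # constructed: remote-access user, should parse but not alert
    "Jun 28 2014 17:40:02: %ASA-4-113019: Group = RA_GROUP, Username = alice, IP = 203.0.113.5, Session disconnected. Session Type: IPsec, Duration: 0h:05m:00s, Bytes xmt: 1200, Bytes rcv: 3400, Reason: User Requested",
    # constructed: unrelated message ID, should be ignored entirely
    "Jun 28 2014 17:15:30: %PIX-6-302013: Built inbound TCP connection 12345 for outside:2.2.2.2/500 (2.2.2.2/500) to inside:10.1.1.5/443 (10.1.1.5/443)",
]


if __name__ == "__main__":
    for peer, reason, secs in triage(SAMPLE_LINES):
        print(f"ALERT: L2L tunnel to {peer} dropped after {secs}s: {reason}")
```

Feed it the lines your syslog server writes to disk (or hook it into whatever your collector already runs); the two constructed lines illustrate the two things a naive grep for "113019" gets wrong, namely treating remote-access user logoffs as tunnel outages and missing the reason field entirely.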

You also want to set vpn-idle-timeout to none on both ends of the tunnel; otherwise the default idle timeout of 30 minutes will keep tearing the tunnel down whenever there is no interesting traffic, generating the same syslog ID with a different reason (Idle Timeout, as in the example above). You can change the idle timeout in the default group policy, or create a new group policy and apply it to the tunnel group. I would suggest the latter.

group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 vpn-idle-timeout none
 exit
tunnel-group 1.1.1.1 general-attributes
 default-group-policy VPN_POLICY
 exit

Syslogs as seen in Kiwi Syslog Server:

[Screenshot: Kiwi Syslog Server]

ASA config and logs coming soon….
