Recently I’ve got a task of monitoring our site-to-site VPNs on some PIX firewalls (yeah, I know, we still use it in some locations). After a lot of researching I’ve found a working and quite decent solution for now. Monitoring specific syslog IDs for VPN disconnections looks like the way to go.
I’m going to start off with PIX and will add the ASA config when I lab it up.
Note: You need not setup logging lists if you are already monitoring error level logs and above because the log message ID that we explicitly want to log for our VPN monitoring is a warning level log. Hence my logging list has a separate critical (level 2) logging as the VPN monitoring isn’t covered under that level.
PIX firewall config:
logging enable logging timestamp logging list LIST_NAME level critical logging list LIST_NAME message 113019 logging trap LIST_NAME logging host inside 10.1.1.30
Message ID 113019 – (level 4) This syslog message ID is generated when the VPN tunnel is broken (for different reasons). Below I have some examples of cases in which you would see this log;
Jun 28 2014 17:15:28: %PIX-4-113019: Group = 126.96.36.199, Username = 188.8.131.52, IP = 184.108.40.206, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:06s, Bytes xmt: 400, Bytes rcv: 400, Reason: Administrator Reset Jun 28 2014 17:17:01: %PIX-4-113019: Group = 220.127.116.11, Username = 18.104.22.168, IP = 22.214.171.124, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:01m:10s, Bytes xmt: 400, Bytes rcv: 400, Reason: Idle Timeout Jun 28 2014 17:30:18: %PIX-4-113019: Group = 126.96.36.199, Username = 188.8.131.52, IP = 184.108.40.206, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:12m:43s, Bytes xmt: 400, Bytes rcv: 400, Reason: Lost Service
You also want to set the vpn-idle-timeout value to none on both ends of the tunnel or else your VPN tunnel, if idle for 30 minutes, will keep getting disconnected. That will generate the same syslog ID but with a different reason code (can be seen in above example). You can change this idle timeout in the default-group-policy or create a new group-policy and apply it to the tunnel-group. I would suggest you do the later.
group-policy VPN_POLICY internal group-policy VPN_POLICY attributes vpn-idle-timeout none exit tunnel-group 220.127.116.11 general-attributes default-group-policy VPN_POLICY exit
Syslogs as seen in Kiwi Syslog server:
ASA config and logs coming soon….