IPSec PIX 501 - ASA 5510 -> log flooded with %ASA-4-402116

In a VPN of eight PIXen (501 and 515E), fully meshed with IPSec tunnels,
one of the nodes has been upgraded to an ASA 5510 to increase performance.
I have migrated the config according to the book, and everything is
running fine, but the new ASA is spamming my central log server with
messages like this:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xxxxxxxxx, sequence number= 0xxxxx) from <pix-ip> (user= <pix-ip>) to <asa-ip>.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as <asa-client>, its source as <src>, and its protocol as 1.  The SA specifies its local proxy as <asa-client-net>/<asa-client-netmask>/0/0 and its remote_proxy as <pix-client-net>/<pix-client-netmask>/0/0.

where <src> is either
- an IP address which doesn't match any access-list entry in the sending
   PIX's config and therefore shouldn't have been encapsulated in the first
   place, or
- an IP address which does match one of several access-list entries for
   the crypto map on the receiving ASA, but the log message lists a
   different, non-matching entry of the same access-list.

Example for the second case because I'm not sure my description is very
clear:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x127) from <pix-ip> (user= <pix-ip>) to <asa-ip>.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 192.168.1.101, its source as 10.111.1.2, and its protocol as 1.  The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.

where the relevant access-list is:

access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.111.1.0 255.255.255.0
access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list pixtoasa extended permit ip host <asa-ip> 10.0.0.0 255.255.0.0
access-list pixtoasa extended permit ip 192.168.246.0 255.255.255.0 10.111.1.0 255.255.255.0
crypto map vpnmap 40 match address pixtoasa

What might cause this and, more importantly, how can I get rid of it,
short of saying "no logging message 402116"?

aTdHvAaNnKcSe
Tilman

-- 
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Posted 1/24/2008 10:49:04 AM to comp.dcom.sys.cisco (0 replies, 622 views)
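As an added example (not code from the original post), here is a small Python triage script that parses the 402116 message and the crypto-map access-list quoted above and, for each logged packet, reports whether a different entry of the same access-list covers it (the second case above) or no entry does (the first case). It assumes 203.0.113.1 as a constructed stand-in for the post's <asa-ip> host entry, and the second log line is a constructed first-case message.

```python
# Triage %ASA-4-402116 messages against a crypto-map access-list.  Added example, not from
# the post: does the inner src/dst fit the SA's proxies, a *different* ACE (case 2), or none (case 1)?
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

MSG_RE = re.compile(
    r"%ASA-4-402116:.*?destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\.\s+The SA specifies its local proxy as "
    r"(?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ and its remote_proxy as "
    r"(?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+\.", re.S)

@dataclass
class Ace:
    name: str
    local: ipaddress.IPv4Network   # ACE source = ASA side (the SA's local proxy)
    remote: ipaddress.IPv4Network  # ACE destination = PIX side (the SA's remote proxy)

@dataclass
class Event:
    inner_src: ipaddress.IPv4Address
    inner_dst: ipaddress.IPv4Address
    proto: int
    local_proxy: ipaddress.IPv4Network
    remote_proxy: ipaddress.IPv4Network

def _net(t, i):
    """Consume one ASA address spec (any | host A | A MASK) at t[i]; return (net, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST'; None for any other line."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:5] != ["extended", "permit", "ip"]:
        return None
    local, i = _net(t, 5)
    remote, _ = _net(t, i)
    return Ace(t[1], local, remote)

def parse_event(msg):
    """Extract inner addresses, protocol and SA proxies from one 402116 message."""
    m = MSG_RE.search(msg)
    if not m:
        return None
    net = lambda n, k: ipaddress.ip_network(f"{m[n]}/{m[k]}", strict=False)
    return Event(ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                 int(m["proto"]), net("lnet", "lmask"), net("rnet", "rmask"))

def classify(ev, aces):
    """Return (verdict, index of the covering ACE or None); 'permit ip' covers every protocol."""
    if ev.inner_dst in ev.local_proxy and ev.inner_src in ev.remote_proxy:
        return "sa-match", None        # fits the SA; the ASA would not have logged this
    for idx, ace in enumerate(aces):
        if ev.inner_dst in ace.local and ev.inner_src in ace.remote:
            return "other-ace", idx    # case 2: a different ACE of the crypto ACL covers it
    return "no-ace", None              # case 1: nothing in the crypto ACL covers it

def summarize(log_lines, acl_lines):
    """Count verdicts over a batch of messages: the triage view for a flooded log."""
    aces = [a for a in map(parse_ace, acl_lines) if a]
    counts = Counter()
    for ev in filter(None, map(parse_event, log_lines)):
        counts[classify(ev, aces)[0]] += 1
    return counts

# The post's access-list; 203.0.113.1 is a constructed stand-in for its <asa-ip>.
ACL_LINES = [
    "access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.111.1.0 255.255.255.0",
    "access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0",
    "access-list pixtoasa extended permit ip host 203.0.113.1 10.0.0.0 255.255.0.0",
    "access-list pixtoasa extended permit ip 192.168.246.0 255.255.255.0 10.111.1.0 255.255.255.0",
]
# First entry is the post's case-2 message; the second is a constructed case-1 message.
LOG_LINES = [
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x127) from <pix-ip> (user= <pix-ip>) to <asa-ip>.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 192.168.1.101, its source as 10.111.1.2, and its protocol as 1.  The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.",
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x128) from <pix-ip> (user= <pix-ip>) to <asa-ip>.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 192.168.1.50, its source as 172.31.9.7, and its protocol as 6.  The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.",
]

if __name__ == "__main__":
    print(summarize(LOG_LINES, ACL_LINES))   # Counter({'other-ace': 1, 'no-ace': 1})
```

Feeding the script the ASA's real syslog export tells you, per message, which access-list entry the inner packet actually belongs to, which is the first thing to compare against the sending PIX's crypto ACL.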
