Hi, I have a p2p IPSec VPN tunnel between two PIX 501s, with the head end sending traps to a syslog server. My customer is complaining of timeouts across the link with their Citrix session, but my ping tests are coming back fine (250 ms from Auckland, NZ to Seattle, USA, <1% packet loss over ADSL). I would like to catch in Kiwi Syslog just the events indicating that the VPN tunnel has dropped and renegotiated, but without having to wade through piles of debug/informational level traps. Does anyone have any suggestions on how to achieve this, or perhaps another strategy?
I believe the isakmp log function is only an on-PIX log buffer for ISAKMP events. You could set logging to debug, and then disable all the events you do not want to see on the PIX (i.e., no logging message xxxx). You could use the logging message 1001001 level command to elevate the level of specific messages (so migrating messages from being debug to error, warning, etc.).
Or, you could find something to parse the Kiwi Syslog output for you and generate reports. This might be ideal, as you would be assured of having the full log detail archived.
Thanks, those were good suggestions. I chose to use the logging message command to elevate the message IDs 602301 & 602302 to warnings so that I would get the SA creations and deletions into Kiwi Syslog. This should provide me with the visibility I am after.
602301: sa created, (sa) sa_dest=
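As an added example (not code from the thread), the Python below filters constructed PIX-style syslog lines down to the 602301/602302 SA events that were elevated to warnings and pairs each SA deletion with the next creation for the same peer, so a drop-and-renegotiate shows up as one event with its gap instead of two lines buried among everything else. The hostname, peer addresses, SPIs and timestamps are all constructed; the message text follows the 602301/602302 shape quoted above.

```python
import re
from datetime import datetime
# Constructed sample, not real customer logs: PIX-style syslog lines as they
# would arrive after "logging message 602301 level warnings" (and 602302), so
# the SA events come in at severity 4, plus one severity-6 connection line.
SAMPLE_LOG = """\
Mar 10 2009 09:15:02 pix-head %PIX-4-602301: sa created, (sa) sa_dest= 203.0.113.5, sa_prot= 50, sa_spi= 0x1a2b3c4d(439041101), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 1
Mar 10 2009 09:15:02 pix-head %PIX-4-602301: sa created, (sa) sa_dest= 198.51.100.9, sa_prot= 50, sa_spi= 0x5e6f7081(1584361601), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 2
Mar 10 2009 10:42:17 pix-head %PIX-4-602302: deleting SA, (sa) sa_dest= 203.0.113.5, sa_prot= 50, sa_spi= 0x1a2b3c4d(439041101), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 1
Mar 10 2009 10:42:17 pix-head %PIX-4-602302: deleting SA, (sa) sa_dest= 198.51.100.9, sa_prot= 50, sa_spi= 0x5e6f7081(1584361601), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 2
Mar 10 2009 10:42:18 pix-head %PIX-6-302013: Built outbound TCP connection 5123 for outside:203.0.113.5/1494 (203.0.113.5/1494) to inside:10.0.0.20/3305 (10.0.0.20/3305)
Mar 10 2009 10:42:21 pix-head %PIX-4-602301: sa created, (sa) sa_dest= 203.0.113.5, sa_prot= 50, sa_spi= 0x7788990a(2005440778), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 3
Mar 10 2009 10:42:21 pix-head %PIX-4-602301: sa created, (sa) sa_dest= 198.51.100.9, sa_prot= 50, sa_spi= 0x0b0c0d0e(185339150), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 4
Mar 10 2009 11:30:05 pix-head %PIX-4-602302: deleting SA, (sa) sa_dest= 203.0.113.5, sa_prot= 50, sa_spi= 0x7788990a(2005440778), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 3
"""

SA_EVENT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d) .*?%PIX-\d-(?P<msg>60230[12]): "
    r".*?sa_dest= (?P<peer>[0-9.]+), .*?sa_spi= (?P<spi>0x[0-9a-fA-F]+)"
)

def parse_sa_events(log_text):
    """Keep only IPsec SA created (602301) / deleted (602302) events, in log order."""
    events = []
    for line in log_text.splitlines():
        m = SA_EVENT.search(line)
        if not m:  # connection builds, debug chatter etc. are dropped here
            continue
        events.append({"time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                       "kind": "created" if m["msg"] == "602301" else "deleted",
                       "peer": m["peer"], "spi": m["spi"].lower()})
    return events

def find_renegotiations(events, window_seconds=300):
    """Pair each SA deletion with the next creation for the same peer: a creation
    inside the window is a drop that renegotiated; none means the tunnel stayed down."""
    renegotiated, unrecovered = [], []
    for i, ev in enumerate(events):
        if ev["kind"] != "deleted":
            continue
        nxt = next((e for e in events[i + 1:]
                    if e["peer"] == ev["peer"] and e["kind"] == "created"), None)
        gap = (nxt["time"] - ev["time"]).total_seconds() if nxt else None
        if gap is not None and gap <= window_seconds:
            renegotiated.append({"peer": ev["peer"], "down_at": ev["time"],
                                 "up_at": nxt["time"], "gap_seconds": gap})
        else:
            unrecovered.append(ev)
    return renegotiated, unrecovered
```

Run over an exported Kiwi Syslog file, the unrecovered list is the one worth alerting on, while a cluster of short renegotiations lining up with the Citrix timeouts is the evidence the ping test alone would not show.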