this is the logging conf on an ASA5520 cluster of mine:

logging enable
logging timestamp
logging standby
logging asdm-buffer-size 300
logging console critical
logging buffered informational
logging flash-bufferwrap
logging flash-minimum-free 6152
logging flash-maximum-allocation 10240

to get persistent logs, send them to a syslog server or ftp. At a conf prompt do help logging for the syntax.

Cheers,

Chris
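
As an added example (not code from the original thread or from Cisco), a small Python check for the phase-1 lifetime mismatch Chris describes further down: it pairs each local `isakmp policy` with the peer's policy that carries the same proposal attributes and reports differing lifetimes. LOCAL_CFG repeats the isakmp policy lines from the posted PIX config; PEER_CFG is a constructed, hypothetical remote gateway.

```python
import re
POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\w+) (\S+)\s*$", re.M)

# Constructed sample: LOCAL_CFG repeats the isakmp policy lines from the posted PIX
# config; PEER_CFG is a hypothetical remote gateway with a shorter phase-1 lifetime.
LOCAL_CFG = """
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
"""
PEER_CFG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
"""

def parse_isakmp_policies(cfg):
    """Return {policy_number: {attribute: value}} from PIX 6.3 'isakmp policy' lines."""
    policies = {}
    for num, attr, val in POLICY_RE.findall(cfg):
        policies.setdefault(int(num), {})[attr] = val
    return policies

def proposal_key(policy):
    # Policy numbers are only local priorities; peers agree on the proposal attributes.
    return tuple(policy.get(k) for k in ("authentication", "encryption", "hash", "group"))

def lifetime_mismatches(local_cfg, peer_cfg):
    """Pair local and peer policies by proposal; report missing peers and differing lifetimes."""
    local = parse_isakmp_policies(local_cfg)
    peer = {proposal_key(p): p for p in parse_isakmp_policies(peer_cfg).values()}
    findings = []
    for num, p in sorted(local.items()):
        match = peer.get(proposal_key(p))
        if match is None:
            findings.append((num, "no matching proposal on peer"))
        elif match.get("lifetime") != p.get("lifetime"):
            findings.append((num, f"local lifetime {p['lifetime']} vs peer {match['lifetime']}"))
    return findings

if __name__ == "__main__":
    print(lifetime_mismatches(LOCAL_CFG, PEER_CFG))
```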

> -----Original Message-----
> From: vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com
> [mailto:vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com] On Behalf Of Kindy Sylla
> Sent: Wednesday, May 10, 2006 5:25 PM
> To: Meidinger Chris; vpn@lists.shmoo.com
> Subject: [VPN] Re: Pix doesn't respond after a while
>
> Can you please tell me how to get the information you are requesting. Especially how to get the log from the pix..
>
> Thanks!
>
> Meidinger Chris wrote:
>
> is a lot of data traversing the tunnel? maybe there is a size limit on one side?
>
> can you post a log from the pix while ping is not working?
>
> also, can you get a log from the remote peer at that same time?
>
> Chris
>
> -----Original Message-----
> From: Kindy Sylla [mailto:kindy_s@yahoo.fr]
> Sent: Wed 10-May-06 12:14
> To: Meidinger Chris; vpn@lists.shmoo.com
> Subject: RE: [VPN] Pix doesn't respond after a while
>
> Hi Chris,
>
> Thanks for the suggestion.
>
> I verified and the other side has the same lifetime value.
>
> Any other idea? Any help would be great!!!
>
> Kindy
>
> Meidinger Chris wrote:
> Hi Kindy,
>
> It sounds like the tunnel lifetimes are not the same.
>
> You have 'isakmp policy 9 lifetime 86400' which means that the tunnel will be torn down and renegotiated after 86400 seconds. Does the other side have the same lifetime? If not, the peer gateway won't be ready to reneg the tunnel and will (probably) spit out a Bad SPI log message for each of your side's negotiation attempts.
>
> That's definitely the first thing to check!
>
> HTH,
>
> Chris
>
> -----Original Message-----
> From: vpn-bounces+chris.meidinger=badenit.de@lists.shmoo.com on behalf of Kindy Sylla
> Sent: Tue 09-May-06 10:55
> To: vpn@lists.shmoo.com
> Subject: [VPN] Pix doesn't respond after a while
>
> Hi,
>
> I am having a strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done, the VPNs are created between the 2 different sites. The problem is after 5 to 6 hours of running, the ping to the remote hosts doesn't go through. When I try to ping a remote host, I see the following lines in the debug icmp trace:
>
> -request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40
> 44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
> 45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40
> 46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
>
> And when the remote host tries to ping a local machine, I can see the request coming without any reply.
>
> To get the ping to work, we have to reload it.
>
> Do you have any idea?
>
> Please find below my config file:
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password N7FecZuSHJlVZC2P encrypted
> passwd N7FecZuSHJlVZC2P encrypted
> hostname pixbenin
> domain-name boabenin.bj
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
> access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
> access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
> access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
> access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
> access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
> access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
> access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
> pager lines 24
> mtu outside 500
> mtu inside 1500
> ip address outside 81.91.235.147 255.255.255.192
> ip address inside 10.102.155.135 255.255.255.128
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> nat (inside) 0 10.102.156.0 255.255.252.0 0 0
> route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
> route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 30 set transform-set strong
> crypto map toX 20 ipsec-isakmp
> crypto map toX 20 match address acl_vpn
> crypto map toX 20 set peer 196.200.82.35
> crypto map toX 20 set transform-set strong
> crypto map toX 30 ipsec-isakmp
> crypto map toX 30 match address acl_blgo
> crypto map toX 30 set peer 194.78.211.130
> crypto map toX 30 set transform-set strong
> crypto map toX 9990 ipsec-isakmp dynamic dynmap
> crypto map toX interface outside
> isakmp enable outside
> isakmp key ******** address 196.200.82.35 netmask 255.255.255.255
> isakmp key ******** address 194.78.211.130 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 9 authentication pre-share
> isakmp policy 9 encryption 3des
> isakmp policy 9 hash sha
> isakmp policy 9 group 1
> isakmp policy 9 lifetime 86400
> isakmp policy 19 authentication pre-share
> isakmp policy 19 encryption 3des
> isakmp policy 19 hash sha
> isakmp policy 19 group 2
> isakmp policy 19 lifetime 86400
> telnet timeout 5
> ssh 194.7.174.162 255.255.255.255 outside
> ssh 194.7.174.163 255.255.255.255 outside
> ssh 10.102.156.0 255.255.252.0 inside
> ssh 10.102.155.0 255.255.255.0 inside
> ssh timeout 5
> console timeout 0
> terminal width 80
> Cryptochecksum:7458b1b938134f7d52ed82d4e2003210
>
> Regards,
>
> Kindy

_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn