vpn concentrator accounting

I have a cisco 7200 VPN concentrator version 12.4(7)

I will post the configs at the bottom of file.

I am able to get authentication and authorization to the AAA server. In fact I get accounting from the telnet sessions as people log into the device.
I am missing the accounting logs when people VPN into one of the profiles that rides a different vrf.

Here are the configs of the box.

##########################
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname c7206-3
!
boot-start-marker
boot system flash disk2:c7200-ik9s-mz.124-7.bin
boot system flash disk2:c7200-ik9s-mz.124-1c.bin
boot-end-marker
!
!
redundancy inter-device
 scheme standby client-vpn
!
!
redundancy
logging buffered 65535 debugging
no logging console
enable <key>
!
aaa new-model
!
!
!
aaa group server tacacs+ vpn-dmz
 server ACS1
 server ACS2
 ip vrf forwarding vpn-dmz
 ip tacacs source-interface Ethernet0/0
!
aaa authentication login default local
aaa authentication login vpn-dmz group vpn-dmz
aaa authentication login friend group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization network default local
aaa authorization network vpn-dmz group vpn-dmz
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network vpn-dmz start-stop group vpn-dmz
aaa accounting connection default start-stop group tacacs+
aaa accounting connection vpn-dmz start-stop group vpn-dmz
!
aaa session-id common
!
resource policy
!
!
no ip source-route
!
!
ip cef
ip tcp synwait-time 5
no ip domain lookup
ip domain name biz.net
!
!
<text removed>

ip vrf vpn-dmz
 rd 192.168.3.5:<some#>
 route-target export 192.168.3.25:<some#>
 route-target import 192.168.3.25:<some#>
!
<test removed>
!
ip ssh rsa keypair-name <name>
ip ssh version 2
!
!
!
<crypto pki certificate info >

username name privilege key
!
!
controller ISA 1/1
!
controller ISA 2/1
!
crypto logging session
!
crypto isakmp identity dn
crypto isakmp keepalive 10
!
crypto isakmp client configuration group vpn-dmz
 key <key>
 dns 14.5.10.8 141.116.2.169
 pool vpn-dmz
!

crypto isakmp profile vpn-dmz
   vrf vpn-dmz
   match identity group vpn-dmz
   client authentication list vpn-dmz
   isakmp authorization list default
   client configuration address respond
!
!
crypto ipsec transform-set vpn-dmz
!
!
crypto dynamic-map vpn-dmz 10
 set security-association lifetime seconds 28800
 set transform-set vpn-dmz
 set isakmp-profile vpn-dmz
 reverse-route remote-peer
!
!
!
crypto map client-vpn 10 ipsec-isakmp dynamic vpn-dmz
!
!
!
!
interface Loopback0
 description management loopback
 ip address 192.168.2.2 255.255.255.255
!
!
interface Ethernet0/0
 ip vrf forwarding vpn-dmz
 ip address 192.168.2.3 <MASK>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
!
 !
 address-family ipv4 vrf vpn-dmz
 redistribute static
 neighbor groupName peer-group
 neighbor groupName send-community
 neighbor groupName soft-reconfiguration inbound
 neighbor groupName distribute-list default-only in
 neighbor groupName route-map groupName out
 neighbor <IP> remote-as 65100
 neighbor <IP> peer-group groupName neighbor <IP> activate
 neighbor <IP> remote-as 65100
 neighbor <IP> peer-group groupName
 neighbor <IP> activate
 no synchronization
 exit-address-family
 !
 !
ip local pool vpn-dmz 192.168.1.1 192.168.1.127

ip route 0.0.0.0 0.0.0.0 192.168.1.9
!
no ip http server
no ip http secure-server
ip tacacs source-interface Loopback0
!
!
ip prefix-list groupName description "Address pool for vpn-dmz"
ip prefix-list groupName seq 5 permit 192.168.1.0/25 le 32
ip prefix-list groupName seq 100 deny 0.0.0.0/0 le 32

logging trap notifications
logging source-interface Loopback0
logging <log server>
!
tacacs-server host ACS1
tacacs-server host ACS2
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key <key>
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
end
#####################################
rperedaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rperedaAuthor Commented:
Solution for this problem is to add accounting to the crypto isakmp profile. This was accompanied by pointing this profile to the vrf.
0
rperedaAuthor Commented:
*********
Please CLOSE
*********

crypto isakmp profile vpn-dmz
   vrf vpn-dmz
   match identity group vpn-dmz
   client authentication list vpn-dmz
   isakmp authorization list default
   client configuration address respond
   accounting vpn-dmz
0
EE_AutoDeleterCommented:
rpereda,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.