topic Re: Show applied dap policies in FTD in Network Security

Show applied dap policies in FTD

carl_townshend — Fri, 03 Jan 2025 11:27:06 GMT

Hi All

Does anyone know if its possible to see what DAP policies or ACLSs are applied to a Remote access VPN session on the FTD?

We can do it on the ASDM on our ASA, but where can we find this info on the FTD?

Cheers

Re: Show applied dap policies in FTD

Rob Ingram — Fri, 03 Jan 2025 11:59:47 GMT

@carl_townshend To see what was applied to an actual user session, the "Remote Access VPN Dashboard" on the FMC may display this information (I don't have access to confirm). Else from the FTD CLI run "show vpn-sessiondb detail anyconnect" and filter on the user to see what has been applied.

Re: Show applied dap policies in FTD

carl_townshend — Fri, 03 Jan 2025 12:23:09 GMT

Hi Rob

I just tried that command on my ASA and it does not show you the DAP records applied.

Re: Show applied dap policies in FTD

Rob Ingram — Fri, 03 Jan 2025 12:37:53 GMT

@carl_townshend For example, if you assign an ACL via the DAP, this will appear as "Filter Name: <name of ACL>" when you look at the session using the "show vpn-sessiondb detail anyconnect " command. Example of that scenario here - https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200238-ASA-VPN-posture-with-CSD-DAP-and-AnyCon.html

Re: Show applied dap policies in FTD

carl_townshend — Fri, 03 Jan 2025 12:44:40 GMT

We just get the below

There is no such ACL as DAP-ip-user-60A28A09 on our ASA.

SSL-Tunnel:
Tunnel ID : 1237.2
Assigned IP : x.x.x.x Public IP : x.x.x.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 51761
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Conn Time Out: 720 Minutes Conn TO Left : 469 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.04065
Bytes Tx : 11198 Bytes Rx : 894
Pkts Tx : 18 Pkts Rx : 17
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : DAP-ip-user-60A28A09

Re: Show applied dap policies in FTD

MHM Cisco World — Fri, 03 Jan 2025 12:56:40 GMT

debug dap trace <<- use this debug to check if Server send DAP or not and what is name of DAP

MHM

Re: Show applied dap policies in FTD

Marvin Rhoads — Fri, 03 Jan 2025 13:14:18 GMT

I believe you can only get these via a DART file (from the client) or from a debug (on FTD headend). The LINA engine in FTD handles DAP pretty much the same as an ASA does, so the following article (old but mostly relevant) may help:

https://community.cisco.com/t5/security-knowledge-base/information-to-acquire-for-dap-troubleshooting/ta-p/3145426

The RA VPN dashboard or show command mentioned by @Rob Ingram unfortunately do not reveal this info. See sample output from the show command here (see Step 6):

https://docs.defenseorchestrator.com/t_verify-remote-access-vpn-configuration-of-asa.html