topic Re: Need clarification in message ids of cisco in Network Security

Need clarification in message ids of cisco

viswesh1406 — Mon, 11 Mar 2019 22:47:17 GMT

Hi Guys,

I am analyzing cisco vpn logs, 113009 message id log contains the group name for that particualr user, when he logs out, 113019 log is sent, which has a different group name.

Can you tell me what is the difference between the two groups?

Thanks,

M.Viswesh.

Need clarification in message ids of cisco

Jouni Forss — Tue, 27 Mar 2012 14:24:22 GMT

Hi,

I think the syslog ID 113009 message refers to the Group Policy that was applied to the user

Syslog ID 113019 message seems to refer to the name of the tunnel-group name.

What device are the VPNs on and what software version?

- Jouni

Need clarification in message ids of cisco

viswesh1406 — Tue, 27 Mar 2012 14:46:16 GMT

Jouni,

Thanks a lot Jouni. Whether the values depend on cisco model and software version?coz In our network, we have more than 10 firewalls(I dont know the versions used). I am analyzing the logs to create reports.

can you explain me what is a tunnel group name? Sorry for the basic questions.

Thanks in advance,

M.Viswesh

Re: Need clarification in message ids of cisco

Jouni Forss — Tue, 27 Mar 2012 15:02:22 GMT

Hi,

I'm not sure if the type of device and software matter but just wanted to make sure.

I'm not sure if I got the syslog ID right.

"tunnel-group" is the name of the connection.

- For L2L VPN the tunnel-group name in your ASA/PIX configurations is always the remote peer IP address.
- Like for example "tunnel-group 1.2.3.4 type ipsec-l2l"
- For Client VPN the group-name can be anything
- Like for example "tunnel-group REMOTE-USER-VPN-01 type ipsec-ra"

With Cisco IPsec VPN Client connections you use the tunnel-group name as the Group name in when you are configuring the VPN connection to your VPN Client software. Pre-shared-key in that situation is the password.

The very basic configurations for L2L VPN tunnel-group would be something like this (for the whole connection you ofcourse need alot more configurations but the tunnel-group configuration has atleast the "pre-shared-key" configuration):

tunnel-group 1.2.3.4 type ipsec-l2l

tunnel-group 1.2.3.4 ipsec-attributes

pre-shared-key ThisIsThekey

For a VPN Client connection the tunnel-group configuration could look something like this (Again not a full configuration):

tunnel-group REMOTE-USER-VPN-01 type ipsec-ra

tunnel-group REMOTE-USER-VPN-01 general-attributes

address-pool REMOTE-VPN-POOL

default-group-policy REMOTE-USER-VPN-01-GP

tunnel-group REMOTE-USER-VPN-01 ipsec-attributes

pre-shared-key ThisIsThekey

- Jouni

Re: Need clarification in message ids of cisco

viswesh1406 — Tue, 27 Mar 2012 15:21:32 GMT

Jouni the quick fire,

Thanks a lot man , i dont need L2L vpn, for remote client vpn, why the group name differs? let me post you the logs.

<166>Feb 21 2011 10:31:58 FO-ELD-ASA : %ASA-6-113009: AAA retrieved default group policy (GP-FTO-ELD-VPNGROUP) for user = dclem@gmail.com

<164>Feb 21 2011 11:47:14 FO-ELD-ASA : %ASA-4-113019: Group = portal2PROFILE, Username = dclem@gmail.com, IP = 67.xxx.108.162, Session disconnected. Session Type: SSL, Duration: 1h:15m:16s, Bytes xmt: 1831910, Bytes rcv: 365237, Reason: Idle Timeout.

In the above logs, which one i should take it as group? group is different for login and logout log.

Thanks in advance.

M.Viswesh

Re: Need clarification in message ids of cisco

Jouni Forss — Tue, 27 Mar 2012 15:42:57 GMT

Hi,

The first message tells that after the user (with the mentioned username) logged in, his connection was applied with the configurations/rules under the "group-policy GP-FTO-ELD-VPNGROUP" on the ASA. The group-policy basicly just lets you define some specific settings to the actual VPN connection. Like which networks the user is allowed to access through the VPN.

show run group-policy displays all the group-policies configured on your ASA

The second messages group tells the name of the actual VPN profile/connection the user was using

show run tunnel-group displays all the tunnel-groups configured on your ASA

You should find the above group-policy GP-FTO-ELD-VPNGROUP configured under the tunnel-group configurations.

So,

portal2PROFILE = tunnel-group = VPN connections name

GP-FTO-ELD-VPNGROUP = group-policy = Contains additional settings for all the users using the VPN connection named portal2PROFILE

Hope this clarifies the thing a bit. I'm not sure if I was able to explain it any better.

Please rate if it was any help

- Jouni

Re: Need clarification in message ids of cisco

viswesh1406 — Wed, 28 Mar 2012 05:55:20 GMT

Jouni,

Thanks a lot. It helped a lot

Re: Need clarification in message ids of cisco

viswesh1406 — Wed, 28 Mar 2012 06:07:22 GMT

Hi Jouni,

I see that 113011 message id log shows user specific group policy. what is the difference between these two log?

But i see they havee different name.

<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113011: AAA retrieved user specific group policy (AWA-VPN-GP02) for user = ktakepoochi

<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113009: AAA retrieved default group policy (NOACCESS) for user = ktakepoochi

Regards,

M.Viswesh.

Need clarification in message ids of cisco

Jouni Forss — Wed, 28 Mar 2012 06:33:30 GMT

Hi,

I'm not 100% sure but it seems to me that the username "ktakeuchi" has its own "group-policy" configured. If you check the username configurations under ASDM, you can see that you assing "group-policy" straight to the username.

You can also lock the username in question to some specific "tunnel-group".

I can't remember at the moment which setting overrides the other. I think there is certain order in which the "group-policy" rules are applied. I think the settings under "username" configurations apply. If the user didnt have the "group-policy" configured under his username, the "group-policy" configured under the tunnel-group/connection name that the person is using would be applied to the user.

As I said I'm not 100% sure Maybe someone can confirm/correct what I just wrote.