cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
387
Views
0
Helpful
4
Replies

anyconnect vpn failed attempt logs

zietgiestt
Level 1
Level 1

Hello,

My firewall (cisco asa 5516X) is being hammered on with user accounts attempting to connect to my vpn via cisco anyconnect client.

These are bad pword attempts and locking out these users. 

I have Microsoft MFA enabled for anyconnect connections, so the traffic flow is:

anyconnect login, user account verification goes to a radius server, account is verified then passed to NPS server for MFA challenge.

bad pword=rejected, valid pword=mfa challenge sent.

actively looking at real time log monitor from asa, I can't see any failed connection attempts and I'm thinking it's because of the MFA challenge not being sent therefore no connection is even attempted to the asa.

My question is, should I be able to see failed anyconnect attempts in the log monitor with this traffic flow?

I'd like to find the source IP this attack is coming from.

I have a filter for syslog_ids: 722055,722056 & 722042 but all I can see are valid connections.

Any help is appreciated...


Thanks,

D

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

The majority of customers running remote access VPNs have been seeing these attempts this year. They originate from thousands of IPs worldwide.

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

Some recommendations for hardening can be found here (mentions the syslog IDs mentioned by @tvotna

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Also make sure you update to a fixed release for this vulnerability:

https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response

View solution in original post

4 Replies 4

tvotna
Spotlight
Spotlight

Not sure about this specific scenario, but try to add 113005 and 716039 to the filter.

 

Marvin Rhoads
Hall of Fame
Hall of Fame

The majority of customers running remote access VPNs have been seeing these attempts this year. They originate from thousands of IPs worldwide.

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

Some recommendations for hardening can be found here (mentions the syslog IDs mentioned by @tvotna

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Also make sure you update to a fixed release for this vulnerability:

https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response

ccieexpert
Level 3
Level 3

besides the ASA logs, the radius server should also show the calling-station-id in the logs, which is the public ip of the endpoint making the connection attempt.

zietgiestt
Level 1
Level 1

Thanks every one for the insight

Review Cisco Networking for a $25 gift card