06-12-2024 09:14 AM
Hello,
My firewall (Cisco ASA 5516-X) is being hammered with user accounts attempting to connect to my VPN via the Cisco AnyConnect client.
These are bad password attempts and are locking out these users.
I have Microsoft MFA enabled for AnyConnect connections, so the traffic flow is:
AnyConnect login, user account verification goes to a RADIUS server, the account is verified and then passed to the NPS server for the MFA challenge.
Bad password = rejected; valid password = MFA challenge sent.
Actively looking at the real-time log monitor on the ASA, I can't see any failed connection attempts, and I'm thinking it's because the MFA challenge is not being sent, so no connection is even attempted to the ASA.
My question is: should I be able to see failed AnyConnect attempts in the log monitor with this traffic flow?
I'd like to find the source IP this attack is coming from.
I have a filter for syslog IDs 722055, 722056 & 722042, but all I can see are valid connections.
Any help is appreciated...
Thanks,
D
06-12-2024 12:45 PM - edited 06-12-2024 12:45 PM
The majority of customers running remote access VPNs have been seeing these attempts this year. They originate from thousands of IPs worldwide.
Some recommendations for hardening can be found here (mentions the syslog IDs mentioned by @tvotna).
Also make sure you update to a fixed release for this vulnerability:
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
06-12-2024 11:16 AM
Not sure about this specific scenario, but try to add 113005 and 716039 to the filter.
06-13-2024 03:39 PM
Besides the ASA logs, the RADIUS server should also show the Calling-Station-Id in its logs, which is the public IP of the endpoint making the connection attempt.
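As an added illustration of the two suggestions above (filtering on 113005/716039 and pivoting to the source IP), here is a small Python parser that pulls the client IP and username out of those two ASA rejection messages and groups the failures per source. It is not code from the thread; the sample syslog lines are constructed, and the field layouts it matches follow the documented formats of those two message IDs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ASA syslog lines (not taken from the thread).
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
%ASA-6-716039: Group <RA-VPN> User <jsmith> IP <203.0.113.7> Authentication: rejected, Session Type: AnyConnect
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = akhan : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bwong : user IP = 198.51.100.9
%ASA-6-722022: Group <RA-VPN> User <mlee> IP <192.0.2.44> TCP SVC connection established without compression
"""

# Syslog IDs the thread suggests adding to the filter for rejected AAA/AnyConnect attempts.
REJECT_IDS = {"113005", "716039"}

# Per-message patterns for the username and client IP. The layouts are an assumption
# based on the documented message formats; adjust if your ASA release prints them differently.
PATTERNS = {
    "113005": re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    "716039": re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>\d+\.\d+\.\d+\.\d+)> Authentication: rejected"),
}
ID_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):")


def parse_rejects(log_text):
    """Return a list of (syslog_id, user, source_ip) for every rejected attempt in the log."""
    rejects = []
    for line in log_text.splitlines():
        m = ID_RE.search(line)
        if not m or m.group("id") not in REJECT_IDS:
            continue  # valid sessions and unrelated messages are skipped
        fields = PATTERNS[m.group("id")].search(line)
        if fields:
            rejects.append((m.group("id"), fields.group("user"), fields.group("ip")))
    return rejects


def spray_sources(rejects, min_failures=2):
    """Map each source IP with at least min_failures rejects to the sorted usernames it tried.

    Note that one failed login can emit both 113005 and 716039, so tune min_failures
    against your own log volume rather than treating it as an exact attempt count."""
    per_ip = Counter(ip for _, _, ip in rejects)
    users = defaultdict(set)
    for _, user, ip in rejects:
        users[ip].add(user)
    return {ip: sorted(users[ip]) for ip, n in per_ip.items() if n >= min_failures}
```

Feed it the output of the ASA log filter (or a syslog archive) and the resulting map gives the source addresses and the spread of usernames each one attempted, which is the pivot the RADIUS Calling-Station-Id also provides.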
06-14-2024 08:41 AM
Thanks everyone for the insight