anyconnect vpn failed attempt logs

zietgiestt
Level 1

Hello,

My firewall (Cisco ASA 5516-X) is being hammered on with user accounts attempting to connect to my VPN via the Cisco AnyConnect client.

These are bad password attempts, and they are locking out these users.

I have Microsoft MFA enabled for AnyConnect connections, so the traffic flow is:

AnyConnect login; user account verification goes to a RADIUS server; the account is verified, then passed to the NPS server for the MFA challenge.

Bad password = rejected, valid password = MFA challenge sent.

Actively looking at the real-time log monitor from the ASA, I can't see any failed connection attempts, and I'm thinking it's because the MFA challenge is not being sent, therefore no connection is even attempted to the ASA.

My question is, should I be able to see failed AnyConnect attempts in the log monitor with this traffic flow?

I'd like to find the source IP this attack is coming from.

I have a filter for syslog IDs 722055, 722056 & 722042, but all I can see are valid connections.

Any help is appreciated...


Thanks,

D

Accepted Solution

Marvin Rhoads
Hall of Fame

The majority of customers running remote access VPNs have been seeing these attempts this year. They originate from thousands of IPs worldwide.

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

Some recommendations for hardening can be found here (it mentions the syslog IDs mentioned by @tvotna):

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Also make sure you update to a fixed release for this vulnerability:

https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response


4 Replies

tvotna
Spotlight

Not sure about this specific scenario, but try to add 113005 and 716039 to the filter.
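As an added example (not code from any poster in this thread): a small Python script that applies the suggestion above offline, scanning ASA syslog lines for the authentication-failure message IDs 113005 and 716039 and counting failures per source IP, flagging addresses that tried several different accounts. The sample log lines are constructed and their field layout is approximated from the documented message formats, so the regexes are kept deliberately loose.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not from the thread); field layout is approximated.
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = jdoe : user IP = 203.0.113.7
%ASA-6-716039: Group <RA-VPN> User <jdoe> IP <203.0.113.7> Authentication: rejected, Session Type: WebVPN
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = asmith : user IP = 203.0.113.7
%ASA-6-722055: Group <RA-VPN> User <bwhite> IP <198.51.100.23> Client Type: Cisco AnyConnect VPN Agent for Windows 4.10.07061
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = cjones : user IP = 198.51.100.44
%ASA-6-716039: Group <RA-VPN> User <cjones> IP <198.51.100.44> Authentication: rejected, Session Type: WebVPN
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.10.0.5 : user = dlee : user IP = 203.0.113.7
"""

FAILURE_IDS = {"113005", "716039"}          # AAA rejection and WebVPN/AnyConnect auth-rejected messages
MSG_ID_RE = re.compile(r"%ASA-\d-(\d{6}):")
# The two message formats carry the client address in different field styles.
IP_RE = re.compile(r"(?:user IP = |IP <)(\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r"(?:user = |User <)([^\s:>]+)")

def parse_failures(log_text):
    """Return (msg_id, user, source_ip) tuples for every authentication-failure line."""
    failures = []
    for line in log_text.splitlines():
        m = MSG_ID_RE.search(line)
        if not m or m.group(1) not in FAILURE_IDS:
            continue  # successful sessions (e.g. 722055) are not failures
        ip = IP_RE.search(line)
        user = USER_RE.search(line)
        failures.append((m.group(1), user.group(1) if user else None, ip.group(1) if ip else None))
    return failures

def failures_by_source(log_text, min_users=2):
    """Count failures per source IP and list IPs that tried at least min_users distinct accounts."""
    per_ip = Counter()
    users_per_ip = {}
    for _, user, ip in parse_failures(log_text):
        if ip is None:
            continue
        per_ip[ip] += 1
        users_per_ip.setdefault(ip, set()).add(user)
    spraying = sorted(ip for ip, users in users_per_ip.items() if len(users) >= min_users)
    return per_ip, spraying

if __name__ == "__main__":
    counts, spraying = failures_by_source(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed attempts")
    print("sources trying multiple accounts:", spraying)
```

Feed it the output of the ASA's real-time log monitor or a syslog export; the per-IP counts give the source addresses the original poster was looking for.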


ccieexpert
Level 1

Besides the ASA logs, the RADIUS server should also show the Calling-Station-Id in the logs, which is the public IP of the endpoint making the connection attempt.

zietgiestt
Level 1

Thanks everyone for the insight.
