03-04-2025 05:34 AM
Hi all,
I'm using a Cisco ASA for VPN connections to the corporate network.
The ASA sends logs to a syslog server. While looking at the logs, it is clear that there are some brute-force attack attempts (around 20 connection-rejected logs in a row). The problem is that those logs don't show the username of the rejected connection. When a domain user incorrectly enters a password I can see his username in the log. Does anybody know why that is and how I could ensure that usernames of rejected connections are shown?
I use a couple of VPN groups with double authentication: for one group the authentication methods are LDAP + local database, for the other LDAP + certificate, so you cannot connect with just one password.
Here are examples of logs where the usernames are hidden:
ciscoasa %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.251 : user = ***** : user IP = 94.206.145.20
ciscoasa %ASA-6-113014: AAA authentication server not accessible : server = 192.168.1.251 : user = *****
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 42.93.122.26
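The three message types quoted above (113005, 113014, 113015) share a simple "key = value" layout separated by " : ", which makes them easy to parse on the syslog side. The following is an added example, not something posted in this thread or part of Cisco's own tooling: it parses lines of that shape, flags the masked "*****" username (the ASA's default behaviour before `no logging hide username` is applied), and counts rejections per source IP so that a run of rejects like the one described can be spotted automatically. The sample lines are constructed for the example and modelled on the messages quoted in the question; the threshold value is an assumption you would tune to your own environment.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ASA messages quoted in the question.
# Addresses and usernames are placeholders, not real hosts or accounts.
SAMPLE_LOGS = """\
ciscoasa %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.251 : user = ***** : user IP = 94.206.145.20
ciscoasa %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.251 : user = ***** : user IP = 94.206.145.20
ciscoasa %ASA-6-113014: AAA authentication server not accessible : server = 192.168.1.251 : user = *****
ciscoasa %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 42.93.122.26
ciscoasa %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 42.93.122.26
ciscoasa %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.251 : user = jdoe : user IP = 10.0.0.5
"""

# %ASA-<severity>-<six-digit message id>: <body>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")

# Message IDs that represent a rejected authentication (taken from the question).
REJECT_IDS = {"113005", "113015"}

# Placeholder the ASA substitutes for the username while "logging hide username" is active.
MASKED_USER = "*****"


def parse_asa_aaa(line):
    """Parse one ASA AAA syslog line into a dict; return None for non-ASA lines.

    The body is split on " : ". The first piece is the message text; pieces of the
    form "key = value" become fields (spaces in keys become underscores, e.g.
    "user IP" -> "user_ip"); pieces without "=" (such as "local database") are kept
    under "notes".
    """
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"id": m.group("id"), "severity": int(m.group("sev"))}
    parts = [p.strip() for p in m.group("body").split(" : ")]
    rec["text"] = parts[0]
    for part in parts[1:]:
        if " = " in part:
            key, value = part.split(" = ", 1)
            rec[key.strip().lower().replace(" ", "_")] = value.strip()
        else:
            rec.setdefault("notes", []).append(part)
    # True when the ASA hid the username; a high masked ratio means the
    # "no logging hide username" setting from the accepted answer is not in effect.
    rec["user_masked"] = rec.get("user") == MASKED_USER
    return rec


def rejected_by_source(lines):
    """Aggregate rejected authentications per source IP.

    Returns {user_ip: {"rejects": n, "masked": n, "users": set_of_visible_names}}.
    Messages without a "user IP" field (e.g. 113014) are not rejections and are skipped.
    """
    stats = defaultdict(lambda: {"rejects": 0, "masked": 0, "users": set()})
    for line in lines:
        rec = parse_asa_aaa(line)
        if not rec or rec["id"] not in REJECT_IDS:
            continue
        entry = stats[rec.get("user_ip", "unknown")]
        entry["rejects"] += 1
        if rec["user_masked"]:
            entry["masked"] += 1
        else:
            entry["users"].add(rec["user"])
    return stats


def flag_sources(lines, threshold=20):
    """Return source IPs with at least `threshold` rejections, sorted.

    The default of 20 mirrors the run length mentioned in the question; it is an
    assumption, not a vendor recommendation.
    """
    return sorted(src for src, e in rejected_by_source(lines).items()
                  if e["rejects"] >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    # Threshold lowered to 2 only because the constructed sample is short.
    for src in flag_sources(lines, threshold=2):
        e = rejected_by_source(lines)[src]
        print(f"{src}: {e['rejects']} rejects, {e['masked']} with hidden username, "
              f"visible users = {sorted(e['users']) or '-'}")
```

Run against the constructed sample this reports two sources at threshold 2; the "masked" count per source tells you how many of the rejects would still carry no username until the hide setting is turned off, which is the gap the question describes. On a real syslog feed you would run `flag_sources` over a time window rather than over the whole file.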
03-04-2025 05:40 AM
@ev4ld configure the command no logging hide username to show invalid usernames in syslog messages.
03-04-2025 06:03 AM
thanks!