
FTD RA VPN Logs

alex.f.
Level 1

Hi,

I am trying to find some information on Remote Access or mail ingress/egress activities in an FTD 3110 tech support file or on the device itself.

I don't have any access to the FMC.

 


Do you want the FTD to always debug the connection from AnyConnect?
MHM

alex.f.
Level 1

Hi,
My question is whether it is possible to extract connection information from the tech support file of an FTD afterwards, which provides information about malicious network activities to a device in the local network.

For example, I am looking for successful RA VPN dial-ins by users or access to certain ports.

 

Most historical logs (including the type you are asking about) are streamed to the managing FMC in near real time and then deleted on the local device.

Thanks for the feedback, unfortunately I already suspected this.

We are currently trying to restore the FMC data.
But this may take a few more weeks.

Did you check

Show vpn sessiondb anyconnect detail 

This can be accessed from the CLI of the FTD; it gives you a brief of which users are connected to your FTD now.

MHM

The command "Show vpn sessiondb anyconnect detail" will only show current connections with details (such as username, user IP real address, assigned VPN address, connection profile, tunnel-group, duration etc.).

It will not show details of any previous sessions.

Thanks, but even the FMC doesn't keep this info for a long time (without external syslog).

If a user accesses the FTD via SSL VPN and its idle timeout has not ended, he can see its details via show vpn sessiondb.

MHM
