01-25-2014 06:55 PM - edited 03-11-2019 08:35 PM
Background:
Usually when we have a problem with a VPN user attempting to connect
to an inside service, we turn to our ASA syslogs to determine where the
connection is being prohibited (or other errors, such as the user trying
to connect to the wrong machine). This works fine for normally configured
(UNIX) servers which send an ICMP reject message. Recently we had to
diagnose problems connecting to an inside Windows device, and although
the VPN client had attempted to connect, no log message was produced
because the connection never got a TCP RST nor ICMP reject.
From what I can suss out from MSDN, turning off "stealth mode" on Windows
boxes to return those boxes to sane ICMP reject behavior is either not completely
supported, or at the very least misguidedly discouraged by Microsoft, and so I
might not be able to convince various Windows administrators to alter this policy.
Question:
Is there a way to get log messages bearing the IP tuples for TCP and/or UDP
incomplete connections where the ASA sees only packets destined for an inside host?
This would be for a small number (<50) of VPN remote clients, so we
are not very worried about a DDoS saturating the logs -- these packets are
not attacks, just mistakes.
We would need this to happen even for single packets, and without actually
dropping traffic from the initiator, so threat-detection probably won't do the
trick here, unless it can be made to audit-only on single packets.
VPN is all this ASA device is doing, so it can likely afford the CPU for configurations
normally deemed too CPU intense.
01-26-2014 03:48 AM
Hi,
Wouldn't you be essentially looking for connection "Teardown" messages with reason SYN Timeout? As this should be the result if either the ASA doesn't see the return SYN ACK or the last ACK from the connection initiator? This would usually be generated after 20-30 seconds if the connection doesn't form.
I am not really sure about the UDP. Rarely have to troubleshoot UDP connections. The very rare cases usually relate to Video/Voice and in there I usually see ICMP messages returned for a port that the destination device is not listening on. And while troubleshooting these I tend to take captures on the actual ASA.
Think the Teardown Syslog ID for TCP connections is ASA-6-302013
This is usually the first Syslog ID I look for from the server when someone reports a problem with connectivity.
By default it's an Informational level log message, or naturally it can be changed to something else if your logging is for example set to Notifications.
Here's the link to the Cisco document about this log message
http://www.cisco.com/en/US/docs/security/asa/syslog-guide/logmsgs.html#wp6941209
- Jouni
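To show how the teardown messages described above answer the original question, here is an added example (not code from the thread or from Cisco) that pulls the IP tuples of handshakes that never completed out of ASA syslog. It matches the TCP teardown message, ID 302014 (302013 is the matching "Built" message), and keeps only teardowns whose reason is "SYN Timeout" with zero bytes, which is exactly what a host that sends neither RST nor ICMP looks like from the ASA's side. The sample log lines are constructed for the example; the interface names, addresses and connection numbers are made up.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not taken from the original thread).
SAMPLE_SYSLOG = """\
Jan 26 2014 03:40:01 asa1 %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.10/445 (10.0.0.10/445)
Jan 26 2014 03:40:31 asa1 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/51234 to inside:10.0.0.10/445 duration 0:00:30 bytes 0 SYN Timeout
Jan 26 2014 03:41:02 asa1 %ASA-6-302014: Teardown TCP connection 4712 for outside:203.0.113.5/51240 to inside:10.0.0.20/22 duration 0:05:12 bytes 8192 TCP FINs
Jan 26 2014 03:41:05 asa1 %ASA-6-302014: Teardown TCP connection 4713 for outside:203.0.113.7/60010 to inside:10.0.0.10/3389 duration 0:00:30 bytes 0 SYN Timeout
"""

# 302014 is the TCP "Teardown" message; the free text after "bytes N" is the teardown reason.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\S+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?: \([^)]*\))? to "
    r"(?P<dst_if>\S+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)(?: \([^)]*\))? "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

def parse_teardown(line):
    """Return the fields of a TCP teardown message as a dict, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("conn", "src_port", "dst_port", "bytes"):
        d[key] = int(d[key])
    d["reason"] = d["reason"].strip()
    return d

def silent_targets(log_text):
    """Teardowns with reason 'SYN Timeout' and zero bytes: the ASA forwarded the SYN but
    never saw a SYN/ACK, RST or ICMP reject, i.e. a silent ('stealth mode') inside host."""
    hits = []
    for line in log_text.splitlines():
        d = parse_teardown(line)
        if d and d["reason"] == "SYN Timeout" and d["bytes"] == 0:
            hits.append((d["src_ip"], d["src_port"], d["dst_ip"], d["dst_port"]))
    return hits

def summarize_by_destination(hits):
    """Count timed-out attempts per inside (ip, port) so the silent service stands out."""
    return Counter((dst_ip, dst_port) for _, _, dst_ip, dst_port in hits)

if __name__ == "__main__":
    hits = silent_targets(SAMPLE_SYSLOG)
    for src_ip, src_port, dst_ip, dst_port in hits:
        print(f"{src_ip}:{src_port} -> {dst_ip}:{dst_port}  no SYN/ACK seen")
    for (dst_ip, dst_port), n in summarize_by_destination(hits).items():
        print(f"{dst_ip}:{dst_port}  {n} timed-out attempt(s)")
```

The messages only appear if logging for 302014 is enabled at a level your logging destination accepts, so check that before relying on the output.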
01-26-2014 11:02 PM
For live troubleshooting the following command is useful:
show conn detail long
Silent servers are marked with SAa flags.