kostasthedelegate
Enthusiast

Logs of RA VPN

Hello, 

 

I have several profiles of RA VPN.

In all of them I use the traffic filter option.

In addition, I have the "Bypass Access Control policy for decrypted traffic" ticked.

 

The problem I have is that I do not see the logs of VPN activity in the events. I only see some events to the broadcast IP or the Gateway IP of the VPN.

 

Is there something I have to enable?

Or if the Events are not the place to see the activity of the VPN, where should I see it?

The extended access lists I use have the logging enabled.

 

Regards, 

Konstantinos

6 REPLIES
Aref Alsouqi
VIP Rising star

Can you share please the sanitised screenshots of how you configured the logging on the FMC?

Marius Gunnerud
VIP Advisor

I believe you can see these logs in Devices > VPN > Troubleshooting

If you want these logs sent to a syslog server, you need to configure this under Platform Settings > Syslog > Logging

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/firepower_threat_defense_vpn_troubleshooting.html

 

--
Please remember to select a correct answer and rate helpful posts
kostasthedelegate
Enthusiast

Hello, 

The logs in Devices > VPN > Troubleshooting show only log off and log on actions. 

I have not seen any traffic related events.

Exactly what type of traffic related events are you looking for?

There are a couple other places you can look. Under Analysis > Users > Active Sessions provides info on the user, the AnyConnect client they are using, public IP, etc.

Under Analysis > Users > User Activity provides connection duration details, throughput, details, etc.

--
Please remember to select a correct answer and rate helpful posts
kostasthedelegate
Enthusiast

I would like to see the traffic allowed or blocked on a user.

 

For example I have an access list on traffic filter that allows only RDP. 

This traffic was blocked and I could not see why. 

Where could I see that kind of traffic?

Hmm... I wonder if it is the "Bypass Access Control policy for decrypted traffic" that is the issue here. I suggest, if possible, to create an ACP entry that matches your VPN traffic allowing what you want them to be able to reach on your inside network and enable logging on that entry. You should then be able to see this traffic in connection events.

Otherwise, if that is not what you want, I do not believe it is possible to view the traffic other than what I posted earlier.

--
Please remember to select a correct answer and rate helpful posts