3024 Views | 5 Helpful | 6 Replies

Logs of RA VPN

Hello, 


I have several profiles of RA VPN

In all of them I use the traffic filter option.

In addition, I have the "Bypass Access Control policy for decrypted traffic" ticked.


The problem I have is that I do not see the logs of VPN activity in the events. I only see some events to the broadcast IP or the Gateway IP of the VPN.


Is there something I have to enable?

Or, if the Events are not the place to see the activity of the VPN, where should I see it?

The extended access lists I use have the logging enabled.


Regards, 

Konstantinos

6 Replies

Can you please share sanitised screenshots of how you configured the logging on the FMC?

I believe you can see these log in Devices > VPN > Troubleshooting

If you want these logs sent to a syslog server, you need to configure this under Platform Settings > Syslog > Logging

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/firepower_threat_defense_vpn_troubleshooting.html


--
Please remember to select a correct answer and rate helpful posts

Hello, 

The logs in Devices > VPN > Troubleshooting show only log off and log on actions. 

I have not seen any traffic related events.

Exactly what type of traffic-related events are you looking for?

There are a couple of other places you can look. Analysis > Users > Active Sessions provides info on the user, the AnyConnect client they are using, public IP, etc.

Analysis > Users > User Activity provides connection duration, throughput, and other details.

--
Please remember to select a correct answer and rate helpful posts

I would like to see the traffic allowed or blocked on a user


For example I have an access list on traffic filter that allows only RDP. 

This traffic was blocked and I could not see why. 

Where could I see that kind of traffic?

Hmm...I wonder if it is the "Bypass Access Control policy for decrypted traffic" that is the issue here.  I suggest, if possible, to create an ACP entry that matches your VPN traffic allowing what you want them to be able to reach on your inside network and enable logging on that entry.  You should then be able to see this traffic in connection events.

Otherwise, if that is not what you want, I do not believe it is possible to view the traffic other than what I posted earlier.

--
Please remember to select a correct answer and rate helpful posts
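The asker's traffic-filter ACLs already have logging enabled, and the first reply points to Platform Settings > Syslog for getting those logs off the device. An ACE carrying the log keyword emits the %ASA-6-106100 message (ACL name, permitted or denied, protocol, source and destination with ports, hit count), which is where a blocked RDP attempt from a VPN client would appear once syslog is exported. The Python script below is an added example, not code from this thread or from Cisco: it parses a constructed syslog export (the hostname ftd-01, the ACL name RA_VPN_FILTER and all addresses are made up) and lists the flows the filter denied for one client's assigned VPN address.

```python
import re
from collections import Counter

# Pattern for the %ASA-6-106100 message that an ACE with the "log" keyword
# emits. Named groups: ACL name, permitted/denied, protocol, interface/host
# (port) on each side, and the hit counter that follows "hit-cnt".
ACL_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>[\w.-]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[\w.-]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample syslog export (hostname, ACL name and addresses are
# made up, not taken from a real device). 10.10.200.0/24 plays the role of
# the RA VPN address pool; the 302013 line is included to show that
# non-ACL messages are skipped.
SAMPLE_SYSLOG = """\
<166>Mar 10 2020 09:15:01 ftd-01 : %ASA-6-106100: access-list RA_VPN_FILTER permitted tcp outside/10.10.200.15(51012) -> inside/10.20.1.40(3389) hit-cnt 1 first hit [0x3f2a9c1b, 0x00000000]
<166>Mar 10 2020 09:15:03 ftd-01 : %ASA-6-106100: access-list RA_VPN_FILTER denied tcp outside/10.10.200.15(51013) -> inside/10.20.1.40(445) hit-cnt 1 first hit [0x3f2a9c1c, 0x00000000]
<166>Mar 10 2020 09:15:04 ftd-01 : %ASA-6-106100: access-list RA_VPN_FILTER denied udp outside/10.10.200.15(51014) -> inside/10.20.1.53(53) hit-cnt 3 300-second interval [0x3f2a9c1d, 0x00000000]
<166>Mar 10 2020 09:15:05 ftd-01 : %ASA-6-302013: Built inbound TCP connection 1234 for outside:10.10.200.15/51012 (10.10.200.15/51012) to inside:10.20.1.40/3389 (10.20.1.40/3389)
<166>Mar 10 2020 09:15:06 ftd-01 : %ASA-6-106100: access-list RA_VPN_FILTER denied tcp outside/10.10.200.22(40001) -> inside/10.20.1.40(3389) hit-cnt 1 first hit [0x3f2a9c1e, 0x00000000]
"""


def parse_acl_log(text):
    """Return one dict per 106100 line; lines with other message IDs are skipped."""
    records = []
    for line in text.splitlines():
        match = ACL_LOG_RE.search(line)
        if not match:
            continue
        record = match.groupdict()
        for key in ("sport", "dport", "hits"):
            record[key] = int(record[key])
        records.append(record)
    return records


def denied_for_client(records, client_ip):
    """Flows the filter denied for one client's assigned VPN address, in log order."""
    return [
        (r["acl"], r["proto"], r["dst"], r["dport"], r["hits"])
        for r in records
        if r["action"] == "denied" and r["src"] == client_ip
    ]


def deny_summary(records):
    """Total denied hits per (acl, proto, dst, dport), to spot a gap in the filter."""
    totals = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[(r["acl"], r["proto"], r["dst"], r["dport"])] += r["hits"]
    return totals


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_SYSLOG)
    print(f"{len(recs)} ACL log entries parsed")
    for entry in denied_for_client(recs, "10.10.200.15"):
        print("denied:", entry)
    for key, hits in deny_summary(recs).most_common():
        print(f"{hits:4d} hits  {key}")
```

Run against a real export, the denied entries for the client's pool address answer the "why was it blocked" question directly, since the message names the ACL that dropped the flow. A flow that shows as permitted here but never produces a connection event is the case the last reply describes: with "Bypass Access Control policy for decrypted traffic" ticked, the decrypted traffic never reaches the Access Control policy, so the filter ACL's syslog messages are the only per-flow record.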