
Logs of RA VPN

Hello,

I have several profiles of RA VPN.

In all of them I use the traffic filter option.

In addition, I have the "Bypass Access Control policy for decrypted traffic" ticked.

The problem I have is that I do not see the logs of VPN activity in the events. I only see some events to the broadcast IP or the Gateway IP of the VPN.

Is there something I have to enable?

Or, if the Events are not the place to see the activity of the VPN, where should I see it?

The extended access lists I use have the logging enabled.

Regards,

Konstantinos

8 Replies

Can you please share the sanitised screenshots of how you configured the logging on the FMC?

I believe you can see these logs in Devices > VPN > Troubleshooting.

If you want these logs sent to a syslog server, you need to configure this under Platform Settings > Syslog > Logging.

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/firepower_threat_defense_vpn_troubleshooting.html

--
Please remember to select a correct answer and rate helpful posts

Hello, 

The logs in Devices > VPN > Troubleshooting show only log off and log on actions. 

I have not seen any traffic related events.

Exactly what type of traffic related events are you looking for?

There are a couple other places you can look.  Under Analysis > Users > Active Sessions provides info on the user, the AnyConnect client they are using, public IP, etc.

Under Analysis > Users > User Activity provides connection duration details, throughput, details, etc.

--
Please remember to select a correct answer and rate helpful posts

Hi,

Do I have some kind of log on the FTD itself?

I am looking for some VPN activities of the last 48 hours.

Make a new post, it is better.

MHM

I would like to see the traffic allowed or blocked on a user.

For example, I have an access list on the traffic filter that allows only RDP.

This traffic was blocked and I could not see why. 

Where could I see that kind of traffic?

Hmm...I wonder if it is the "Bypass Access Control policy for decrypted traffic" that is the issue here.  I suggest, if possible, to create an ACP entry that matches your VPN traffic allowing what you want them to be able to reach on your inside network and enable logging on that entry.  You should then be able to see this traffic in connection events.

Otherwise, if that is not what you want, I do not believe it is possible to view the traffic other than what I posted earlier.

--
Please remember to select a correct answer and rate helpful posts