03-27-2012 06:56 AM - edited 03-11-2019 03:47 PM
Hi Guys,
I am analyzing Cisco VPN logs. The 113009 message ID log contains the group name for that particular user; when he logs out, the 113019 log is sent, which has a different group name.
Can you tell me what is the difference between the two groups?
Thanks,
M.Viswesh.
03-27-2012 07:24 AM
Hi,
I think the syslog ID 113009 message refers to the Group Policy that was applied to the user.
The syslog ID 113019 message seems to refer to the tunnel-group name.
What device are the VPNs on and what software version?
- Jouni
03-27-2012 07:46 AM
Jouni,
Thanks a lot, Jouni. Do the values depend on the Cisco model and software version? Because in our network we have more than 10 firewalls (I don't know the versions used). I am analyzing the logs to create reports.
Can you explain to me what a tunnel group name is? Sorry for the basic questions.
Thanks in advance,
M.Viswesh
03-27-2012 08:02 AM
Hi,
I'm not sure if the type of device and software matter but just wanted to make sure.
I'm not sure if I got the syslog ID right.
"tunnel-group" is the name of the connection.
With Cisco IPsec VPN Client connections you use the tunnel-group name as the Group name when you are configuring the VPN connection in your VPN Client software. The pre-shared-key in that situation is the password.
The very basic configuration for an L2L VPN tunnel-group would be something like this (for the whole connection you of course need a lot more configuration, but the tunnel-group configuration has at least the "pre-shared-key" configuration):
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key ThisIsThekey
For a VPN Client connection the tunnel-group configuration could look something like this (again, not a full configuration):
tunnel-group REMOTE-USER-VPN-01 type ipsec-ra
tunnel-group REMOTE-USER-VPN-01 general-attributes
 address-pool REMOTE-VPN-POOL
 default-group-policy REMOTE-USER-VPN-01-GP
tunnel-group REMOTE-USER-VPN-01 ipsec-attributes
 pre-shared-key ThisIsThekey
- Jouni
03-27-2012 08:21 AM
Jouni the quick fire,
Thanks a lot, man. I don't need L2L VPN. For remote client VPN, why does the group name differ? Let me post the logs for you.
<166>Feb 21 2011 10:31:58 FO-ELD-ASA : %ASA-6-113009: AAA retrieved default group policy (GP-FTO-ELD-VPNGROUP) for user = dclem@gmail.com
<164>Feb 21 2011 11:47:14 FO-ELD-ASA : %ASA-4-113019: Group = portal2PROFILE, Username = dclem@gmail.com, IP = 67.xxx.108.162, Session disconnected. Session Type: SSL, Duration: 1h:15m:16s, Bytes xmt: 1831910, Bytes rcv: 365237, Reason: Idle Timeout.
In the above logs, which one should I take as the group? The group is different for the login and logout logs.
Thanks in advance.
M.Viswesh
03-27-2012 08:42 AM
Hi,
The first message tells that after the user (with the mentioned username) logged in, his connection was applied with the configurations/rules under the "group-policy GP-FTO-ELD-VPNGROUP" on the ASA. The group-policy basically just lets you define some specific settings for the actual VPN connection, like which networks the user is allowed to access through the VPN.
show run group-policy displays all the group-policies configured on your ASA.
The second message's group tells the name of the actual VPN profile/connection the user was using.
show run tunnel-group displays all the tunnel-groups configured on your ASA.
You should find the above group-policy GP-FTO-ELD-VPNGROUP configured under the tunnel-group configurations.
So,
portal2PROFILE = tunnel-group = VPN connection's name
GP-FTO-ELD-VPNGROUP = group-policy = Contains additional settings for all the users using the VPN connection named portal2PROFILE
Hope this clarifies the thing a bit. I'm not sure if I was able to explain it any better.
Please rate if it was any help
- Jouni
03-27-2012 10:55 PM
Jouni,
Thanks a lot. It helped a lot
03-27-2012 11:07 PM
Hi Jouni,
I see that the 113011 message ID log shows a user specific group policy. What is the difference between these two logs?
But I see they have different names.
<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113011: AAA retrieved user specific group policy (AWA-VPN-GP02) for user = ktakepoochi
<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113009: AAA retrieved default group policy (NOACCESS) for user = ktakepoochi
Regards,
M.Viswesh.
03-27-2012 11:33 PM
Hi,
I'm not 100% sure, but it seems to me that the username "ktakeuchi" has its own "group-policy" configured. If you check the username configurations under ASDM, you can see that you assign "group-policy" straight to the username.
You can also lock the username in question to some specific "tunnel-group".
I can't remember at the moment which setting overrides the other. I think there is a certain order in which the "group-policy" rules are applied. I think the settings under "username" configurations apply. If the user didn't have the "group-policy" configured under his username, the "group-policy" configured under the tunnel-group/connection name that the person is using would be applied to the user.
As I said, I'm not 100% sure. Maybe someone can confirm/correct what I just wrote.
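For the reporting task discussed in this thread, here is an added example (not code from any participant or from Cisco) that joins the 113009/113011 policy lookups with the 113019 disconnect, so each session record keeps the tunnel-group and the group-policy as separate fields. The function names and the `report_policy` choice are assumptions of this example; the sample input is constructed from the four log lines quoted above.

```python
import re
# Constructed sample: the four log lines quoted in this thread.
SAMPLE = """\
<166>Feb 21 2011 10:31:58 FO-ELD-ASA : %ASA-6-113009: AAA retrieved default group policy (GP-FTO-ELD-VPNGROUP) for user = dclem@gmail.com
<164>Feb 21 2011 11:47:14 FO-ELD-ASA : %ASA-4-113019: Group = portal2PROFILE, Username = dclem@gmail.com, IP = 67.xxx.108.162, Session disconnected. Session Type: SSL, Duration: 1h:15m:16s, Bytes xmt: 1831910, Bytes rcv: 365237, Reason: Idle Timeout.
<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113011: AAA retrieved user specific group policy (AWA-VPN-GP02) for user = ktakepoochi
<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113009: AAA retrieved default group policy (NOACCESS) for user = ktakepoochi
""".splitlines()

HEADER = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d{4} [\d:]+) (?P<host>\S+) : "
                    r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
POLICY = re.compile(r"AAA retrieved (?:default|user specific) group policy "
                    r"\((?P<policy>[^)]*)\) for user = (?P<user>\S+)")
LOGOUT = re.compile(r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
                    r"IP = (?P<ip>[^,]+), Session disconnected\. .*?"
                    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, .*?"
                    r"Reason: (?P<reason>.+?)\.?$")

def new_session(host, user):
    return {"host": host, "user": user, "tunnel_group": None,
            "default_policy": None, "user_policy": None,
            "duration_s": None, "reason": None}

def correlate(lines):
    """Join 113009 (default) / 113011 (user specific) with 113019 per host+user."""
    open_, done = {}, []
    for line in lines:
        hdr = HEADER.match(line.strip())
        if not hdr:
            continue
        host, msg_id, body = hdr["host"], hdr["id"], hdr["body"]
        if msg_id in ("113009", "113011") and (m := POLICY.search(body)):
            rec = open_.setdefault((host, m["user"]), new_session(host, m["user"]))
            rec["default_policy" if msg_id == "113009" else "user_policy"] = m["policy"]
        elif msg_id == "113019" and (m := LOGOUT.search(body)):
            rec = open_.pop((host, m["user"]), None) or new_session(host, m["user"])
            rec["tunnel_group"] = m["group"]   # "Group =" here is the tunnel-group
            rec["duration_s"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            rec["reason"] = m["reason"]
            done.append(rec)
    return done + list(open_.values())   # sessions with no logout seen stay open

def report_policy(rec):
    # Assumption of this example: report the user specific policy when one was logged.
    return rec["user_policy"] or rec["default_policy"]

if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        print(rec["user"], rec["tunnel_group"], report_policy(rec), rec["duration_s"])
```

Sessions are keyed by hostname and username because the two message types carry no shared session identifier; a user with overlapping sessions on the same ASA would need a finer key.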