Show applied dap policies in FTD

carl_townshend
Spotlight

Hi All

Does anyone know if it's possible to see which DAP policies or ACLs are applied to a Remote Access VPN session on the FTD?

We can do it in ASDM on our ASA, but where can we find this info on the FTD?

Cheers

6 Replies

@carl_townshend To see what was applied to an actual user session, the "Remote Access VPN Dashboard" on the FMC may display this information (I don't have access to confirm). Otherwise, from the FTD CLI run "show vpn-sessiondb detail anyconnect" and filter on the user to see what has been applied.

Hi Rob

I just tried that command on my ASA and it does not show you the DAP records applied.

@carl_townshend For example, if you assign an ACL via the DAP, this will appear as "Filter Name: <name of ACL>" when you look at the session using the "show vpn-sessiondb detail anyconnect" command. Example of that scenario here - https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200238-ASA-VPN-posture-with-CSD-DAP-and-AnyCon.html

carl_townshend
Spotlight

We just get the below

There is no such ACL as DAP-ip-user-60A28A09 on our ASA.

SSL-Tunnel:
  Tunnel ID    : 1237.2
  Assigned IP  : x.x.x.x                Public IP    : x.x.x.x
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 51761
  TCP Dst Port : 443                    Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes
  Conn Time Out: 720 Minutes            Conn TO Left : 469 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.10.04065
  Bytes Tx     : 11198                  Bytes Rx     : 894
  Pkts Tx      : 18                     Pkts Rx      : 17
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Filter Name  : DAP-ip-user-60A28A09

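The checks in the replies above (run "show vpn-sessiondb detail anyconnect", find the user, read the per-tunnel "Filter Name") are easy to automate when you have many sessions. The script below is an added example, not code from the thread or from Cisco: it parses pasted CLI output and flags sessions whose filter name starts with "DAP-ip-user-", which is how the dynamically generated ACL in the output above is named. It assumes the FTD LINA output has the same layout as the ASA output (as stated later in the thread), and that this prefix marks a DAP-built ACL; the sample output and user names are constructed for the example.

```python
"""Summarise which AnyConnect sessions carry a DAP-generated ACL.

Added example (not from the thread or from Cisco). It parses the text of
"show vpn-sessiondb detail anyconnect" as pasted from an ASA/FTD LINA CLI.
Assumptions: the FTD prints the same layout as the ASA, and a Filter Name
beginning with "DAP-ip-user-" is a dynamic ACL assembled by DAP.
"""
import re

# Assumption: prefix of the dynamic ACL name that DAP assigns (seen in the thread).
DAP_ACL_PREFIX = "DAP-ip-user-"

# Constructed sample modelled on the ASA layout; not captured from a real device.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 1237
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : GP-Employees           Tunnel Group : TG-Employees
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 1237.1
  Client OS    : Windows
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.10.04065
SSL-Tunnel:
  Tunnel ID    : 1237.2
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 51761
  Filter Name  : DAP-ip-user-60A28A09

Username     : bob                    Index        : 1238
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : GP-Contractors         Tunnel Group : TG-Contractors

AnyConnect-Parent:
  Tunnel ID    : 1238.1
SSL-Tunnel:
  Tunnel ID    : 1238.2
  Filter Name  : ACL-CONTRACTORS

Username     : carol                  Index        : 1239
Assigned IP  : 10.10.10.7             Public IP    : 198.51.100.12
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : GP-Employees           Tunnel Group : TG-Employees

AnyConnect-Parent:
  Tunnel ID    : 1239.1
SSL-Tunnel:
  Tunnel ID    : 1239.2
  Encryption   : AES-GCM-256            Hashing      : SHA384
"""

# A session starts at a column-0 "Username : ..." line. Tunnel subsections are
# column-0 headers such as "SSL-Tunnel:" followed by indented key/value lines;
# the Filter Name lives inside those subsections, not at session level.
SESSION_START = re.compile(r"^Username\s*:", re.M)
TUNNEL_BLOCK = re.compile(r"^([\w-]+-Tunnel|AnyConnect-Parent):\n((?:[ \t]+.*\n?)*)", re.M)


def split_sessions(text):
    """Cut the output into one text block per session."""
    starts = [m.start() for m in SESSION_START.finditer(text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]


def field(block, name):
    """Return the first value of a 'name : value' field that starts a line."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(\S+)", block, re.M)
    return m.group(1) if m else None


def summarize(block):
    """Collect username, group policy and per-tunnel filter names for one session."""
    filters = {}
    for m in TUNNEL_BLOCK.finditer(block):
        name = field(m.group(2), "Filter Name")
        if name:
            filters[m.group(1)] = name
    return {
        "username": field(block, "Username"),
        "group_policy": field(block, "Group Policy"),
        "filters": filters,
        "dap_applied": any(f.startswith(DAP_ACL_PREFIX) for f in filters.values()),
    }


def report(text):
    return [summarize(b) for b in split_sessions(text)]


def dap_sessions(text):
    """Usernames whose session carries a DAP-generated ACL."""
    return [s["username"] for s in report(text) if s["dap_applied"]]


if __name__ == "__main__":
    for s in report(SAMPLE_OUTPUT):
        tag = "DAP" if s["dap_applied"] else "   "
        print(f"{tag} {s['username']:<8} {s['group_policy']:<16} {s['filters'] or '(no filter)'}")
```

The script only tells you that a DAP-built ACL is in force and on which tunnel; the ACL's contents and the DAP record(s) that produced it are not in the session output, which is what the later replies about "debug dap trace" and DART are for.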
debug dap trace <<- use this debug to check whether the server sends a DAP or not, and what the name of the DAP is

MHM

Marvin Rhoads
Hall of Fame

I believe you can only get these via a DART file (from the client) or from a debug (on the FTD headend). The LINA engine in FTD handles DAP pretty much the same as an ASA does, so the following article (old but mostly relevant) may help:

https://community.cisco.com/t5/security-knowledge-base/information-to-acquire-for-dap-troubleshooting/ta-p/3145426

The RA VPN dashboard and the show command mentioned by @Rob Ingram unfortunately do not reveal this info. See sample output from the show command here (see Step 6):

https://docs.defenseorchestrator.com/t_verify-remote-access-vpn-configuration-of-asa.html
