rvarelac
Level 7

System logging is a method of collecting messages from devices, either on an external server or locally on the device (logging buffer).

 

ASA VPN Logging

The logging class commands let us select the specific logs we want to trap. They can be sent to ASDM, the console, the buffer, the monitor, or an external server.

Logging timestamp: Adds a timestamp to the logs.

Logging class ca: Useful for certificate authentication problems on Site-to-Site and AnyConnect.

Logging class csd: Logs the events related to the Cisco Secure Desktop and Hostscan.

Logging class DAP: Logs the events related to the Dynamic Access Policy for the VPN client.

Logging class svc: Logs events related to AnyConnect connections.
    
Logging class vpdn: Logs events related to PPTP and L2TP.

Logging class vpn: Logs events related to the ISAKMP and IPsec process.

Logging class vpnc: Logs events related to the VPN IPSEC client.

Logging class vpnfo: Logs events related to the VPN in a failover environment.

Logging class vpnlb: Logs events related to the VPN in a load balance environment.

Logging class webfo: Logs events related to the webvpn in a failover environment.

Logging class webvpn: Logs events related to the webvpn process.

Logging class auth: Useful to check the AAA logs of the VPN clients.


Example of the use of the command:

ciscoasa(config)# logging class csd asdm  ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
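
A worked configuration using the classes listed above, as an added example that is not part of the original post. The interface name `inside`, the syslog server address 192.0.2.10, the buffer size and the severity choices are assumptions to adapt to your environment.

```cisco
! Added example: values marked (assumed) are placeholders, not from the original post
logging enable
logging timestamp
! Larger local buffer so VPN debugging output is not overwritten quickly (assumed size)
logging buffer-size 1048576
! Baseline severity for the local buffer
logging buffered warnings
! Set a more verbose severity for the VPN-related classes in the buffer only
logging class vpn buffered debugging
logging class svc buffered debugging
logging class dap buffered debugging
! External syslog server (assumed interface name and address)
logging host inside 192.0.2.10
! Baseline severity for the syslog server
logging trap warnings
! Send AAA and certificate events to the server at informational level
logging class auth trap informational
logging class ca trap informational
! Review destinations, severities and the buffered messages
show logging
```

Keeping debugging-level output in the buffer and sending only the auth and ca classes to the server limits the volume the syslog collector has to handle while a VPN problem is being investigated.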


Router VPN logging:

service timestamps debug datetime msec: Add a timestamp in microseconds to the debugs.

service timestamps log datetime msec: Add a timestamp in microseconds to the logs.

Logging dmvpn: Logs events related to DMVPN.

Crypto logging ezvpn: Logs events related to the EZVPN connections.

Crypto logging ikev2: Logs events related to the IKEv2 sessions.

Crypto logging session: Logs events related to the up/down status of the IPsec tunnels.

 

If you need more information on the router, you can enable the following debugs:

  • debug crypto isakmp
  • debug crypto isakmp error
  • debug crypto isakmp ha
  • debug crypto ipsec
  • debug crypto ipsec error
  • debug crypto routing
  • debug crypto ha
  • debug crypto engine error
  • debug crypto engine packet

 

Hope it helps

- Randy -

Comments
alvanorichie
Level 1

I am having issues with consistent field extraction using the cisco:asa sourcetype. The fields are very inconsistently parsed, many times making 4 or 5 events out of a single event, even separating a line in the middle of a word.

I am currently accepting syslog for these devices using rsyslog, and I am monitoring the file generated for the specific device on the local filesystem. I am running version 3.2.0 of the Splunk Add-on for Cisco ASA. I am running version 3.0.3 of Cisco Security Suite. Am I missing something? VPN is Express
