
AnyConnect Tracking Connections and Disconnections

Josh Adamson
Level 1

Hello,

 

I am trying to track when users connect to AnyConnect and also when they disconnect, per a client request. I know that the ASA will not show this history except for the current connections. I have set up a syslog server and tried with message ID lists as well as class, and I am only getting some logs when a user disconnects. Has anyone done this before, or does anyone know the log ID to create the list? I have tried searching the buffer as well to get the ID, with no luck.

 

Configuration below:

 

logging enable
logging timestamp
no logging hide username
logging list VPN_Connections message 722022
logging list VPN_Connections message 722023
logging list VPN_Connections message 722024
logging list VPN_Connections message 722021
logging buffer-size 1048576
logging console informational
logging monitor informational
logging buffered informational
logging trap VPN_Connections
logging asdm informational
logging host inside 10.0.20.7

 

and tried

 

logging enable
logging timestamp
no logging hide username
logging buffer-size 1048576
logging console informational
logging monitor informational
logging buffered informational
logging asdm informational
logging host inside 10.0.20.7
logging class auth trap informational
logging class vpnc trap informational
logging class webvpn trap informational
logging class svc trap informational

2 Replies

Francesco Molino
VIP Alumni

Hi

 

You should track the following syslog IDs: 716001 and 716002.

 

Take a look here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs8.html#con_4776945

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I tried these, and for some reason it did not send the message IDs to the syslog server. However, I did the following and get the info I need with a little extra, but I think it will work...

 

logging enable
logging timestamp
no logging hide username
logging list VPN level informational class vpnc
logging list VPN level informational class webvpn
logging list VPN level informational class svc
logging buffer-size 1048576
logging console informational
logging monitor informational
logging buffered informational
logging trap VPN
logging asdm informational
logging host inside 10.0.20.7

 

2018-03-02 08:03:30 Local4.Info 192.168.105.1 Mar 02 2018 08:03:30: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> UDP SVC connection terminated without compression
2018-03-02 08:03:30 Local4.Warning 192.168.105.1 Mar 02 2018 08:03:30: %ASA-4-722037: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> SVC closing connection: Transport closing.
2018-03-02 08:03:30 Local4.Info 192.168.105.1 Mar 02 2018 08:03:30: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> TCP SVC connection terminated without compression
2018-03-02 08:06:40 Local4.Warning 192.168.105.1 Mar 02 2018 08:06:40: %ASA-4-722041: TunnelGroup <VPN_TUNNEL> GroupPolicy <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> No IPv6 address available for SVC connection
2018-03-02 08:06:40 Local4.Notice 192.168.105.1 Mar 02 2018 08:06:40: %ASA-5-722033: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> First TCP SVC connection established for SVC session.
2018-03-02 08:06:40 Local4.Info 192.168.105.1 Mar 02 2018 08:06:40: %ASA-6-722022: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> TCP SVC connection established without compression
2018-03-02 08:06:40 Local4.Info 192.168.105.1 Mar 02 2018 08:06:40: %ASA-6-722055: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> Client Type: Cisco AnyConnect VPN Agent for Windows 4.5.02036
2018-03-02 08:06:40 Local4.Warning 192.168.105.1 Mar 02 2018 08:06:40: %ASA-4-722051: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> IPv4 Address <192.168.255.146> IPv6 address <::> assigned to session
2018-03-02 08:09:50 Local4.Info 192.168.105.1 Mar 02 2018 08:09:50: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> UDP SVC connection terminated without compression
2018-03-02 08:09:50 Local4.Warning 192.168.105.1 Mar 02 2018 08:09:50: %ASA-4-722037: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> SVC closing connection: Transport closing.
2018-03-02 08:09:50 Local4.Info 192.168.105.1 Mar 02 2018 08:09:50: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> TCP SVC connection terminated without compression
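
The class-based list above delivers several messages per login and logout, so a connect/disconnect history still has to be derived on the syslog server. One way to do that, as an added example that is not part of the original thread: the function names, the sample lines (constructed, using documentation addresses) and the grouping of 722022/722033/722051 as "connect" and 722023/722037 as "disconnect" are assumptions based on the message text in the output above.

```python
import re
from datetime import datetime

# Message IDs taken from the sample output in the thread (grouping is an assumption).
CONNECT_IDS = {"722022", "722033", "722051"}  # established / address assigned
DISCONNECT_IDS = {"722023", "722037"}         # terminated / closing

LINE_RE = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msgid>\d{6}): "
    r".*?User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>"
)

def session_events(lines):
    """Return one connect/disconnect event per state change for each
    (user, public IP) pair, collapsing the per-transport duplicates."""
    state, events = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # no ASA header or no User/IP fields
        if m["msgid"] in CONNECT_IDS:
            new = "connect"
        elif m["msgid"] in DISCONNECT_IDS:
            new = "disconnect"
        else:
            continue  # other svc/webvpn messages, e.g. 722041, 722055
        key = (m["user"], m["ip"])
        if state.get(key) == new:
            continue  # same transition already recorded for this session
        state[key] = new
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts.isoformat(sep=" "), m["user"], m["ip"], new))
    return events

def _line(t, sev, msgid, text):
    # Constructed sample line in the format shown above (not real data).
    return (f"2018-03-02 {t} Local4.Info 192.0.2.1 Mar 02 2018 {t}: %ASA-{sev}-{msgid}: "
            f"Group <GP_EXAMPLE> User <alice> IP <203.0.113.10> {text}")

SAMPLE = [
    _line("08:03:30", 6, "722023", "UDP SVC connection terminated without compression"),
    _line("08:03:30", 4, "722037", "SVC closing connection: Transport closing."),
    _line("08:06:40", 5, "722033", "First TCP SVC connection established for SVC session."),
    _line("08:06:40", 6, "722022", "TCP SVC connection established without compression"),
    _line("08:06:40", 6, "722055", "Client Type: Cisco AnyConnect VPN Agent for Windows"),
    _line("08:09:50", 4, "722037", "SVC closing connection: Transport closing."),
]

if __name__ == "__main__":
    for event in session_events(SAMPLE):
        print(*event)
```

A disconnect with no earlier connect in the input, as in the first sample line, is still reported; it means the session began before the log window.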
