[Question] How to log anyconnect sessions in syslog?

Jeffrey Warn
Level 1

I would like to know if it is possible to set up my ASA running 8.2 to log events from when my users log on and off the AnyConnect client. There was a security issue with one of our remote systems, and it has been impossible to determine who had that IP address during that time.

The IP Pool is defined on the ASA as well, so it would be nice to have the following information:

userID connected

userID disconnected

IP address associated with connection

Currently I have my logging set up as follows:

logging enable
logging timestamp
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging history informational
logging asdm informational
logging queue 3170
logging host inside 10.1.1.1
no logging message 106006
no logging message 710005

Thanks!

7 Replies

Jennifer Halim
Cisco Employee

Here is the syslog# that you are looking for:

When user logs on: syslog# 716001

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913

When user logs off: syslog# 716002

You might want to look through the list on syslog# 716xxx as they are all related to SSL VPN, you might be interested in some of them.

Hope this helps.

How would you do this for IOS router-based SSL VPNs?

Cheers

Wayne

Thanks. The 722# ones apply to the SVC stuff as well. Unfortunately, it's still limited in its usefulness. While it does show the userID connected, it shows the external IP address associated with it. I still can't seem to find a way to correlate the active SVC connection for the user to the assigned IP address from the pool.

I guess it would be nice to have a line something like:

user SVC connection terminated. P-IP 1.1.1.1 A-IP 10.1.1.1 duration 3:30:15 xmit 45456464 recv 35343242

Sort of like a summary line. Another big issue with the logging is that when a user resumes the connection, it doesn't specify the userID, just the public IP, so you would have to dig back into the logs to try and figure out who that public IP belongs to.

At the end of the day, just knowing who had what assigned IP at a given time is what really matters. I'll poke around to see if I can find any DHCP/IP pool related logging.

Update: I found this entry, but it doesn't seem to apply to SVC/WebVPN:

Error Message    %ASA-6-713228: Group = group, Username = uname, IP = remote_IP_address Assigned private IP address assigned_private_IP to remote user

Explanation    This message is generated when IKE obtains an address for the client private IP address from DHCP or from the address pool. The message specifies the IP address assigned to the client.

group—The name of the group

uname—The name of the user

remote_IP_address—The IP address of the remote client

assigned_private_IP—The client IP address assigned by DHCP or from the local address pool

This is what you are looking for, for SVC:

722051

Error Message    %ASA-6-722051: Group group-policy User username IP public-ip Address assigned-ip assigned to session

Explanation    The specified address has been assigned to the given user.

group-policy—The group policy that allowed the user to gain access

username—The name of the user

public-ip—The public IP address of the connected client

assigned-ip—The IP address that is assigned to the client

athukral
Level 1

Hello Jeffrey,

Hope you are doing fine!

Well, please mark the query answered and rate the same if you got the information you were looking for.

Thanks

Ankur Thukral

Community Manager - Security & VPN

athukral@cisco.com

Jeffrey Warn
Level 1

Just a follow-up. While the correct eventID does work, one issue that I've found is that when a user resumes a connection, they tend to get a new IP address from the pool and this is not logged. The actual log line looks something like this:

%ASA-6-725003: SSL client outside:x.x.x.x/59510 request to resume previous session.

I do see a log line with the eventID %ASA-4-113019, which is almost what I am looking for. It just doesn't include the assigned IP address:

%ASA-4-113019: Group = GROUPNAME, Username = myusername, IP = 1.1.1.1, Session disconnected. Session Type: SSL, Duration: 0h:30m:34s, Bytes xmt: 1908538, Bytes rcv: 14370, Reason: Idle Timeout

Thanks for all your help on this, I'll just have to look towards other methods to try and correlate the logs.
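Putting the three messages quoted in this thread side by side: 722051 carries username, public IP and assigned pool address; 113019 carries username, public IP, duration and reason but not the assigned address; 725003 carries only the public IP. The following is an added example, not code from any of the posts above, that parses constructed sample lines in those three formats, pairs each 722051 with its later 113019 by username and public IP, answers "who held this pool address at this time", and flags 725003 resumes that the syslog alone cannot tie to an assigned address. The timestamp prefix (how the collector stored the ASA's `logging timestamp` output), the group-policy name, usernames and addresses are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog (not from the original thread). Message bodies use
# the 722051, 113019 and 725003 formats quoted above; the leading timestamp is
# an assumption about how the collector stores the ASA's "logging timestamp"
# output. Adjust TS if your collector prefixes lines differently.
SAMPLE_LOG = """\
Mar 10 2011 08:00:12: %ASA-6-722051: Group AnyConnect-GP User alice IP 203.0.113.10 Address 10.20.0.5 assigned to session
Mar 10 2011 08:05:40: %ASA-6-722051: Group AnyConnect-GP User bob IP 198.51.100.7 Address 10.20.0.6 assigned to session
Mar 10 2011 09:31:02: %ASA-4-113019: Group = AnyConnect-GP, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 1h:30m:50s, Bytes xmt: 1908538, Bytes rcv: 14370, Reason: Idle Timeout
Mar 10 2011 09:35:15: %ASA-6-725003: SSL client outside:203.0.113.10/59510 request to resume previous session.
Mar 10 2011 10:02:00: %ASA-6-722051: Group AnyConnect-GP User carol IP 192.0.2.33 Address 10.20.0.5 assigned to session
"""

TS = r"(?P<ts>\w{3} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
ASSIGN_RE = re.compile(TS + r"%ASA-6-722051: Group (?P<group>\S+) User (?P<user>\S+) "
                            r"IP (?P<pub>\S+) Address (?P<ip>\S+) assigned to session")
DISC_RE = re.compile(TS + r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
                          r"IP = (?P<pub>[^,]+), Session disconnected\..*Duration: (?P<dur>[^,]+), "
                          r".*Reason: (?P<reason>.+)$")
RESUME_RE = re.compile(TS + r"%ASA-6-725003: SSL client [^\s:]+:(?P<pub>[\d.]+)/\d+ "
                            r"request to resume previous session\.")


def parse_ts(text):
    """Parse the assumed 'Mmm DD YYYY HH:MM:SS' prefix into a datetime."""
    return datetime.strptime(" ".join(text.split()), "%b %d %Y %H:%M:%S")


def build_sessions(lines):
    """Pair each 722051 (user, public IP, assigned IP) with its later 113019.

    113019 names the user and public IP but not the assigned address, so a
    disconnect is matched to the most recent still-open 722051 for the same
    user and public IP. Returns (sessions, notes); notes collect what the
    syslog alone cannot resolve, such as 725003 resumes."""
    sessions, notes = [], []
    for line in lines:
        m = ASSIGN_RE.match(line)
        if m:
            sessions.append({"user": m["user"], "group": m["group"], "pub": m["pub"],
                             "ip": m["ip"], "start": parse_ts(m["ts"]),
                             "end": None, "reason": None})
            continue
        m = DISC_RE.match(line)
        if m:
            open_ = [s for s in sessions
                     if s["end"] is None and s["user"] == m["user"] and s["pub"] == m["pub"]]
            if open_:
                open_[-1]["end"] = parse_ts(m["ts"])
                open_[-1]["reason"] = m["reason"]
            else:
                notes.append(f"{m['ts']}: 113019 for {m['user']} with no matching 722051")
            continue
        m = RESUME_RE.match(line)
        if m:
            # 725003 names only the public IP. Attribute it to the last user seen
            # from that public IP; if the pool handed out a new address on resume
            # there is no 722051 for it, so the assigned IP stays unknown.
            who = next((s["user"] for s in reversed(sessions) if s["pub"] == m["pub"]), "unknown")
            notes.append(f"{m['ts']}: resume from {m['pub']} (last user from that IP: {who}); "
                         "assigned IP after resume not in syslog")
    return sessions, notes


def who_had(sessions, ip, when):
    """Users whose session held pool address `ip` at time `when` (same format
    as the log timestamps). Sessions without a 113019 yet count as open."""
    t = parse_ts(when)
    return [s["user"] for s in sessions
            if s["ip"] == ip and s["start"] <= t and (s["end"] is None or t <= s["end"])]


if __name__ == "__main__":
    sessions, notes = build_sessions(SAMPLE_LOG.splitlines())
    for s in sessions:
        print(f"{s['user']:6} {s['ip']:12} {s['start']} -> {s['end'] or 'still connected'}"
              f" {s['reason'] or ''}")
    for n in notes:
        print("NOTE", n)
    print("10.20.0.5 at 09:00:", who_had(sessions, "10.20.0.5", "Mar 10 2011 09:00:00"))
```

Two points the sample makes visible: the pool address 10.20.0.5 is reused by carol after alice's idle timeout, so a bare "who had 10.20.0.5" lookup is wrong without the time window, and the 725003 resume from alice's public IP produces a note rather than a session, because nothing in the log says which pool address the resumed session ended up with.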

edondurguti
Level 4

Is there a way to add duration to this or create custom syslog IDs?

I need:

duration—Connection duration in hours, minutes, and seconds

group-policy—The group policy that allowed the user to gain access

username—The name of the user