722022/722023 Messages

Schwadca12891
Level 1

Hey all,

Curious if anyone can shed some light on these IDs, as the ASA syslog encyclopedia isn't very insightful:

Error Message %ASA-6-722022: Group group-name User user-name IP addr (TCP | UDP) connection established (with | without) compression

Error Message %ASA-6-722023: Group group User user-name IP IP_address SVC connection terminated {with|without} compression

 

What exactly do these mean? I'm trying to track users' VPN sessions (I've successfully tested and it appears IDs 113039 and 113019 are the best for providing accurate session info). The problem is, the 722* IDs listed above are extremely prominent in the logs. There are blocks of time -- we're talking a month or two for each user -- in which the only IDs I see are the 722* events, particularly the 722023 event. We have since tuned the ASA to prioritize the 113* IDs, but I'm trying to find a way to explain to management (and legal) why there are chunks of time that we're only seeing 722022/023 events. Are these just communications between agent and server? Any insight is HUGELY appreciated.

Thanks!

 

1 Reply

Hi @Schwadca12891 

Message 722022 would coincide with a user login and 722023 would coincide with a user logoff/termination event; a debug of login/logoff events should confirm this. These messages, amongst others generated at the same time, are normal events.

 

Unfortunately the docs don't provide much more information:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-722001-to-776020.html#con_4778854
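
As an added example, not part of the thread and not Cisco's code, the Python below pairs 722022 and 722023 lines per (group, user, IP) using the two message templates quoted in the question, and separates out terminations that have no matching establishment in the log. The sample lines, their timestamp and hostname prefix, and the tolerance for `<...>` around values and an `SVC` token in 722022 are assumptions.

```python
import re
from datetime import datetime

# Field layout follows the two message templates quoted in the question.
# Assumption: values may be wrapped in <...> and 722022 may carry an "SVC" token.
EVENT = re.compile(
    r"^(?P<ts>\S+)\s.*%ASA-6-(?P<id>722022|722023): "
    r"Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? "
    r"IP <?(?P<ip>[^>\s]+)>? (?:(?:TCP|UDP) )?(?:SVC )?"
    r"connection (?:established|terminated) (?:with|without) compression"
)

# Constructed sample lines (timestamp/hostname prefix is an assumption).
SAMPLE = """\
2024-03-01T08:00:05Z asa01 %ASA-6-722022: Group Staff User alice IP 198.51.100.7 TCP connection established without compression
2024-03-01T08:00:06Z asa01 %ASA-6-722022: Group Staff User alice IP 198.51.100.7 UDP connection established without compression
2024-03-01T12:30:00Z asa01 %ASA-6-722023: Group Staff User alice IP 198.51.100.7 SVC connection terminated without compression
2024-03-01T13:00:00Z asa01 %ASA-6-722023: Group <Staff> User <bob> IP <203.0.113.9> SVC connection terminated without compression
2024-03-01T14:00:00Z asa01 %ASA-6-722022: Group <Staff> User <carol> IP <203.0.113.20> TCP SVC connection established without compression
2024-03-01T14:05:00Z asa01 %ASA-6-000000: unrelated line (constructed)
"""

def pair_events(text):
    """Return (intervals, orphan_terminations, still_open) per (group, user, ip)."""
    open_since, intervals, orphans = {}, [], []
    for line in text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # not a 722022/722023 line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["group"], m["user"], m["ip"])
        if m["id"] == "722022":
            # Keep the earliest establishment (e.g. TCP followed by UDP).
            open_since.setdefault(key, ts)
        elif key in open_since:
            intervals.append((key, open_since.pop(key), ts))
        else:
            # 722023 with no 722022 seen for this key in the log being read.
            orphans.append((key, ts))
    return intervals, orphans, open_since

if __name__ == "__main__":
    done, orphans, still_open = pair_events(SAMPLE)
    for key, start, end in done:
        print(key, start, end, end - start)
    print("terminations without establishment:", orphans)
    print("established, not yet terminated:", still_open)
```

Run over a full export, a long orphan list or many open entries is a sign that one side of the pair was not being logged for that period, which is the gap the question describes.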
