
722022/722023 Messages

Hey all,

Curious if anyone can shed some light on these IDs, as the ASA syslog encyclopedia isn't very insightful:

Error Message %ASA-6-722022: Group group-name User user-name IP addr (TCP | UDP) connection established (with | without) compression

Error Message %ASA-6-722023: Group group User user-name IP IP_address SVC connection terminated {with|without} compression

 

What exactly do these mean? I'm trying to track users' VPN sessions (I've successfully tested and it appears IDs 113039 and 113019 are the best for providing accurate session info). The problem is, the 722* IDs listed above are extremely prominent in the logs. There are blocks of time -- we're talking a month or two for each user -- in which the only IDs I see are the 722* events, particularly the 722023 event. We have since tuned the ASA to prioritize the 113* IDs, but I'm trying to find a way to explain to management (and legal) why there are chunks of time that we're only seeing 722022/023 events. Are these just communications between agent and server? Any insight is HUGELY appreciated.

Thanks!

 

1 REPLY

Hi @Schwadca12891 

Message 722022 would coincide with a user login and 722023 would coincide with a user logoff/termination event; a debug of login/logoff events should confirm this. These messages, amongst others generated at the same time, are normal events.

 

Unfortunately, the docs don't provide much more information:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-722001-to-776020.html#con_4778854
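For the session-tracking problem in this thread, the Python below is an added example (not part of the original posts and not Cisco code) that pairs 722022 and 722023 events into per-user sessions and reports terminations that have no matching start in the log. The names `EVENT`, `reconstruct` and `SAMPLE` are hypothetical; the ISO timestamp prefix, the optional `<...>` around values, and the rule that a session stays open while any logged connection is unterminated are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field order follows the two message templates quoted in the question.
# Assumptions: an ISO-8601 timestamp leads each line, and values may be
# wrapped in <...>.
EVENT = re.compile(
    r"^(?P<ts>\S+)\s.*?%ASA-6-(?:722022|722023): "
    r"Group <?(?P<group>[^<>\s]+)>? User <?(?P<user>[^<>\s]+)>? "
    r"IP <?(?P<ip>[^<>\s]+)>? (?:(?P<proto>TCP|UDP) )?(?:SVC )?"
    r"connection (?P<what>established|terminated)"
)

def reconstruct(lines):
    """Return (sessions, orphans, still_open) keyed by (group, user, ip).

    A session runs from the first 'established' to the 'terminated' that
    closes the last open connection (assumed pairing rule).
    """
    open_count = defaultdict(int)
    started = {}
    sessions, orphans = [], []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # any other message ID is ignored here
        key = (m["group"], m["user"], m["ip"])
        ts = datetime.fromisoformat(m["ts"])
        if m["what"] == "established":
            if open_count[key] == 0:
                started[key] = ts
            open_count[key] += 1
        elif open_count[key] == 0:
            orphans.append((key, ts))  # termination with no start logged
        else:
            open_count[key] -= 1
            if open_count[key] == 0:
                sessions.append((key, started.pop(key), ts))
    return sessions, orphans, sorted(started)  # last item: never terminated

SAMPLE = [  # constructed log lines, not from a real device
    "2021-03-01T08:00:01 asa01 %ASA-6-722022: Group <GP_VPN> User <alice> IP <198.51.100.7> TCP SVC connection established without compression",
    "2021-03-01T08:00:02 asa01 %ASA-6-722022: Group <GP_VPN> User <alice> IP <198.51.100.7> UDP SVC connection established without compression",
    "2021-03-01T09:00:00 asa01 %ASA-6-722023: Group <GP_VPN> User <alice> IP <198.51.100.7> SVC connection terminated without compression",
    "2021-03-01T09:30:00 asa01 %ASA-6-722023: Group <GP_VPN> User <alice> IP <198.51.100.7> SVC connection terminated without compression",
    "2021-03-01T10:00:00 asa01 %ASA-6-722023: Group <GP_VPN> User <bob> IP <203.0.113.9> SVC connection terminated without compression",
]
```

Orphaned terminations and never-terminated starts are returned separately so that gaps in the log show up in the report instead of being silently dropped.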
