03-01-2018 04:03 PM - edited 03-12-2019 05:04 AM
Hello,
I am trying to track when users connect to AnyConnect and also when they disconnect, per a client request. I know that the ASA will not show this history except for the current connections. I have set up a syslog server and tried message ID lists as well as classes, and I am only getting some logs when a user disconnects. Has anyone done this before, or does anyone know the log ID to create the list? I have tried searching the buffer as well to get the ID, with no luck.
Configuration below:
logging enable
logging timestamp
no logging hide username
logging list VPN_Connections message 722022
logging list VPN_Connections message 722023
logging list VPN_Connections message 722024
logging list VPN_Connections message 722021
logging buffer-size 1048576
logging console informational
logging monitor informational
logging buffered informational
logging trap VPN_Connections
logging asdm informational
logging host inside 10.0.20.7
and tried
logging enable
logging timestamp
no logging hide username
logging buffer-size 1048576
logging console informational
logging monitor informational
logging buffered informational
logging asdm informational
logging host inside 10.0.20.7
logging class auth trap informational
logging class vpnc trap informational
logging class webvpn trap informational
logging class svc trap informational
03-01-2018 06:00 PM
Hi
You should track the following syslog IDs: 716001 and 716002.
Take a look here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs8.html#con_4776945
03-02-2018 08:16 AM
I tried these, and for some reason it did not send the message IDs to the syslog server. However, I did the following and get the info I need, with a little extra, but I think it will work...
logging enable
logging timestamp
no logging hide username
logging list VPN level informational class vpnc
logging list VPN level informational class webvpn
logging list VPN level informational class svc
logging buffer-size 1048576
logging console informational
logging monitor informational
logging buffered informational
logging trap VPN
logging asdm informational
logging host inside 10.0.20.7
2018-03-02 08:03:30 Local4.Info 192.168.105.1 Mar 02 2018 08:03:30: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> UDP SVC connection terminated without compression
2018-03-02 08:03:30 Local4.Warning 192.168.105.1 Mar 02 2018 08:03:30: %ASA-4-722037: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> SVC closing connection: Transport closing.
2018-03-02 08:03:30 Local4.Info 192.168.105.1 Mar 02 2018 08:03:30: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> TCP SVC connection terminated without compression
2018-03-02 08:06:40 Local4.Warning 192.168.105.1 Mar 02 2018 08:06:40: %ASA-4-722041: TunnelGroup <VPN_TUNNEL> GroupPolicy <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> No IPv6 address available for SVC connection
2018-03-02 08:06:40 Local4.Notice 192.168.105.1 Mar 02 2018 08:06:40: %ASA-5-722033: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> First TCP SVC connection established for SVC session.
2018-03-02 08:06:40 Local4.Info 192.168.105.1 Mar 02 2018 08:06:40: %ASA-6-722022: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> TCP SVC connection established without compression
2018-03-02 08:06:40 Local4.Info 192.168.105.1 Mar 02 2018 08:06:40: %ASA-6-722055: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> Client Type: Cisco AnyConnect VPN Agent for Windows 4.5.02036
2018-03-02 08:06:40 Local4.Warning 192.168.105.1 Mar 02 2018 08:06:40: %ASA-4-722051: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> IPv4 Address <192.168.255.146> IPv6 address <::> assigned to session
2018-03-02 08:09:50 Local4.Info 192.168.105.1 Mar 02 2018 08:09:50: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> UDP SVC connection terminated without compression
2018-03-02 08:09:50 Local4.Warning 192.168.105.1 Mar 02 2018 08:09:50: %ASA-4-722037: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> SVC closing connection: Transport closing.
2018-03-02 08:09:50 Local4.Info 192.168.105.1 Mar 02 2018 08:09:50: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> TCP SVC connection terminated without compression
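The output above carries several messages per connect and disconnect, so a collector still has to reduce it to one event per session. The following is an added example, not part of the original thread: a Python sketch that does this, assuming 722033 marks the session start, 722051 supplies the assigned address and 722037 marks the session end (`session_events` and the event field names are hypothetical).

```python
import re
from datetime import datetime

# Assumption of this example: 722033 opens a session, 722037 closes it.
# 722022/722023 are per-transport messages (TCP, UDP) and are skipped.
CONNECT_ID, ADDRESS_ID, DISCONNECT_ID = "722033", "722051", "722037"
LINE_RE = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): "
    r".*?User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> (?P<rest>.*)")
ASSIGNED_RE = re.compile(r"IPv4 Address <([^>]*)>")

# Sample input: lines copied from the output in the post above.
SAMPLE = """\
2018-03-02 08:03:30 Local4.Info 192.168.105.1 Mar 02 2018 08:03:30: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> UDP SVC connection terminated without compression
2018-03-02 08:03:30 Local4.Warning 192.168.105.1 Mar 02 2018 08:03:30: %ASA-4-722037: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> SVC closing connection: Transport closing.
2018-03-02 08:06:40 Local4.Notice 192.168.105.1 Mar 02 2018 08:06:40: %ASA-5-722033: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> First TCP SVC connection established for SVC session.
2018-03-02 08:06:40 Local4.Info 192.168.105.1 Mar 02 2018 08:06:40: %ASA-6-722022: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> TCP SVC connection established without compression
2018-03-02 08:06:40 Local4.Warning 192.168.105.1 Mar 02 2018 08:06:40: %ASA-4-722051: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> IPv4 Address <192.168.255.146> IPv6 address <::> assigned to session
2018-03-02 08:09:50 Local4.Info 192.168.105.1 Mar 02 2018 08:09:50: %ASA-6-722023: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> UDP SVC connection terminated without compression
2018-03-02 08:09:50 Local4.Warning 192.168.105.1 Mar 02 2018 08:09:50: %ASA-4-722037: Group <ANYCONNECT_POLICY> User <nocmon> IP <73.153.245.21> SVC closing connection: Transport closing.
""".splitlines()

def session_events(lines):
    """Reduce raw ASA syslog lines to one connect/disconnect event per session."""
    open_sessions, events = {}, []   # open_sessions: (user, public IP) -> connect event
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                 # not a per-user ASA message
        when = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (m["user"], m["ip"])
        if m["id"] == CONNECT_ID:
            open_sessions[key] = {"event": "connect", "user": m["user"],
                                  "ip": m["ip"], "time": when, "assigned": None}
            events.append(open_sessions[key])
        elif m["id"] == ADDRESS_ID and key in open_sessions:
            found = ASSIGNED_RE.search(m["rest"])
            open_sessions[key]["assigned"] = found.group(1) if found else None
        elif m["id"] == DISCONNECT_ID:
            start = open_sessions.pop(key, None)   # None: connect was never logged
            events.append({"event": "disconnect", "user": m["user"], "ip": m["ip"],
                           "time": when,
                           "duration": when - start["time"] if start else None})
    return events

if __name__ == "__main__":
    for ev in session_events(SAMPLE):
        print(ev["time"], ev["event"], ev["user"], ev["ip"],
              ev.get("assigned") or ev.get("duration") or "")
```

A disconnect whose connect was never captured, like the first one in the sample, is still reported, with `duration` set to `None`.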