ā09-27-2017 09:23 AM - edited ā03-12-2019 04:34 AM
Hi all,
I have a ASA5512 running 9.0(4) with remote access VPN enabled using Anyconnect. I have a server running TACACS.net version 1.3.2 for my AAA.
My firewall has the below commands:
aaa-server NAME protocol tacacs+
aaa-server NAME (inside) host X.X.X.X
key akey
tunnel-group VPN general-attributes
accounting-server-group NAME
This works fine. I get the below accounting showing connects and disconnects:
Connect:
<102> 2017-08-30 01:27:30 [(firewall inside IP):58687] 08/30/2017 01:27:30 NAS_IP=(firewall inside IP) Port=864256 rem_addr=(user public IP) User=user1 Flags=Start task_id=aba0005d foreign_ip=(user public IP) local_ip=(firewall outside IP) service=shell
Disconnect:
<102> 2017-08-30 00:27:38 [(firewall inside IP):40024] 08/30/2017 00:27:38 NAS_IP=(firewall inside IP) Port=63521 rem_addr=(user public IP) User=user1 Flags=Stop task_id=aba0005d foreign_ip=(user public IP) local_ip=(firewall outside IP) service=shell elapsed_time=53507 bytes_in=129116256 bytes_out=1324313139 paks_in=1003690 paks_out=1559460 disc-cause=1
This has everything I need except one thing, the VPN Pool IP address assigned to that user while they were connected. Let's say VPN users are assigned an IP from 192.168.100.0/24 when connecting. And user1 was assigned 192.168.100.15 for a morning session and then user2 was later assigned 192.168.100.15 in the afternoon. I can see these when their connected with show vpn-sesssiondb. Is there any way to account for the VPN Pool IP assigned? I have been looking and looking and have found nothing to help answer this.
Solved! Go to Solution.
ā10-02-2017 10:38 AM
I am going to mark my own post as the answer. It doesn't appear this is capable with AAA accounting alone. I had to trap syslog event 722051 in order to get the IP assigned from the VPN IP pool. You would think that would be something they would add to accounting, but I suppose not. Maybe in a future release. If anyone else runs into this question, the only way to get the internal IP assigned from your VPN IP pool is through syslogging. It also shows the group policy they were assigned, which is helpful.
ā09-27-2017 03:57 PM
Hi,
Take a look on this document:
Configuring DHCP Accounting
https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbadhpca.pdf
ā10-02-2017 10:38 AM
I am going to mark my own post as the answer. It doesn't appear this is capable with AAA accounting alone. I had to trap syslog event 722051 in order to get the IP assigned from the VPN IP pool. You would think that would be something they would add to accounting, but I suppose not. Maybe in a future release. If anyone else runs into this question, the only way to get the internal IP assigned from your VPN IP pool is through syslogging. It also shows the group policy they were assigned, which is helpful.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide