Anyconnect VPN Pool assigned address accounting

kmanning1
Level 1

Hi all,


I have an ASA5512 running 9.0(4) with remote access VPN enabled using Anyconnect. I have a server running TACACS.net version 1.3.2 for my AAA.


My firewall has the below commands:

aaa-server NAME protocol tacacs+
aaa-server NAME (inside) host X.X.X.X
key akey


tunnel-group VPN general-attributes
accounting-server-group NAME


This works fine. I get the below accounting showing connects and disconnects:

Connect:
<102> 2017-08-30 01:27:30 [(firewall inside IP):58687] 08/30/2017 01:27:30 NAS_IP=(firewall inside IP) Port=864256 rem_addr=(user public IP) User=user1 Flags=Start task_id=aba0005d foreign_ip=(user public IP) local_ip=(firewall outside IP) service=shell

Disconnect:

<102> 2017-08-30 00:27:38 [(firewall inside IP):40024] 08/30/2017 00:27:38 NAS_IP=(firewall inside IP) Port=63521 rem_addr=(user public IP) User=user1 Flags=Stop task_id=aba0005d foreign_ip=(user public IP) local_ip=(firewall outside IP) service=shell elapsed_time=53507 bytes_in=129116256 bytes_out=1324313139 paks_in=1003690 paks_out=1559460 disc-cause=1


This has everything I need except one thing, the VPN Pool IP address assigned to that user while they were connected. Let's say VPN users are assigned an IP from 192.168.100.0/24 when connecting. And user1 was assigned 192.168.100.15 for a morning session and then user2 was later assigned 192.168.100.15 in the afternoon. I can see these when they're connected with show vpn-sessiondb. Is there any way to account for the VPN Pool IP assigned? I have been looking and looking and have found nothing to help answer this.

Accepted Solution

I am going to mark my own post as the answer. It doesn't appear this is capable with AAA accounting alone. I had to trap syslog event 722051 in order to get the IP assigned from the VPN IP pool. You would think that would be something they would add to accounting, but I suppose not. Maybe in a future release. If anyone else runs into this question, the only way to get the internal IP assigned from your VPN IP pool is through syslogging. It also shows the group policy they were assigned, which is helpful. 

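One way to join the two sources described in that answer, as an added example that is not from the original thread or from Cisco: the script parses TACACS+ accounting Start/Stop lines in the layout quoted above and ASA 722051 syslog lines, matches them on username and public address within a short window, and answers which user held a given pool address at a given time. The sample lines, addresses, task ids, group-policy name, the syslog timestamp layout and the 60-second matching tolerance are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample input (not real logs): accounting lines as quoted in the thread with the
# TACACS.net "<102> date [host:port]" prefix stripped; 722051 lines in an assumed timestamp layout.
ACCOUNTING = """\
08/30/2017 01:27:30 NAS_IP=10.0.0.1 Port=864256 rem_addr=203.0.113.5 User=user1 Flags=Start task_id=aba0005d foreign_ip=203.0.113.5 local_ip=198.51.100.1 service=shell
08/30/2017 04:15:08 NAS_IP=10.0.0.1 Port=864256 rem_addr=203.0.113.5 User=user1 Flags=Stop task_id=aba0005d foreign_ip=203.0.113.5 local_ip=198.51.100.1 service=shell elapsed_time=10058 bytes_in=129116256 bytes_out=1324313139 disc-cause=1
08/30/2017 13:02:11 NAS_IP=10.0.0.1 Port=864300 rem_addr=203.0.113.9 User=user2 Flags=Start task_id=aba00071 foreign_ip=203.0.113.9 local_ip=198.51.100.1 service=shell
"""
SYSLOG = """\
Aug 30 2017 01:27:31: %ASA-6-722051: Group <GP-Users> User <user1> IP <203.0.113.5> IPv4 Address <192.168.100.15> IPv6 address <::> assigned to session
Aug 30 2017 13:02:12: %ASA-6-722051: Group <GP-Users> User <user2> IP <203.0.113.9> IPv4 Address <192.168.100.15> IPv6 address <::> assigned to session
"""
ASSIGN_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d): %ASA-6-722051: Group <(?P<group>[^>]+)> "
                       r"User <(?P<user>[^>]+)> IP <(?P<pub>[^>]+)> IPv4 Address <(?P<pool>[^>]+)>")
MATCH_WINDOW = timedelta(seconds=60)  # assumed: the 722051 message follows the Start record within a minute

def parse_accounting(text):
    """Yield (timestamp, {attribute: value}) for each accounting line."""
    for line in text.splitlines():
        date, time, *kv = line.split()
        yield datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"), dict(i.split("=", 1) for i in kv)

def parse_assignments(text):
    """Yield (timestamp, group_policy, user, public_ip, pool_ip) for each 722051 line."""
    for m in filter(None, map(ASSIGN_RE.match, text.splitlines())):
        yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["group"], m["user"], m["pub"], m["pool"]

def build_sessions(acct_text, syslog_text):
    """Join Start/Stop records (keyed by task_id) with the pool address announced in syslog."""
    unmatched, sessions = list(parse_assignments(syslog_text)), {}
    for ts, f in parse_accounting(acct_text):
        if f["Flags"] == "Start":
            s = sessions[f["task_id"]] = {"user": f["User"], "start": ts, "stop": None, "pool_ip": None, "group": None}
            for a in unmatched:  # same user and public IP, shortly after Start; each 722051 is consumed once
                if a[2] == f["User"] and a[3] == f["rem_addr"] and ts <= a[0] <= ts + MATCH_WINDOW:
                    s["pool_ip"], s["group"] = a[4], a[1]
                    unmatched.remove(a)
                    break
        elif f["Flags"] == "Stop" and f["task_id"] in sessions:
            sessions[f["task_id"]]["stop"] = ts
    return sessions

def who_had(sessions, pool_ip, at_iso):
    """Username that held pool_ip at ISO time at_iso, or None; a session with stop=None is still open."""
    at = datetime.fromisoformat(at_iso)
    for s in sessions.values():
        if s["pool_ip"] == pool_ip and s["start"] <= at and (s["stop"] is None or at <= s["stop"]):
            return s["user"]
    return None
```

With the sample data, 192.168.100.15 resolves to user1 at 02:00 and to user2 at 14:00, and to nobody at 09:00 when the address was unassigned.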

2 Replies

Hi,


Take a look at this document:


Configuring DHCP Accounting


https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbadhpca.pdf
