Beginner

FMC intrusion event Anyconnect

Hello,

Is there a setting to change for an alert to get notified of brute-force login attempts to RAVPN/AnyConnect via the FMC?

Rising star

Re: FMC intrusion event Anyconnect

Hi,

When the user/client fails authentication, you'll get a message of "%ASA-6-611102: User authentication failed."

Regards,

Cristian Matei.

Beginner

Re: FMC intrusion event Anyconnect

Right, so there is no way to send that or trigger an alert message via FMC?

VIP Engager

Re: FMC intrusion event Anyconnect

Are you using ASA with an SFR sensor, or are you using FTD?

With an ASA SFR sensor, I am afraid you can't set up the alert on FMC. It's only set up on the ASA, and you could get a syslog message as @Cristian Matei mentioned.

However, if you are using FTD, then yes, you can configure the logging/alerts setup.

Please do not forget to rate.
Beginner

Re: FMC intrusion event Anyconnect

I'm using FMC to manage my FTD appliances. They are not running in ASA mode.

VIP Engager

Re: FMC intrusion event Anyconnect

Here, this is how you configure it.

[Attached image: FTD_SYSLOG.PNG]

Please do not forget to rate.
Beginner

Re: FMC intrusion event Anyconnect

Thanks, I just got around to testing this. I might open a case with TAC. I tried the recommended filter and was not getting anything in my syslog. I deleted the filter, then just sent anything informational to my syslog, and then I started to see the logs roll in. I tried some failed logins to my VPN, but I am not seeing them come in via syslog. If I grep for 611102, nothing shows up.

Beginner

Re: FMC intrusion event Anyconnect

The correct logging event is %ASA-6-113005.

There appears to be a bug where it doesn't show the username. But this is what I am looking for to monitor failed AnyConnect login attempts.

https://networkengineering.stackexchange.com/questions/9620/cisco-vpn-logs-do-not-show-the-username

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj62974
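
Once 113005 events reach a syslog server, the brute-force alert asked about in the thread can be built on the collector side. The following is an added example, not code from any poster or from Cisco: it counts rejections per client IP in a sliding window, keying on IP because the username may be masked as the last post notes. Assumptions: the collector prefixes an ISO timestamp and hostname, the message follows the `user = ... : user IP = ...` layout, either an `%ASA` or `%FTD` prefix may appear, and the threshold and window are hypothetical values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: "<ISO timestamp> <host> %ASA|FTD-6-113005: ... : user = X : user IP = Y"
PATTERN = re.compile(
    r"^(?P<ts>\S+)\s.*%(?:ASA|FTD)-\d-113005:.*?"
    r"user = (?P<user>.*?) : user IP = (?P<ip>\S+)"
)

def parse(line):
    """Return (timestamp, client_ip, user) for a 113005 rejection, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], m["user"]

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> time it first reached `threshold` rejections within `window`."""
    recent = defaultdict(deque)   # client IP -> timestamps still inside the window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _user = rec       # key on IP: the user field may be masked
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(ip, ts)
    return alerts

def _rejected(ts, ip):            # builds one constructed sample line
    return (f"{ts} ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = "
            f"AAA failure : server = 192.0.2.10 : user = ***** : user IP = {ip}")

# Constructed sample input (not from the thread)
SAMPLE = (
    [_rejected(f"2024-05-01T10:00:{s:02d}Z", "203.0.113.7") for s in (1, 9, 17, 25, 33)]
    + [_rejected("2024-05-01T10:00:05Z", "198.51.100.4"),
       _rejected("2024-05-01T10:30:05Z", "198.51.100.4"),
       "2024-05-01T10:00:06Z ftd1 %ASA-6-611102: User authentication failed"]
)

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE).items():
        print(f"ALERT {ip}: 5+ rejected VPN logins within 60s at {when}")
```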