cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
399
Views
5
Helpful
7
Replies
ryan14
Beginner

FMC intrusion event Anyconnect

Hello,

 

Is there a setting to change for an alert to get notified for a brute force login attempts to ravpn/anyconnect via the FMC?

7 REPLIES 7
Cristian Matei
VIP Collaborator

Hi,

 

    When the user/client fails authentication, you'll get a message of "%ASA-6-611102: User authentication failed. 

 

Regards,

Cristian Matei.

Right, so there is no way to send that or trigger an alert message via fmc?

are you using ASA with sfr sensor. or you using FTD?

with ASA sfr sensor I am afraid you cant setup the alert on FMC. its only set up on ASA and could get a syslog message as @Cristian Matei mentioned.

 

however, if you using FTD than yes. you can configure the logging/alerts setup.

please do not forget to rate.

I'm using FMC to manage my FTD appliances. They are not running in ASA mode.

Here this is how you confiFTD_SYSLOG.PNGgure it.

please do not forget to rate.

Thanks, I just got around to testing this. I might open a case with tac. I tried the recommended filter and was not getting anything in my syslog. I deleted the filter, then just send anything informational to my syslog then I started to see the logs roll in. I tried some failed logins to my vpn, but I am not seeing them come in via syslog. If I grep for 611102, nothing shows up.

The correct logging event is %ASA-6-113005.

 

There appears to be a bug where it doesn't show the username. But this is what I am looking for to monitor failed anyconnect login attempts.

 

https://networkengineering.stackexchange.com/questions/9620/cisco-vpn-logs-do-not-show-the-username

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj62974

Content for Community-Ad