07-16-2016 04:59 AM - edited 02-21-2020 08:53 PM
I would like to know if it is possible to set up my ASA running 9.4 to log events for when my users connect and disconnect the AnyConnect VPN client. There was a security issue with one of our remote systems and I was able to find who had that IP address, but I was unable to find the MAC address of the user with that IP address.
syslog# :
When user logs on: syslog# 716001
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913
When user logs off: syslog# 716002
You might want to look through the list of syslog# 716xxx messages, as they are all related to SSL VPN; you might be interested in some of them.
who had that IP address during that time.
The IP Pool is defined on the ASA as well, so it is nice to have the following information:
userID connected
userID disconnected
IP address associated with connection
I want to know whether there is any possibility of finding a syslog message with details of the IP address and MAC address of a specific user. Can anyone help me with this query as soon as possible?
Thanks & Regards,
Apparao.
07-16-2016 10:19 AM
You won't get the MAC address of the remote access VPN client, as the connection is Layer 3 (IP-based) and not Layer 2.
You will get the user's remote public IP address and the local IP address assigned to the user in syslog message IDs 722041 and 722051. Like you see here (taken from my ASA):
4|Jul 16 2016 13:09:13|722041: TunnelGroup <DISYS-SSL> GroupPolicy <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <108.48.66.29> No IPv6 address available for SVC connection
4|Jul 16 2016 13:09:13|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <108.48.66.29> IPv4 Address <192.168.45.153> IPv6 address <::> assigned to session
You can raise those message IDs to a higher logging level (lower number like 2 or 3) and then only log that level of messages to your syslog server, making them very easy to see.
07-17-2016 12:58 AM
Hi Marvin Rhoads,
I humbly thank you for your valuable reply. I am working as a network engineer for a reputed organization. Recently, I got an incident from one of the users asking me to suggest whether there is any possibility of getting an alert or report of the user's MAC address when the user connects and disconnects to the Cisco AnyConnect VPN. From your reply I confirmed that we can't retrieve the MAC address from the syslog messages generated in the ASA. Can you please help me with how to retrieve the logs from the ASA of the different users who connect and disconnect to the Cisco AnyConnect VPN? If you don't mind, can you please elaborate on how we can proceed to get the logs from the ASA of the users who are connected and disconnected to the Cisco AnyConnect VPN?
Thanks & Regards,
Apparao.
07-17-2016 06:48 AM
The logs are gathered using any of the standard methods. The configuration guide explains how in detail:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/monitor-syslog.html
The most common method is to direct them to an external syslog server where they can be easily archived and searched.
Here is an example of the logging settings from my ASA:
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging buffered notifications
logging trap warnings
logging asdm notifications
logging device-id hostname
logging host inside <address of my syslog server>
07-18-2016 12:41 AM
Hi Marvin Rhoads,
Thank you for spending your valuable time to reply. Can you please confirm that there is no possibility of getting the MAC addresses of the users who connected and disconnected to the VPN, and that this is 100% correct? Regarding configuring and retrieving the syslog messages from the ASA, that has a solution now. But one more query: I got a request from the user with highest priority to suggest a solution for getting an alert or report of the MAC addresses of users who connected and disconnected to the VPN (Cisco AnyConnect SSL VPN). Can you please confirm that there is no possibility of getting an alert or report of the MAC addresses of users who connected and disconnected to the VPN (Cisco AnyConnect SSL VPN) connection?
Thanks & Regards,
Appa Rao.
07-19-2023 08:25 AM
Hi Marvin,
I have a similar issue with my firewall; it seems to be a volume issue.
If I get 235-plus users to connect I don't get the syslog; if I get 12 people to connect I get the logs as expected.
Any thoughts on this one? The rate limit is set as unlimited.
logging enable
logging timestamp
logging standby
logging buffered informational
logging trap informational
logging asdm debugging
logging facility 19
logging host Inside x.x.x.x
logging host management x.x.x.x
logging host management x.x.x.x
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
mtu management 1500
mtu PO1 1500
mtu Inside 1500
Kind Regards
07-20-2023 05:53 AM
@Marvin Rhoads Can you help with this one.
07-20-2023 07:59 AM
@Grizzelz where are you looking at the logs? Console, logging host destination or "show log" in ssh session?
07-17-2016 10:25 PM
@rarao_zealot
You can create a logging list on the ASA with four messages that will give you this information.
Here is the example to obtain all this information:
logging list VPN-USER-DISCONNECT message 746012
logging list VPN-USER-DISCONNECT message 722051
logging list VPN-USER-DISCONNECT message 746013
logging list VPN-USER-DISCONNECT message 113019
When you want to send them via a syslog server:
logging trap VPN-USER-DISCONNECT
logging host inside <ServerIPAddress>
When you want to store them on ASA buffer:
logging buffered VPN-USER-DISCONNECT
logging enable
logging timestamp
The result of that will be this for example:
Aug 19 2015 10:27:11: %ASA-7-746012: user-identity: Add IP-User mapping 10.10.10.1 - LOCAL\dina Succeeded - VPN user
Aug 19 2015 10:27:11: %ASA-4-722051: Group <DfltGrpPolicy> User <dina> IP <192.168.79.132> IPv4 Address <10.10.10.1> IPv6 address <::> assigned to session
Aug 19 2015 10:27:33: %ASA-7-746013: user-identity: Delete IP-User mapping 10.10.10.1 - LOCAL\dina Succeeded - VPN user logout
Aug 19 2015 10:27:33: %ASA-4-113019: Group = Teams_AAA, Username = dina, IP = 192.168.79.132, Session disconnected. Session Type: SSL, Duration: 0h:00m:27s, Bytes xmt: 11120, Bytes rcv: 3501, Reason: User Requested
See this as a reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html
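Added example, not from any poster in this thread: a small Python parser that correlates the 722051 (pool address assigned) and 113019 (session disconnected) messages in the format shown above to answer the original question of who held a given pool address at a given time. The first two sample lines are the ones posted above; the third is constructed, and the message layouts are assumed to be exactly as shown.

```python
import re
from datetime import datetime

# Sample input: the first two lines are the 722051/113019 examples from the
# post above; the third line is constructed (made-up user, addresses, time).
SAMPLE_LOG = """\
Aug 19 2015 10:27:11: %ASA-4-722051: Group <DfltGrpPolicy> User <dina> IP <192.168.79.132> IPv4 Address <10.10.10.1> IPv6 address <::> assigned to session
Aug 19 2015 10:27:33: %ASA-4-113019: Group = Teams_AAA, Username = dina, IP = 192.168.79.132, Session disconnected. Session Type: SSL, Duration: 0h:00m:27s, Bytes xmt: 11120, Bytes rcv: 3501, Reason: User Requested
Aug 19 2015 10:30:02: %ASA-4-722051: Group <DfltGrpPolicy> User <bob> IP <203.0.113.7> IPv4 Address <10.10.10.1> IPv6 address <::> assigned to session
"""

TS_FORMAT = "%b %d %Y %H:%M:%S"
HEADER = re.compile(r"^(\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(\d{6}): (.*)$")
ASSIGNED = re.compile(r"User <([^>]+)> IP <([^>]+)> IPv4 Address <([^>]+)>")
DISCONNECTED = re.compile(r"Username = ([^,]+), IP = ([^,]+),")

def build_sessions(log_text):
    """Pair each 722051 (pool address assigned) with its 113019 (session ended).
    113019 does not repeat the pool address, so the two messages are joined on
    the (username, remote public IP) pair that both of them carry."""
    open_by_key, sessions = {}, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an ASA syslog line in the expected layout
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        msg_id, body = m.group(2), m.group(3)
        if msg_id == "722051" and (a := ASSIGNED.search(body)):
            user, public_ip, pool_ip = a.groups()
            sess = {"user": user, "public_ip": public_ip, "pool_ip": pool_ip,
                    "start": ts, "end": None}
            open_by_key[(user, public_ip)] = sess
            sessions.append(sess)
        elif msg_id == "113019" and (d := DISCONNECTED.search(body)):
            sess = open_by_key.pop(d.groups(), None)
            if sess:  # ignore a disconnect whose assignment was never logged
                sess["end"] = ts
    return sessions

def who_had(sessions, pool_ip, when_str):
    """Users holding pool_ip at an ASA-format time; no 113019 yet = still active."""
    when = datetime.strptime(when_str, TS_FORMAT)
    return [s["user"] for s in sessions
            if s["pool_ip"] == pool_ip and s["start"] <= when
            and (s["end"] is None or when <= s["end"])]

if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_LOG)
    print(who_had(sessions, "10.10.10.1", "Aug 19 2015 10:27:20"))  # ['dina']
    print(who_had(sessions, "10.10.10.1", "Aug 19 2015 12:00:00"))  # ['bob']
```

Because the pool address is reused as soon as a session ends, the time window from the paired messages, not the address alone, identifies the user.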
07-18-2016 12:20 AM
Hi Dina Odeh,
Thank you humbly for spending your valuable time to answer. As per your answer to my query regarding configuring and retrieving syslog messages from the ASA for the VPN connected and disconnected users, that has a solution. One more query from my side: as per Marvin Rhoads' reply in the discussion on syslog messages with the MAC address of the users who connected and disconnected to the VPN, is there any possibility of getting syslog messages with the MAC addresses of the users who connected and disconnected to the VPN? Can you please answer my query and confirm that Marvin Rhoads' answer to my previous query was 100% correct? I got a request from the user with highest priority to suggest a solution to get an alert or report with syslog messages of the MAC addresses of users who connected and disconnected to the VPN (Cisco AnyConnect SSL VPN).
Thanks & Regards,
Appa Rao.
07-18-2016 07:03 AM
Hi Appa,
Yes, you cannot have the MAC address of the users in the ASA logs.
Check if you can get it in the AAA server if you authenticate against an AAA server like ACS or ISE.
07-18-2016 08:32 AM
Confirming Dina's reply.
If you have a RADIUS AAA server you will indeed be able to retrieve the MAC address via the RADIUS accounting record. It is reported as one of many records among the CiscoAVPair section (AV = attribute-value).
Below is an example of part of the detailed accounting available via RADIUS (and NOT available on the ASA natively). In this case, I am using Cisco ISE as my RADIUS server. The "device-mac" shown below is the MAC address of my laptop's wireless network interface card.
CiscoAVPair | mdm-tlv=device-platform=win, mdm-tlv=device-mac=18-5e-0f-d0-b0-a6, mdm-tlv=device-platform-version=10.0.10586 , mdm-tlv=ac-user-agent=AnyConnect Windows 4.3.01095, mdm-tlv=device-type=HP HP Spectre x360 Convertible, mdm-tlv=device-uid=4514E677E0418BA60723441835B32036FE7A8CF3DEEC403C891BF632EC2136E7, audit-session-id=c0a8fe04000d5000578cf456, ip:source-ip=65.196.69.130, coa-push=true |
07-18-2016 11:57 AM
Thank you Marvin,
We are using a RADIUS (FreeRADIUS) AAA server. Can you please show me how to mail the logs which include the MAC address to the user's mail? Can you please tell us the configuration in RADIUS?
07-18-2016 02:18 PM
I have no idea if the above is possible using FreeRADIUS.
Suggest you check your FreeRADIUS logs to see if the information is even captured in its accounting records. If it is, then go on over to the FreeRADIUS site and look for the answer there.
http://wiki.freeradius.org/Home#documentation
Or you could just buy Cisco ISE. :)
01-28-2022 06:31 AM
I performed this configuration, but I didn't see any logs being generated or sent to syslog server.
Is something missing?
###
logging list VPN-USER message 746012
logging list VPN-USER message 722051
logging list VPN-USER message 746013
logging list VPN-USER message 113019
logging trap VPN-USER
logging host MGNT X.X.X.X
logging buffered VPN-USER
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging facility 16
logging device-id hostname
logging debug-trace