Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
60843
Views
21
Helpful
16
Replies

How to log anyconnect sessions in syslog?

rarao_zealot
Level 1
Level 1

‎07-16-2016 04:59 AM - edited ‎02-21-2020 08:53 PM

I would like to know if it is possible to setup my ASA running 9.4 to log events from when my users connect and disconnect the anyconnect vpn client. There was a security issue with one of our remote systems and able to find who had that IP address but unable to find the user with MAC address with that IP address.

syslog# :

When user logs on: syslog# 716001

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913

When user logs off: syslog# 716002

You might want to look through the list on syslog# 716xxx as they are all related to SSL VPN, you might be interested in some of them.

who had that IP address during that time.

The IP Pool is defined on the ASA as well, so it is nice to have the following information:

userID connected

userID disconnected

IP address associated with connection

I want to knew that, is there any possibility to find the syslog with details of IP address and MAC address of the specific user.Can anyone help me on this query as soon as possible.

Thanks & Regards,

Apparao.

2 people had this problem
Labels:
0 Helpful
16 Replies 16

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-16-2016 10:19 AM

You won't get the MAC address of the remote access VPN client as the connection is layer 3 (IP-based) and not Layer 2.

You will get the user's remote public IP address and local IP address assigned to the user in a syslog message IDs 722041 and 722051. Like you see here (taken from my ASA):

4|Jul 16 2016 13:09:13|722041: TunnelGroup <DISYS-SSL> GroupPolicy <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <108.48.66.29> No IPv6 address available for SVC connection

4|Jul 16 2016 13:09:13|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <108.48.66.29> IPv4 Address <192.168.45.153> IPv6 address <::> assigned to session

You can raise those message IDs to a higher logging level (lower number like 2 or 3) and then only log that level of messages to your syslog server, making them very easy to see.

rarao_zealot
Level 1
Level 1
In response to Marvin Rhoads

‎07-17-2016 12:58 AM

Hi Marvin Rhoads,

I humbly thank you for your valuable reply. I am working as a network engineer for an reputed organization. Recently, I got an incident from of the user to suggest is there any possibility to get the alert or report of the user MAC address when the user connects and disconnects to Cisco AnyConnect vpn. From your reply I  confirmed that we can’t retrieve the MAC address from the syslog messages generated in ASA. Can you please help me how to retrieve the logs from the ASA, of different users who connects and disconnects to Cisco AnyConnect vpn. If you don’t mind, can you please elaborate me how can we proceed to get the logs of the users from ASA who are connected and disconnected to Cisco AnyConnect VPN.

Thanks & Regards,

Apparao.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rarao_zealot

‎07-17-2016 06:48 AM

rarao_zealot  

The logs are gathered using any of the standard methods. The configuration guide explains how in detail:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/monitor-syslog.html

The most common method is to direct them to an external syslog server where they can be easily archived and searched.

Here is an example of the logging settings from my ASA:

logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging buffered notifications
logging trap warnings
logging asdm notifications
logging device-id hostname
logging host inside <address of my syslog server>
0 Helpful

rarao_zealot
Level 1
Level 1
In response to Marvin Rhoads

‎07-18-2016 12:41 AM

Hi Marvin Rhoads,

Thanking you for spending your valuable time to give reply.Can you please confirm that there is no possibility to get the MAC addresses of the users who got connected and disconnected to the VPN connection was 100% correct.Regarding the configuring and retrieving the syslog messages from ASA has got an solution.But one more query, i got an request from the user with highest priority to suggest an solution for getting alert or report of the users  MAC Addresses who got connected and disconnected to the VPN(Cisco AnyConnect SSL VPN).Can you please confirm that there is no possibility to get alert or report of the user MAC addresses who got connected and disconnected to the VPN(Cisco AnyConnect SSL VPN) connection.

Thanks & Regards,

Appa Rao.

0 Helpful

Grizzelz
Level 1
Level 1
In response to Marvin Rhoads

‎07-19-2023 08:25 AM

Hi Marvin,

I have a similar issue with my firewall, it seems to be a volume issue.

If I get 235 Plus users to connect I don't get the syslog, if I get 12 people to connect I get the logs as expected.

Any thoughts on this one, rate limit is set as unlimited.

logging enable
logging timestamp
logging standby
logging buffered informational
logging trap informational
logging asdm debugging
logging facility 19
logging host Inside x.x.x.x
logging host management x.x.x.x
logging host management x.x.x.x
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
mtu management 1500
mtu PO1 1500
mtu Inside 1500

 

 

 

 

Kind Regards

 

 

 

0 Helpful

Grizzelz
Level 1
Level 1
In response to Grizzelz

‎07-20-2023 05:53 AM

@Marvin Rhoads Can you help with this one.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Grizzelz

‎07-20-2023 07:59 AM

@Grizzelz where are you looking at the logs? Console, logging host destination or "show log" in ssh session?

0 Helpful

Dina Odeh
Level 1
Level 1
In response to rarao_zealot

‎07-17-2016 10:25 PM

@rarao_zealot

You can  create a Logging list on the ASA with four messages that will give you:

 

  1. When user connect.
  2. The Public IP address the user is connecting from.
  3. The Username
  4. The Tunnel-group this user is connecting to.
  5. Time when user Disconnected.
  6. How long the user was connected.
  7. How many bytes RX and TX the user sent during the connection.
  8. The Private IP address assigned to the user.
  9. The reason of the disconnection.

 

Here is the example to obtain all this information:

 

  1. Create a logging list with the logging message ID:

 

 

logging list VPN-USER-DISCONNECT message 746012

logging list VPN-USER-DISCONNECT message 722051

logging list VPN-USER-DISCONNECT message 746013

logging list VPN-USER-DISCONNECT message 113019

 

 

  1. Apply the logging list to the method you want to generate the logs (buffered, trap, asdm, so on)

 

When you want to send them via a syslog server:

logging trap VPN-USER-DISCONNECT

logging host inside <ServerIPAddress>

When you want to store them on ASA buffer:

 logging buffered VPN-USER-DISCONNECT

 

  1. Enable logging and timestamp:

 

logging enable

logging timestamp

 

The result of that will be this for example:

Aug 19 2015 10:27:11: %ASA-7-746012: user-identity: Add IP-User mapping 10.10.10.1 - LOCAL\dina Succeeded - VPN user

Aug 19 2015 10:27:11: %ASA-4-722051: Group <DfltGrpPolicy> User <dina> IP <192.168.79.132> IPv4 Address <10.10.10.1> IPv6 address <::> assigned to session

Aug 19 2015 10:27:33: %ASA-7-746013: user-identity: Delete IP-User mapping 10.10.10.1 - LOCAL\dina Succeeded - VPN user logout

Aug 19 2015 10:27:33: %ASA-4-113019: Group = Teams_AAA, Username = dina, IP = 192.168.79.132, Session disconnected. Session Type: SSL, Duration: 0h:00m:27s, Bytes xmt: 11120, Bytes rcv: 3501, Reason: User Requested

See this as a reference: 

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html

rarao_zealot
Level 1
Level 1
In response to Dina Odeh

‎07-18-2016 12:20 AM

Hi Dina Odeh,

Thanking you humbly, for spending your valuable time to give answer.As per you answer for my query regarding configuring and retrieving syslog messages from the ASA, for the VPN connected and disconnected users has got a solution.One more query from my side that, as per Marvin Rhoads reply for the discussion on syslog messages with MAC address of the users who got connected and disconnected to the VPN, is there any possibility to get the syslog messages with MAC addresses of the users who got connected and disconnected to the VPN.Can you please answer to my query and confirm Marvin Rhoads answer for the my previous query was 100% correct.I got an request from the user with highest priority to suggest an solution to get the alert or report with Syslog messages of MAC addresses of users who got connected and disconnected to the VPN(Cisco AnyConnect SSL VPN).

Thanks & Regards,

Appa Rao.

0 Helpful

Dina Odeh
Level 1
Level 1
In response to rarao_zealot

‎07-18-2016 07:03 AM

Hi Appa, 

Yes, you cannot have the MAC address of the users in the ASA logs. 

Check if you can get it in the AAA server if you have authentication against AAA server like ACS and ISE. 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Dina Odeh

‎07-18-2016 08:32 AM

Confirming Dina's reply.

If you have a RADIUS AAA server you will indeed be able to retrieve the MAC address via the RADIUS accounting record. It is reported as one of many records among the CiscoAVPair section (AV = attribute-value).

Below is an example of part of the detailed accounting available via RADIUS (and NOT available on the ASA natively). In this case, I am using Cisco ISE as my RADIUS server. The "device-mac" shown below is the MAC address of my laptop's wireless network interface card. 

CiscoAVPair mdm-tlv=device-platform=win, mdm-tlv=device-mac=18-5e-0f-d0-b0-a6, mdm-tlv=device-platform-version=10.0.10586 , mdm-tlv=ac-user-agent=AnyConnect Windows 4.3.01095, mdm-tlv=device-type=HP HP Spectre x360 Convertible, mdm-tlv=device-uid=4514E677E0418BA60723441835B32036FE7A8CF3DEEC403C891BF632EC2136E7, audit-session-id=c0a8fe04000d5000578cf456, ip:source-ip=65.196.69.130, coa-push=true

rarao_zealot
Level 1
Level 1
In response to Marvin Rhoads

‎07-18-2016 11:57 AM

Thank you Marvin,

We are using RADIUS(FreeRADIUS) AAA server, can you please illustrate me how to mail the logs which include mac address to the user mail. Can you please tell us the configuration in the RADIUS.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rarao_zealot

‎07-18-2016 02:18 PM

I have no idea if the above is possible using FreeRADIUS.

Suggest you check your Free RADIUS logs to see if the information is even captured in its accounting records. If it is then go on over to the FreeRADIUS site and look for the answer there.

http://wiki.freeradius.org/Home#documentation

Or you could just buy Cisco ISE. :)

0 Helpful

Rodolfo Navero
Level 1
Level 1
In response to Dina Odeh

‎01-28-2022 06:31 AM

I performed this configuration, but I didn't see any logs being generated or sent to syslog server.

Is something missing?

 

###

logging list VPN-USER message 746012
logging list VPN-USER message 722051
logging list VPN-USER message 746013
logging list VPN-USER message 113019
logging trap VPN-USER
logging host MGNT X.X.X.X
logging buffered VPN-USER
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging facility 16
logging device-id hostname
logging debug-trace

0 Helpful
Customers Also Viewed These Support Documents