How to log applied ACLs when an AnyConnect user connects
09-29-2023 10:26 AM
Having trouble logging which ACLs are applied when an AnyConnect user connects to the ASA.
When a user matches more than a single DAP, the ASA logs show which ACLs are applied.
"User 'aaa-acl' executed the access-list...."
When a user only matches a single DAP, there are no 'aaa-acl' entries.
For one DAP in particular, it logs differently: "Group xxx user yyy IP zzz User ACL xxx from AAA ignored, AV-PAIR ACL used instead"
The configurations of the DAPs appear to be the same. Don't know why one references an AV-PAIR.
If the user matches that same DAP, and at least one more, the 'aaa-acl' log entries are made.
Need a consistent way to log, or somehow troubleshoot, ACL issues, regardless of how many DAPs a user might match.
Labels: AnyConnect
10-03-2023 09:22 AM
1. Enable logging:
- Use the command `logging enable` to enable the transmission of syslog messages to all output locations.
2. Specify the syslog server:
- Use the command `logging host interface_name ip_address [tcp[/port] | udp[/port]]` to specify the syslog server's IP address and the desired protocol (TCP or UDP) and port.
- Example: `logging host inside 172.22.1.5 udp/514`
3. Set the logging severity level:
- Use the command `logging trap severity_level` to specify the severity level of the logs to be sent to the syslog server.
- Example: `logging trap informational`
4. Add ACL logging:
- To log ACL hits, add the `log` option to each access list element (ACE) you want to log.
- Example: `access-list 101 line 1 extended permit icmp any any log`
5. Verify the configuration:
- Use the command `show logging` to view the syslog buffer contents and verify that syslog messages are being sent to the syslog server.
Note: Make sure the syslog server is reachable from the ASA and properly configured to receive logs. This should help you troubleshoot any issues by providing a consistent record of ACLs applied whenever any user connects using AnyConnect.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
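The reply configures where syslog goes, but the question is really about making sense of the two different message shapes the ASA emits for the applied ACL (the "User 'aaa-acl' executed the access-list ..." lines when several DAP records match, and the "User ACL ... from AAA ignored, AV-PAIR ACL ... used instead" line when one does). The following script is an added example, not code from the thread or from Cisco: it reads ASA syslog text, builds one record per AnyConnect user stating which ACL the log says was applied and from which message type that was learned, and lists users for which no ACL evidence was logged at all, which is the single-DAP case the question describes. Assumptions: message IDs are omitted because the post does not show them, so matching is on the message text; the "AnyConnect parent session started" line is used as the per-user session marker; tying a dynamically built "aaa-acl" ACL to the next session that starts is a heuristic, since those lines carry no username; and the sample log lines are constructed.

```python
"""Summarise which ACL the ASA reported as applied per AnyConnect user.

Added example (not from the thread). Message ids are omitted because the
post does not show them; matching is on the message text as quoted there.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample log: shaped like the fragments quoted in the question.
SAMPLE_LOG = """\
Sep 29 2023 10:20:01 asa1 : Group RA-GRP User alice IP 10.9.8.7 User ACL ACL-ALICE from AAA ignored, AV-PAIR ACL ACL-DAP-FIN used instead
Sep 29 2023 10:20:01 asa1 : Group RA-GRP User alice IP 10.9.8.7 AnyConnect parent session started
Sep 29 2023 10:21:14 asa1 : User 'aaa-acl' executed the 'access-list DAP-ACL-7 extended permit tcp any host 10.1.1.10 eq 443' command
Sep 29 2023 10:21:14 asa1 : User 'aaa-acl' executed the 'access-list DAP-ACL-7 extended deny ip any any' command
Sep 29 2023 10:21:15 asa1 : Group RA-GRP User bob IP 10.9.8.8 AnyConnect parent session started
Sep 29 2023 10:25:40 asa1 : Group RA-GRP User carol IP 10.9.8.9 AnyConnect parent session started
"""

# Single-DAP case: the ASA names the AV-PAIR ACL it applied for the user.
AV_PAIR_RE = re.compile(
    r"Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) "
    r"User ACL (?P<aaa_acl>\S+) from AAA ignored, AV-PAIR ACL (?P<acl>\S+) used instead"
)
# Multi-DAP case: the ASA builds a merged ACL as internal user 'aaa-acl'.
DYNAMIC_ACE_RE = re.compile(
    r"User 'aaa-acl' executed the 'access-list (?P<acl>\S+) (?P<ace>.+?)' command"
)
# Assumed session marker (not shown in the thread).
SESSION_RE = re.compile(
    r"Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) AnyConnect parent session started"
)


@dataclass
class SessionAcl:
    user: str
    ip: str
    acl: str = ""                 # ACL name the log says was applied
    source: str = "none logged"   # "av-pair", "dynamic", or "none logged"
    aces: List[str] = field(default_factory=list)  # ACEs seen for a dynamic ACL


def summarize(log_text: str) -> Dict[str, SessionAcl]:
    """Return one SessionAcl per user seen in the log."""
    sessions: Dict[str, SessionAcl] = {}
    # Dynamic ACLs built by 'aaa-acl' carry no username; hold them until a
    # session starts (heuristic: the most recently built one belongs to it).
    pending_dynamic: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = AV_PAIR_RE.search(line)
        if m:
            sessions[m["user"]] = SessionAcl(m["user"], m["ip"], m["acl"], "av-pair")
            continue
        m = DYNAMIC_ACE_RE.search(line)
        if m:
            pending_dynamic.setdefault(m["acl"], []).append(m["ace"])
            continue
        m = SESSION_RE.search(line)
        if m:
            s = sessions.setdefault(m["user"], SessionAcl(m["user"], m["ip"]))
            if s.source == "none logged" and pending_dynamic:
                acl, aces = pending_dynamic.popitem()  # last inserted = most recent
                s.acl, s.source, s.aces = acl, "dynamic", aces
    return sessions


def users_without_acl_evidence(sessions: Dict[str, SessionAcl]) -> List[str]:
    """Users whose session started but for whom no applied ACL was logged."""
    return sorted(u for u, s in sessions.items() if s.source == "none logged")


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for s in result.values():
        print(f"{s.user:8} {s.ip:12} {s.source:12} {s.acl or '-':14} ACEs={len(s.aces)}")
    print("no ACL evidence:", users_without_acl_evidence(result))
```

Run against a real export, the "none logged" list is the set of logins the current logging does not explain; if that list is non-empty after the `logging trap` level has been raised as the reply suggests, the gap is in which messages the ASA emits for that DAP, not in the syslog transport.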
