Incorrect TCP session Logs for Remote VPN Users on Cisco ASA

Hi everyone,

I have a problem on a Cisco ASA5520 version 8.2(5).

A customer has set up a syslog to keep track of TCP sessions made by VPN users.

On the syslog we filter %ASA-6-302013 and %ASA-6-302014 log messages, respectively: Built inbound TCP connection and Teardown TCP connection.

When the connection is made by a VPN user, at the end of the log line you see the VPN username, which should be the same in both messages for the same connection.

I have verified that when a user, let's say UserA, disconnects from the VPN, their TCP sessions are not properly closed; if another user, let's say UserB, establishes a VPN immediately after and gets the same IP address previously assigned to UserA, the log sessions are recorded with UserA in the %ASA-6-302013 message and UserB in the %ASA-6-302014 message.

I presume this is due to the fact that the TCP sessions are not torn down when the first user disconnects, and it looks like a bug to me, but I didn't find it referenced anywhere.

Can anyone help me with this problem?

Is there a way to have all TCP sessions torn down when a user disconnects the VPN connection?

Thank you in advance.

Valerio Galantini

2 Replies

Jennifer Halim
Cisco Employee

Hi Jennifer,

Unfortunately we need to account the users for their session/traffic and then report each IP the users connect to and how much traffic was made to those IPs, so we can't just use login and logoff messages.
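As an added example (not part of the original thread), the mismatch described in the question can be detected on the syslog side by pairing each %ASA-6-302013 line with its %ASA-6-302014 line on the connection ID and comparing the trailing usernames. The log lines below are constructed, and their field layout and the regular expressions are assumptions to check against the messages your ASA actually emits.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed layout; username in trailing parentheses).
SAMPLE_LOG = """\
Jan 10 10:00:01 asa %ASA-6-302013: Built inbound TCP connection 1001 for outside:10.10.10.5/50123 (10.10.10.5/50123) to inside:192.168.1.20/443 (192.168.1.20/443) (UserA)
Jan 10 10:00:09 asa %ASA-6-302014: Teardown TCP connection 1001 for outside:10.10.10.5/50123 to inside:192.168.1.20/443 duration 0:00:08 bytes 5120 TCP FINs (UserA)
Jan 10 10:05:00 asa %ASA-6-302013: Built inbound TCP connection 1002 for outside:10.10.10.5/50200 (10.10.10.5/50200) to inside:192.168.1.30/22 (192.168.1.30/22) (UserA)
Jan 10 10:20:00 asa %ASA-6-302014: Teardown TCP connection 1002 for outside:10.10.10.5/50200 to inside:192.168.1.30/22 duration 0:15:00 bytes 900 TCP FINs (UserB)
"""

BUILT = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection (?P<id>\d+) for "
    r"\S+?:(?P<src>[^/\s]+)/\d+ \(\S+\) to \S+?:(?P<dst>[^/\s]+)/\d+ \(\S+\)"
    r"(?: \((?P<user>[^)]+)\))?\s*$")
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"\S+?:(?P<src>[^/\s]+)/\d+ to \S+?:(?P<dst>[^/\s]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)(?: .*?)?(?: \((?P<user>[^)]+)\))?\s*$")

def correlate(log_text):
    """Pair Built/Teardown by connection ID.

    Returns (mismatches, usage): mismatches lists connections whose two
    messages name different users; usage sums bytes per (user, destination IP)
    only for connections where both messages agree on the user.
    """
    built = {}                      # connection ID -> user seen in 302013
    mismatches = []
    usage = defaultdict(int)
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            built[m["id"]] = m["user"]
            continue
        m = TEARDOWN.search(line)
        if not m or m["id"] not in built:
            continue                # unrelated line, or teardown without a Built
        opener = built.pop(m["id"])
        if opener != m["user"]:
            mismatches.append((m["id"], m["src"], opener, m["user"]))
        else:
            usage[(opener, m["dst"])] += int(m["bytes"])
    return mismatches, dict(usage)

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

Connections reported in `mismatches` are kept out of the per-user totals so they can be reviewed separately instead of being billed to either username.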
