Incorrect TCP session Logs for Remote VPN Users on Cisco ASA
I have a problem on a Cisco ASA5520 version 8.2(5).
A customer has set up a syslog to keep track of TCP sessions made by VPN users.
On the syslog we filter %ASA-6-302013 and %ASA-6-302014 log messages, respectively: Built inbound TCP connection and Teardown TCP connection.
When the connection is made by a VPN user, at the end of the log line you see the VPN username, which should be the same in both messages for the same connection.
I have verified that when a user, let's say UserA, disconnects from the VPN, their TCP sessions are not properly closed;
if another user, let's say UserB, establishes a VPN immediately after and gets the same IP address previously assigned to UserA, the log sessions are recorded with UserA in the %ASA-6-302013 message and UserB in the %ASA-6-302014 message.
I presume this is due to the fact that the TCP sessions are not torn down when the first user disconnects, and it looks like a bug to me, but I didn't find it referenced anywhere.
Can anyone help me with this problem?
Is there a way to have all TCP sessions torn down when a user disconnects the VPN connection?
Unfortunately we need to account the users for their sessions/traffic and then report each IP the users connect to and how much traffic was made to those IPs, so we can't just use login and logoff messages.
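On the log-processing side, the mismatch described in the post can be caught before it reaches a per-user report. The following is an added example, not code from the original post or from Cisco: it pairs 302013 and 302014 lines by connection id and keeps pairs with differing usernames out of the per-user totals. The sample lines are constructed, and the line layout (connection id after "TCP connection", username in parentheses at the end) is assumed from the post's description.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post). Layout assumed from the post:
# connection id after "TCP connection", VPN username in parentheses at the end.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:10.10.10.5/50111 (10.10.10.5/50111) to inside:192.0.2.20/443 (192.0.2.20/443) (UserA)
%ASA-6-302014: Teardown TCP connection 1001 for outside:10.10.10.5/50111 to inside:192.0.2.20/443 duration 0:00:12 bytes 4200 TCP FINs (UserA)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:10.10.10.5/50112 (10.10.10.5/50112) to inside:192.0.2.30/22 (192.0.2.30/22) (UserA)
%ASA-6-302014: Teardown TCP connection 1002 for outside:10.10.10.5/50112 to inside:192.0.2.30/22 duration 0:09:41 bytes 977 TCP Reset-O (UserB)
"""

CONN = re.compile(r"%ASA-6-(302013|302014): .*?TCP connection (\d+) for "
                  r"\S+?:([\d.]+)/\d+ .*?to \S+?:([\d.]+)/\d+")
USER = re.compile(r"\(([^()/]+)\)\s*$")  # trailing "(user)"; "/" rules out "(ip/port)"
BYTES = re.compile(r" bytes (\d+)")


def correlate(lines):
    """Pair Built/Teardown messages by connection id.

    Returns (totals, mismatches): bytes per (user, destination IP) for pairs
    whose usernames agree, and the pairs whose usernames differ or are missing.
    """
    built, totals, mismatches = {}, defaultdict(int), []
    for line in lines:
        m = CONN.search(line)
        if not m:
            continue
        msg, conn_id, src, dst = m.groups()
        u = USER.search(line)
        user = u.group(1) if u else None
        if msg == "302013":
            built[conn_id] = user
            continue
        opener = built.pop(conn_id, None)  # None: Built line never seen
        b = BYTES.search(line)
        nbytes = int(b.group(1)) if b else 0
        if opener == user and user is not None:
            totals[(user, dst)] += nbytes
        else:
            mismatches.append({"conn": conn_id, "src": src, "dst": dst,
                               "built_user": opener, "teardown_user": user,
                               "bytes": nbytes})
    return dict(totals), mismatches


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG.splitlines()))
```

Connections that land in the mismatch list can be reviewed against the VPN login and logoff times for the source address before being attributed to either user.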