Hi everyone,
I have a problem on a Cisco ASA5520 version 8.2(5).
A customer has set up a syslog to keep track of tcp sessions made by vpn users.
On the syslog we filter %ASA-6-302013 and %ASA-6-302014 log messages, respectively: Built inbound TCP connection and Teardown TCP connection.
When the connection is made by a vpn user, at the end of the log line you see the vpn username which should be the same in both the messages for the same connection.
I have verified that when a user, let's say UserA, disconnects from the vpn, their tcp sessions are not properly closed;
if another user, let's say UserB, establishes a VPN immediately after and gets the same IP address previously assigned to UserA, the log sessions are recorded with UserA in the %ASA-6-302013 message and UserB in the %ASA-6-302014 message.
I presume this is due to the fact that the tcp sessions are not torn down when the first user disconnects, and it looks like a bug to me, but I didn't find it referenced anywhere.
Can anyone help me with this problem?
Is there a way to have all tcp sessions torn down when a user disconnects the VPN connection?
Thank you in advance.
Valerio Galantini
For VPN sessions, it's best to log the following syslog messages:
For WebVPN:
Syslog#: 716001 - user connects:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913
Syslog#: 716002 - user disconnects:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776918
For IPSec VPN Client:
Syslog#: 611101 - user connects:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774570
Syslog#: 611102 - user authentication fails:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774576
Syslog#: 611103 - user logoff:
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774581
Hi Jennifer,
Unfortunately we need to account the users for their session/traffic and then report each IP the users connect to and how much traffic was made to those IPs, so we can't just use login and logoff messages.
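The symptom described in the first post (a Built message carrying UserA and the matching Teardown carrying UserB after the IP is reused) and the per-user, per-destination traffic accounting asked for in the last reply can both be handled on the syslog collector side. The Python below is an added example, not code from the thread or from Cisco: it correlates %ASA-6-302013 and %ASA-6-302014 lines by connection id, flags every connection whose two usernames disagree, and totals the bytes reported at teardown per (user, destination IP). The log lines are constructed for this example; the exact field layout of the two messages, the use of the connection id as the join key, and the position of the bytes field and the trailing username are assumptions based on how the thread describes the messages, so check them against the ASA 8.2 message reference before running this on real logs.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post). Field layout is an
# assumption: connection id, source, destination, duration/bytes on teardown,
# and the VPN username in parentheses at the end of the line.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:10.8.0.5/51000 (10.8.0.5/51000) to inside:192.168.1.10/443 (192.168.1.10/443) (UserA)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:10.8.0.5/51001 (10.8.0.5/51001) to inside:192.168.1.20/80 (192.168.1.20/80) (UserA)
%ASA-6-302014: Teardown TCP connection 1002 for outside:10.8.0.5/51001 to inside:192.168.1.20/80 duration 0:00:05 bytes 2048 TCP FINs (UserA)
%ASA-6-302013: Built inbound TCP connection 1003 for outside:10.8.0.5/51002 (10.8.0.5/51002) to inside:192.168.1.30/22 (192.168.1.30/22) (UserB)
%ASA-6-302014: Teardown TCP connection 1001 for outside:10.8.0.5/51000 to inside:192.168.1.10/443 duration 0:10:00 bytes 4096 TCP Reset-O (UserB)
%ASA-6-302014: Teardown TCP connection 1003 for outside:10.8.0.5/51002 to inside:192.168.1.30/22 duration 0:00:30 bytes 512 TCP FINs (UserB)
"""

# Regexes follow the assumed layout above; adjust if your ASA emits
# additional fields (e.g. identity-firewall usernames after each address).
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for \S+:(?P<src>[\d.]+)/\d+ \([^)]*\) to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\([^)]*\) \((?P<user>[^)]+)\)$"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) "
    r"for \S+:(?P<src>[\d.]+)/\d+ to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+) .*?\((?P<user>[^)]+)\)$"
)


def correlate(log_text):
    """Join each Teardown (302014) to the Built (302013) with the same connection id.

    Returns a dict with:
      mismatches: (cid, built_user, teardown_user, src_ip) where the usernames
                  differ, i.e. the IP-reuse symptom described in the thread
      orphans:    connection ids torn down without a Built in this window
      still_open: connection ids built but never torn down in this window
      usage:      {(built_user, dst_ip): total_bytes} for accounting
    """
    open_conns = {}
    mismatches = []
    orphans = []
    usage = defaultdict(int)

    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            open_conns[m["cid"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # not one of the two messages we track
        t = m.groupdict()
        b = open_conns.pop(t["cid"], None)
        if b is None:
            orphans.append(t["cid"])
            continue
        if b["user"] != t["user"]:
            mismatches.append((t["cid"], b["user"], t["user"], t["src"]))
        # Design choice: attribute the bytes to the user who opened the
        # connection. That user was authenticated on the source IP when the
        # flow began; the flagged mismatch tells the operator this total
        # needs review because the IP changed hands before teardown.
        usage[(b["user"], t["dst"])] += int(t["bytes"])

    return {
        "mismatches": mismatches,
        "orphans": orphans,
        "still_open": sorted(open_conns),
        "usage": dict(usage),
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for cid, built_user, torn_user, src in result["mismatches"]:
        print(f"conn {cid} from {src}: built as {built_user}, torn down as {torn_user}")
    for (user, dst), total in sorted(result["usage"].items()):
        print(f"{user} -> {dst}: {total} bytes")
```

On the constructed input, connection 1001 is reported as a mismatch (built by UserA, torn down by UserB from the reused address 10.8.0.5), which is exactly the record the original poster wants to catch; the other two connections account cleanly. Feeding the collector's 302013/302014 stream through this and alerting on a non-empty mismatch list gives a way to measure how often the stale-session condition occurs, independently of whether the ASA side can be made to tear the sessions down at VPN logoff.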