Is there a way to filter inactive VPN users on ASA

Quikr_167
Level 1

Hi,

We have Cisco ASA 5585-X firewall and we generally create local VPN user accounts on the ASA. Since we have been creating these since long, there are more than 500 user accounts existing on the ASA.

Now we need to know who all are actually using the VPN or who are the inactive accounts, so we can just clean the garbage from ASA.

Does anyone have any idea to pull out the reports from ASA to filter the inactive VPN users?

Thanks in advance !!

4 Replies

ogerking
Level 1

hi

Give this command a try:

show vpn-sessiondb anyconnect sort inactivity

Username : li-jp Index : 72
Assigned IP : 172.16.10.36 Public IP : 223.104.5.234
Protocol : AnyConnect-Parent DTLS-Tunnel
License : AnyConnect Premium, AnyConnect for Mobile
Encryption : AnyConnect-Parent: (1)none DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none DTLS-Tunnel: (1)SHA1
Bytes Tx : 5110 Bytes Rx : 2638
Group Policy : vpnpolicy Tunnel Group : vpntunnel
Login Time : 15:59:42 china Sat Dec 3 2016
Duration : 4d 0h:37m:51s
Inactivity : 4d 0h:35m:47s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Then enter this command:

vpn-sessiondb logoff name li-jp

I hope this helps!

Thank you for your revert ogerking@sohu.com :)

I tried these commands, but they only show the inactivity time of the currently logged-in users. I want to know which users have never logged in for 1 month or more, so that such accounts can be deleted.

Is that possible in any case?

Username : praveen.k Index : 23111
Assigned IP : 192.168.0.140 Public IP : 182.64.231.18
Protocol : AnyConnect-Parent
License : AnyConnect Premium
Bytes Tx : 4932592 Bytes Rx : 1350903
Group Policy : VPNTUNNEL Tunnel Group : VPNTUNNEL
Login Time : 11:53:04 IST Wed Dec 7 2016
Duration : 3h:06m:24s
Inactivity : 0h:32m:21s
VLAN Mapping : N/A VLAN : none

Hi,

I'm sorry I didn't help you. I look forward to the right answer, me too.

JP Miranda Z
Cisco Employee

Hi Quikr_167,

If you are using the ASA with the local database for usernames and passwords, there is not really a way to find out which user is completely inactive so you can remove it. In this case what is normally recommended is to use a server for authentication so you can keep track of the users (ACS, Windows Server). From the ASA perspective, the best way to handle this is to remove the users as soon as you know they are not going to be used anymore.

Hope this info helps!!

Rate if it helps you!!

-JP-
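As an added example (not code from the thread or from Cisco), the script below bridges ogerking's session output and JP's point that the ASA itself keeps no per-account history: it parses "show vpn-sessiondb anyconnect" blocks into a last-activity time per user (Login Time + Duration - Inactivity), and compares that against the local accounts from "show running-config username" to list accounts with no observed activity in a given window. The two sample outputs are constructed in the ASA's format with placeholder hashes; collecting the session output repeatedly over the month is assumed, since an account never seen in any snapshot is what this reports as stale.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of "show vpn-sessiondb anyconnect" output (two sessions, same
# fields as the forum output; lines the parser does not need are simply ignored).
SESSIONS = """\
Username     : li-jp                  Index        : 72
Assigned IP  : 172.16.10.36           Public IP    : 223.104.5.234
Login Time   : 15:59:42 china Sat Dec 3 2016
Duration     : 4d 0h:37m:51s
Inactivity   : 4d 0h:35m:47s

Username     : praveen.k              Index        : 23111
Login Time   : 11:53:04 IST Wed Dec 7 2016
Duration     : 3h:06m:24s
Inactivity   : 0h:32m:21s
"""

# Constructed sample of "show running-config username" (password hashes are placeholders).
USERNAMES = """\
username li-jp password PLACEHOLDER encrypted privilege 0
username praveen.k password PLACEHOLDER encrypted privilege 0
username old.contractor password PLACEHOLDER encrypted privilege 0
"""
DUR_RE = re.compile(r"(?:(\d+)d )?(\d+)h:(\d+)m:(\d+)s")

def parse_duration(text: str) -> timedelta:
    """'4d 0h:35m:47s' or '0h:32m:21s' -> timedelta."""
    d, h, m, s = (int(x) if x else 0 for x in DUR_RE.search(text).groups())
    return timedelta(days=d, hours=h, minutes=m, seconds=s)

def last_activity(output: str) -> Dict[str, datetime]:
    """Per user, the latest moment traffic was seen: Login Time + Duration - Inactivity."""
    seen: Dict[str, datetime] = {}
    for block in re.split(r"\n\s*\n", output.strip()):
        user = re.search(r"Username\s*:\s*(\S+)", block).group(1)
        login = re.search(r"Login Time\s*:\s*(\S+) \S+ (.+)", block)  # drops the clock-name token
        login_at = datetime.strptime(f"{login.group(1)} {login.group(2)}", "%H:%M:%S %a %b %d %Y")
        active = login_at + parse_duration(re.search(r"Duration\s*:(.*)", block).group(1)) \
                          - parse_duration(re.search(r"Inactivity\s*:(.*)", block).group(1))
        seen[user] = max(active, seen.get(user, active))  # keep the newest of several sessions
    return seen

def stale_accounts(config: str, seen: Dict[str, datetime], now: datetime, days: int = 30) -> List[str]:
    """Local usernames with no activity observed within `days` of `now` (never seen counts as stale)."""
    cutoff = now - timedelta(days=days)
    users = re.findall(r"^username (\S+) ", config, re.M)
    return [u for u in users if seen.get(u) is None or seen[u] < cutoff]
```

Feed each day's session output into last_activity and merge the dictionaries with max per user before calling stale_accounts; a user in the local database who never appears in any snapshot is a candidate for removal.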