Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2189
Views
0
Helpful
4
Replies

Is there a way to filter inactive VPN users on ASA

Quikr_167
Level 1
Level 1

‎12-06-2016 10:19 PM

Hi,

We have Cisco ASA 5585-X firewall and we generally create local VPN user accounts on the ASA. Since we have been creating these since long, there are more than 500 user accounts existing on the ASA.

Now we need to know who all are actually using the VPN or who are the inactive accounts, so we can just clean the garbage from ASA.

Does anyone have any idea to pull out the reports from ASA to filter the inactive VPN users?

Thanks in advance !!

Labels:
0 Helpful
4 Replies 4

ogerking
Level 1
Level 1

‎12-07-2016 12:44 AM

hi

this command a try 

SH VPN-Sessiondb ANYconnect SORT INactivity 

Username : li-jp Index : 72
Assigned IP : 172.16.10.36 Public IP : 223.104.5.234
Protocol : AnyConnect-Parent DTLS-Tunnel
License : AnyConnect Premium, AnyConnect for Mobile
Encryption : AnyConnect-Parent: (1)none DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none DTLS-Tunnel: (1)SHA1
Bytes Tx : 5110 Bytes Rx : 2638
Group Policy : vpnpolicy Tunnel Group : vpntunnel
Login Time : 15:59:42 china Sat Dec 3 2016
Duration : 4d 0h:37m:51s
Inactivity : 4d 0h:35m:47s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Then enter this commande

vpn-sessiondb logoff name li-jp

I hope this helps!

0 Helpful

Quikr_167
Level 1
Level 1
In response to ogerking

‎12-07-2016 01:36 AM

Thank you for your revert ogerking@sohu.com  :)

I tried these commands and it only shows the inactivity time of current logged-in users but I want to know the users who never logged in since 1 month or more, so such accounts can be deleted.

Is that possible in any case?

Username : praveen.k Index : 23111
Assigned IP : 192.168.0.140 Public IP : 182.64.231.18
Protocol : AnyConnect-Parent
License : AnyConnect Premium
Bytes Tx : 4932592 Bytes Rx : 1350903
Group Policy : VPNTUNNEL Tunnel Group : VPNTUNNEL
Login Time : 11:53:04 IST Wed Dec 7 2016
Duration : 3h:06m:24s
Inactivity : 0h:32m:21s
VLAN Mapping : N/A VLAN : none
0 Helpful

ogerking
Level 1
Level 1
In response to Quikr_167

‎12-07-2016 05:31 PM

hi 

I'm sorry I didn't help you,I look forward to the right answer,me too.

 

0 Helpful

JP Miranda Z
Cisco Employee
Cisco Employee

‎12-07-2016 07:31 PM

Hi Quikr_167,

If you are using the ASA with the local database for usernames and passwords there is not really a way to find out which user is completely inactive so you can remove it, in this case normally what is recommended will be use a server for authentication so you can keep track of the users (ACS, Windows Server). From the ASA perspective the best way to handle this will be removing the users as soon as you know they are not going to be used anymore.

Hope this info helps!!

Rate if helps you!! 

-JP-

0 Helpful
Customers Also Viewed These Support Documents