Solved: Monitoring VPN connection attempts

snowmizer · ‎02-17-2011

I would like to be able to use the syslog messages that come off of the ASA to monitor VPN connection attempts (successful and unsuccessful). Looking at the system messages there are several codes that pertain to this.

I'm wondering if anyone has a good way to use syslog to do this? Are there certain codes that can be used for this information?

Thanks.

hdashnau · ‎02-21-2011

You can configure the ASA to send syslog messages when the user connects and disconnects. There are a few kinds of "remote access" VPN like IPsec, webvpn/clientless, anyconnect/ssl vpn client that you can track.

If you are using Clientless SSL VPN the syslogs usually begin with 716xxx. For example the syslog for connect is 716001 and disconnect is 716002. There is a list of other Clientless SSL VPN related messages here. You can view the specific content of each log here:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4776913

If you are using SSL VPN Client (SVC1.x,AnyConnect 2.x) the syslogs usually begin with 722xxx. For example, the syslog for connect is 722022 and disconnect is 722023. There is a list of other SSL VPN Client related messages here

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4778697

If you are using IPSec client VPN you can track a successfull connect with 713119 (indicates Phase1 complete), 713049 (indicates Phase2 complete) and disconnect with 113019. There is an additional ipsec syslog 713049 you might want to track for ipsec.

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775678

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775412 http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769539

Here are some other helpful notes to keep in mind:

-You can tell what levels of logging you currently have on the ASA command line with "show log"

-The logs that you send to a syslog server are controled with the "Trap logging" commands. For example "logging trap informational" (level 6) or "logging trap alerts" (level 1)

-You can tell what severity level (ie alerts, critical, errors,warnings, notifications, informational, debugging) each of these logs through this link. As youll notice by checking the link, the ones tracking log in or logout as I noted above are usually informational (sev 6)):

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logsev

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logsevp.html

-If you want to create a specific subset of syslogs to send to a particular device, you can accomplish this with a logging class or a logging list:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/m

For example (logging class):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/m

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065253

logging class vpnc traf informational

For example (logging list):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065512

logging list mylist message 722022

logging list mylist message 722023

logging trap mylist

Please remember to rate the posts that helped you and to mark the question as resolved if youre question has been answered.

-heather

View solution in original post

Federico Coto Fajardo · ‎02-17-2011

Hi,

There are several syslogs for VPN - for Ipsec Cisco VPN Clien look into thes:

Ipsec phase 1-2 related

Syslog 713120

Syslog 713119

syslog 713049

RA user related

syslog ID: 113015 user authentication Rejected : reason = Invalid password : local database : user =

Syslog: ID 713184 Group = ciscovpn_ra_access, Username = IP = , Client Type: WinNT Client Application Version: 4.8.00.0440

Syslog: ID 113012 AAA user authentication Successful : local database : user = username

You could watch the ASDM real time log and look at the syslog IDs to spot the ones you want or check the syslog IDs bellow in the link.

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/syslog.html

Hope it helps.

Federico.

snowmizer · ‎02-21-2011

I'd been looking at the doc you referenced and syslog events. I just wanted to know if anyone

had a good list of codes I could look at for this purpose. Your list gives me a good whittled down starting point.

Thanks for the reply.

hdashnau · ‎02-21-2011

You can configure the ASA to send syslog messages when the user connects and disconnects. There are a few kinds of "remote access" VPN like IPsec, webvpn/clientless, anyconnect/ssl vpn client that you can track.

If you are using Clientless SSL VPN the syslogs usually begin with 716xxx. For example the syslog for connect is 716001 and disconnect is 716002. There is a list of other Clientless SSL VPN related messages here. You can view the specific content of each log here:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4776913

If you are using SSL VPN Client (SVC1.x,AnyConnect 2.x) the syslogs usually begin with 722xxx. For example, the syslog for connect is 722022 and disconnect is 722023. There is a list of other SSL VPN Client related messages here

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4778697

If you are using IPSec client VPN you can track a successfull connect with 713119 (indicates Phase1 complete), 713049 (indicates Phase2 complete) and disconnect with 113019. There is an additional ipsec syslog 713049 you might want to track for ipsec.

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775678

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775412 http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769539

Here are some other helpful notes to keep in mind:

-You can tell what levels of logging you currently have on the ASA command line with "show log"

-The logs that you send to a syslog server are controled with the "Trap logging" commands. For example "logging trap informational" (level 6) or "logging trap alerts" (level 1)

-You can tell what severity level (ie alerts, critical, errors,warnings, notifications, informational, debugging) each of these logs through this link. As youll notice by checking the link, the ones tracking log in or logout as I noted above are usually informational (sev 6)):

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logsev

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logsevp.html

-If you want to create a specific subset of syslogs to send to a particular device, you can accomplish this with a logging class or a logging list:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/m

For example (logging class):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/m

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065253

logging class vpnc traf informational

For example (logging list):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065512

logging list mylist message 722022

logging list mylist message 722023