02-04-2013 07:44 AM
I came across this during a log review. Starting on the 28th of Jan an IP has started showing up in my ASA logs. Problem I have is the IP seems to be coming out of Delaware, and we are in Ontario and all the users connecting are also in Ontario.
We are using Anyconnect to connect to our ASA.
Here is an excerpt of the logs. Edited to remove users etc.
Login:
%ASA-6-725001: Starting SSL handshake with client Clientvpn:99.245.174.213/61474 for TLSv1 session.
%ASA-6-725002: Device completed SSL handshake with client Clientvpn:99.245.174.213/61474
%ASA-6-113012: AAA user authentication Successful : local database : user = ..
%ASA-6-113003: AAA group policy for user .. is being set to ..
%ASA-6-113011: AAA retrieved user specific group policy (..) for user = ..
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = ..
%ASA-6-113008: AAA transaction status ACCEPT : user = ..
%ASA-6-113039: Group <..> User <..> IP <99.245.174.213> AnyConnect parent session started.
%ASA-6-725007: SSL session with client Clientvpn:99.245.174.213/61474 terminated.
**Why is it terminating, only to reconnect???**
%ASA-6-725001: Starting SSL handshake with client Clientvpn:99.245.174.213/61478 for TLSv1 session.
%ASA-6-725002: Device completed SSL handshake with client Clientvpn:99.245.174.213/61478
%ASA-4-722041: TunnelGroup <..> GroupPolicy <..> User <..> IP <99.245.174.213> No IPv6 address available for SVC connection
%ASA-5-722033: Group <..> User <..> IP <99.245.174.213> First TCP SVC connection established for SVC session.
%ASA-4-722051: Group <..> User <..> IP <99.245.174.213> IPv4 Address <192.168.100.71> IPv6 address <::> assigned to session
%ASA-6-725001: Starting SSL handshake with client Clientvpn:99.245.174.213/59488 for DTLSv1 session.
%ASA-6-725001: Starting SSL handshake with client Clientvpn:99.245.174.213/59488 for DTLSv1 session.
%ASA-6-725003: SSL client Clientvpn:99.245.174.213/59488 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client Clientvpn:99.245.174.213/59488
%ASA-5-722033: Group <..> User <..> IP <99.245.174.213> First UDP SVC connection established for SVC session.
Logout:
%ASA-6-725007: SSL session with client Clientvpn:99.245.174.213/59488 terminated.
%ASA-5-722037: Group <..> User <..> IP <99.245.174.213> SVC closing connection: Transport closing.
%ASA-5-722012: Group <..> User <..> IP <99.245.174.213> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..
%ASA-6-716002: Group <..> User <..> IP <99.245.174.213> WebVPN session terminated: User Requested.
%ASA-4-113019: Group = .., Username = .., IP = 52.102.36.175, Session disconnected. Session Type: SSL, Duration: 0h:03m:03s, Bytes xmt: 66067, Bytes rcv: 75687, Reason: User Requested
That is the IP in question. It shows up for multiple users upon disconnect of an AnyConnect connection.
Anyone have any ideas on this?
Upon even more review there are other IP's that are showing up as well.
116.136.36.175 - China
196.110.36.175 - Unknown
12.115.36.175 - Kansas
36.162.36.175 - Bejing China
02-06-2013 08:51 AM
Okay, this seems to be some sort of bug in the logging.
All these IP's have the same last 2 octets 36.175, that matches the actual IP of one of my site to site VPN connections.
Very strange. I may try reloading the ASA early in the morning to see if it clears it up.
ASA 5510 9.1.1 in case anyone is interested.
04-05-2013 10:19 AM
Hello Brian,
I know that this is an old post but I just wanted to share some information in case you are still having this issue. As you mentioned before this is a Bug on version 9.1.1, which is identified by Cisco and fixed on versions 9.0(2.4) 8.4(4.6). However, the fix has not been included on any 9.1.x version. The next release of 9.1.x should inlcude the fix. Please find the bug bellow:
syslog 113019 reports invalid address when VPN client disconnects
Syslog reports an invalid IP Address.
Conditions:
This condition occurs when a VPN Client is disconnected.
Regards,
Luis
04-05-2013 02:24 PM
Thanks for the update.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide