Odd IPs showing up in ASA VPN logs

Brian Rapier
Level 1

I came across this during a log review.  Starting on the 28th of Jan an IP has started showing up in my ASA logs.  Problem I have is the IP seems to be coming out of Delaware, and we are in Ontario and all the users connecting are also in Ontario.

We are using Anyconnect to connect to our ASA.

Here is an excerpt of the logs.  Edited to remove users etc.

Login:

%ASA-6-725001: Starting SSL handshake with client Clientvpn:99.245.174.213/61474 for TLSv1 session.

%ASA-6-725002: Device completed SSL handshake with client Clientvpn:99.245.174.213/61474

%ASA-6-113012: AAA user authentication Successful : local database : user = ..

%ASA-6-113003: AAA group policy for user .. is being set to ..

%ASA-6-113011: AAA retrieved user specific group policy (..) for user = ..

%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = ..

%ASA-6-113008: AAA transaction status ACCEPT : user = ..

%ASA-6-113039: Group <..> User <..> IP <99.245.174.213> AnyConnect parent session started.

%ASA-6-725007: SSL session with client Clientvpn:99.245.174.213/61474 terminated.

**Why is it terminating, only to reconnect???**

%ASA-6-725001: Starting SSL handshake with client Clientvpn:99.245.174.213/61478 for TLSv1 session.

%ASA-6-725002: Device completed SSL handshake with client Clientvpn:99.245.174.213/61478

%ASA-4-722041: TunnelGroup <..> GroupPolicy <..> User <..> IP <99.245.174.213> No IPv6 address available for SVC connection

%ASA-5-722033: Group <..> User <..> IP <99.245.174.213> First TCP SVC connection established for SVC session.

%ASA-4-722051: Group <..> User <..> IP <99.245.174.213> IPv4 Address <192.168.100.71> IPv6 address <::> assigned to session

%ASA-6-725001: Starting SSL handshake with client Clientvpn:99.245.174.213/59488 for DTLSv1 session.

%ASA-6-725001: Starting SSL handshake with client Clientvpn:99.245.174.213/59488 for DTLSv1 session.

%ASA-6-725003: SSL client Clientvpn:99.245.174.213/59488 request to resume previous session.

%ASA-6-725002: Device completed SSL handshake with client Clientvpn:99.245.174.213/59488

%ASA-5-722033: Group <..> User <..> IP <99.245.174.213> First UDP SVC connection established for SVC session.

Logout:

%ASA-6-725007: SSL session with client Clientvpn:99.245.174.213/59488 terminated.

%ASA-5-722037: Group <..> User <..> IP <99.245.174.213> SVC closing connection: Transport closing.

%ASA-5-722012: Group <..> User <..> IP <99.245.174.213> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..

%ASA-6-716002: Group <..> User <..> IP <99.245.174.213> WebVPN session terminated: User Requested.

%ASA-4-113019: Group = .., Username = .., IP = 52.102.36.175, Session disconnected. Session Type: SSL, Duration: 0h:03m:03s, Bytes xmt: 66067, Bytes rcv: 75687, Reason:  User Requested

That is the IP in question.  It shows up for multiple users upon disconnect of an AnyConnect connection.

Anyone have any ideas on this? 

Upon even more review there are other IPs that are showing up as well.

116.136.36.175 - China

196.110.36.175 - Unknown

12.115.36.175 - Kansas

36.162.36.175 - Beijing China

3 Replies

Brian Rapier
Level 1

Okay, this seems to be some sort of bug in the logging. 

All these IPs have the same last 2 octets 36.175, that matches the actual IP of one of my site to site VPN connections.

Very strange.  I may try reloading the ASA early in the morning to see if it clears it up.

ASA 5510 9.1.1 in case anyone is interested.

Hello Brian,

I know that this is an old post but I just wanted to share some information in case you are still having this issue. As you mentioned before this is a Bug on version 9.1.1, which is identified by Cisco and fixed on versions 9.0(2.4) and 8.4(4.6). However, the fix has not been included on any 9.1.x version. The next release of 9.1.x should include the fix. Please find the bug below:

CSCub72545

syslog 113019 reports invalid address when VPN client disconnects

Syslog reports an invalid IP Address.

Conditions:

This condition occurs when a VPN Client is disconnected.

Regards,

Luis

Thanks for the update.
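
For log review on an affected release, the following added example (not code from the thread's participants or from Cisco) compares the address in each 113019 disconnect record with the address recorded at session start in 113039 for the same user, and separates mismatches that fit the pattern described in the thread from ones that need a closer look. The function name `triage`, the `known_addrs` parameter, the sample users and group, and every address except 52.102.36.175 are assumptions made for illustration.

```python
import re

# Message formats as quoted in the thread; severity digit left open because it is configurable.
START = re.compile(r"%ASA-\d-113039: Group <[^>]*> User <([^>]*)> IP <([^>\s]+)>")
STOP = re.compile(r"%ASA-\d-113019: Group = [^,]*, Username = ([^,]*), IP = ([^,\s]+),")

def triage(lines, known_addrs=()):
    """Compare each 113019 disconnect address with the addresses recorded at
    session start (113039) for the same user; return only the odd ones."""
    known_tails = {tuple(a.split(".")[2:]) for a in known_addrs}
    active = {}      # user -> set of source addresses with an open session
    findings = []    # (user, start addresses, disconnect address, verdict)
    for line in lines:
        m = START.search(line)
        if m:
            active.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = STOP.search(line)
        if not m:
            continue
        user, ip = m.groups()
        starts = active.get(user, set())
        if ip in starts:
            starts.discard(ip)          # consistent record, nothing to report
        elif not starts:
            findings.append((user, [], ip, "no-start-seen"))
        else:
            # Heuristic from the thread: the bogus addresses shared their last
            # two octets with an address configured on the device.
            hit = tuple(ip.split(".")[2:]) in known_tails
            findings.append((user, sorted(starts), ip,
                             "likely-logging-artifact" if hit else "investigate"))
            starts.clear()              # assumption: that user's session has ended
    return findings

# Constructed sample: users, group and all addresses except 52.102.36.175
# (quoted in the thread) are made up; 10.20.36.175 stands in for the device address.
SAMPLE = """\
%ASA-6-113039: Group <grp> User <alice> IP <198.51.100.10> AnyConnect parent session started.
%ASA-6-113039: Group <grp> User <bob> IP <198.51.100.20> AnyConnect parent session started.
%ASA-6-113039: Group <grp> User <dave> IP <198.51.100.30> AnyConnect parent session started.
%ASA-4-113019: Group = grp, Username = alice, IP = 52.102.36.175, Session disconnected. Session Type: SSL, Reason: User Requested
%ASA-4-113019: Group = grp, Username = bob, IP = 198.51.100.20, Session disconnected. Session Type: SSL, Reason: User Requested
%ASA-4-113019: Group = grp, Username = dave, IP = 203.0.113.9, Session disconnected. Session Type: SSL, Reason: User Requested
%ASA-4-113019: Group = grp, Username = carol, IP = 203.0.113.50, Session disconnected. Session Type: SSL, Reason: User Requested
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE, known_addrs=["10.20.36.175"]):
        print(finding)
```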