Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
19627
Views
0
Helpful
6
Replies

Showing User List on ASA 5500

nick.jackson1
Level 1
Level 1

‎09-10-2015 02:46 AM

Hi,

I Need to pull up a list of all users that access the ASA via VPN either via the GUI or the CLI is there a specific command or place that I need to go to in order to achieve this? I am using Cisco ADSM 6.4 for the gui but can also SSH to the ASA via putty and run from cli if needed. 

I have pulled up a list of the local AAA/Users but they also want a list of the users that access the firewall via VPN the problem is that when I try the commands to show any active connections there are no active connections to the firewall at the moment. I've also tried to bring up previous tunnel information by using show crypto isakmp stats command but that only tells me how many previous tunnels there were not who was using them. 

If anybody can point me in the right direction as to where I go to do this I would greatly appreciate it.

Thanks.

Labels:
0 Helpful
6 Replies 6

pjain2
Cisco Employee
Cisco Employee

‎09-10-2015 10:54 AM

show vpn-sessiondb detail <l2l.\/webvpn/anyconnect>

will give you the necessary output

0 Helpful

nick.jackson1
Level 1
Level 1
In response to pjain2

‎09-11-2015 05:44 AM

Thanks for this guys I tried the show vpn-sessiondb detail command but that only presents the numerical information for tunnel stats etc. 

What's the easiest way to pull the logs off the ASA?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to nick.jackson1

‎09-11-2015 06:06 AM

Nick the easiest way is to type "show log". But as I mentioned earlier the device's log buffer only holds a limited number of messages.

So we direct it to send a copy of all log messages to a syslog server.

logging enable
logging host <interface> <syslog server ip address>

The host you send the logs to can be something like the free version of SolarWinds' Kiwi syslog server or even syslogd on a plain Unix or Linux host.

Most network management systems also include syslog servers. The paid ones will generally have more features like integrating search, filter and archiving functions.

0 Helpful

nick.jackson1
Level 1
Level 1
In response to Marvin Rhoads

‎09-11-2015 06:12 AM

Awesome thanks for that Martin I'll be sure to give that a try. It's my first week with this company so still learning where things are in the infrastructure I'll see if we have a syslog server here if not I'll see about sending to an external one.

Thanks again.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-10-2015 04:45 PM

The best way to get the historical data is to extract it from syslog messages.

A user logging in - whether IPsec or SSL VPN - will generate a level 5 syslog message with the username embedded in it. Usually they will roll over in the device buffer too soon be be of historical use, but if you send them off to an external syslog server, it can easily parse out the relevant messages for auditing.

Here's an example from mine just now, showing syslog message id 722033 for an SVC (SSL VPN Client) TCP session:

5|Sep 10 2015 19:37:36|722033: Group <group name redacted> User <marvin.rhoads> IP <address redacted> First TCP SVC connection established for SVC session.
0 Helpful

msosnkowski
Level 1
Level 1

‎03-22-2022 12:38 PM

show vpn-sessiondb anyconnect

0 Helpful
Customers Also Viewed These Support Documents