Showing User List on ASA 5500

nick.jackson1
Level 1

Hi,

I need to pull up a list of all users that access the ASA via VPN, either via the GUI or the CLI. Is there a specific command or place that I need to go to in order to achieve this? I am using Cisco ASDM 6.4 for the GUI but can also SSH to the ASA via PuTTY and run from the CLI if needed.

I have pulled up a list of the local AAA users, but they also want a list of the users that access the firewall via VPN. The problem is that when I try the commands to show any active connections, there are no active connections to the firewall at the moment. I've also tried to bring up previous tunnel information by using the show crypto isakmp stats command, but that only tells me how many previous tunnels there were, not who was using them.

If anybody can point me in the right direction as to where I go to do this I would greatly appreciate it.

Thanks.

6 Replies

pjain2
Cisco Employee

show vpn-sessiondb detail <l2l/webvpn/anyconnect>

will give you the necessary output

Thanks for this, guys. I tried the show vpn-sessiondb detail command, but that only presents the numerical information for tunnel stats etc.

What's the easiest way to pull the logs off the ASA?

Nick, the easiest way is to type "show log". But as I mentioned earlier, the device's log buffer only holds a limited number of messages.

So we direct it to send a copy of all log messages to a syslog server.

logging enable
logging host <interface> <syslog server ip address>

The host you send the logs to can be something like the free version of SolarWinds' Kiwi syslog server or even syslogd on a plain Unix or Linux host.

Most network management systems also include syslog servers. The paid ones will generally have more features like integrating search, filter and archiving functions.

Awesome, thanks for that Martin, I'll be sure to give that a try. It's my first week with this company, so I'm still learning where things are in the infrastructure. I'll see if we have a syslog server here; if not, I'll see about sending to an external one.

Thanks again.

Marvin Rhoads
Hall of Fame

The best way to get the historical data is to extract it from syslog messages.

A user logging in - whether IPsec or SSL VPN - will generate a level 5 syslog message with the username embedded in it. Usually they will roll over in the device buffer too soon to be of historical use, but if you send them off to an external syslog server, it can easily parse out the relevant messages for auditing.

Here's an example from mine just now, showing syslog message id 722033 for an SVC (SSL VPN Client) TCP session:

5|Sep 10 2015 19:37:36|722033: Group <group name redacted> User <marvin.rhoads> IP <address redacted> First TCP SVC connection established for SVC session.
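The parsing step that the syslog-server suggestion and the message above both point at, written out as an added example (this is editor-supplied Python, not code from the thread, from Cisco, or from any Cisco tool). It reads a captured log file, keeps only the VPN session messages whose text starts with the `Group <...> User <...> IP <...>` prefix shown above, and summarises logins per username. It accepts both the `level|timestamp|msgid:` layout quoted in the post and the `%ASA-level-msgid:` layout in which a plain syslog server records the same message. The sample log lines, the group name, the usernames other than the one quoted above, the addresses and the hostname `asa-fw` are all constructed for the example; the line in the second format is an assumed rendering of how a syslog daemon would store the message (timestamp and hostname prepended by the server).

```python
import re
from collections import defaultdict

# Common tail of the ASA VPN session messages: the "Group <g> User <u> IP <ip>" prefix
# quoted in the post. The message id is captured rather than hard-coded so the caller
# can select which ids count as a login event (722033 by default).
VPN_TAIL = (r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>"
            r"\s*(?P<rest>.*)$")

PATTERNS = (
    # "5|Sep 10 2015 19:37:36|722033: ..." as shown in the post (ASDM-style export)
    re.compile(r"^(?P<level>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}):\s+" + VPN_TAIL),
    # "Sep 10 2015 19:37:36 asa-fw %ASA-5-722033: ..." as written by a syslog server;
    # here "ts" is everything the server prepended, typically timestamp plus hostname
    re.compile(r"^(?P<ts>.*?)\s*%ASA-(?P<level>\d)-(?P<msgid>\d{6}):\s+" + VPN_TAIL),
)

# Constructed sample log (not real data): one line in each format, one unrelated
# connection-build message that must be ignored, and one junk line.
SAMPLE_LOG = """\
5|Sep 10 2015 19:37:36|722033: Group <RemoteAccess> User <marvin.rhoads> IP <203.0.113.10> First TCP SVC connection established for SVC session.
6|Sep 10 2015 19:37:37|302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:192.0.2.5/443 (192.0.2.5/443)
Sep 10 2015 20:02:11 asa-fw %ASA-5-722033: Group <RemoteAccess> User <nick.jackson> IP <198.51.100.7> First TCP SVC connection established for SVC session.
5|Sep 11 2015 08:15:02|722033: Group <RemoteAccess> User <marvin.rhoads> IP <203.0.113.10> First TCP SVC connection established for SVC session.
this line is not an ASA message and is skipped
"""


def parse_vpn_events(log_text, msg_ids=("722033",)):
    """Return one dict per line whose message id is in msg_ids and whose text
    carries the Group/User/IP prefix. Lines in any other shape are skipped."""
    events = []
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            m = pattern.match(line)
            if m and m.group("msgid") in msg_ids:
                events.append({k: m.group(k) for k in ("ts", "msgid", "group", "user", "ip")})
                break
    return events


def vpn_users(events):
    """Aggregate events per username: login count, distinct source IPs, and the
    first and last timestamp seen. Assumes the log is in order of receipt."""
    summary = defaultdict(lambda: {"logins": 0, "ips": set(), "first": None, "last": None})
    for ev in events:
        s = summary[ev["user"]]
        s["logins"] += 1
        s["ips"].add(ev["ip"])
        if s["first"] is None:
            s["first"] = ev["ts"]
        s["last"] = ev["ts"]
    return dict(summary)


def report(log_text):
    """Render the per-user summary as one line per username, sorted by name."""
    lines = []
    for user, s in sorted(vpn_users(parse_vpn_events(log_text)).items()):
        lines.append(f"{user}: {s['logins']} login(s) from {', '.join(sorted(s['ips']))}; "
                     f"first {s['first']}, last {s['last']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Two caveats when running this against a real capture: the ASA only forwards messages up to the level set with `logging trap`, so that level must include notifications (level 5) or 722033 never reaches the server; and the list only covers logins that happened while the syslog server was collecting, so it cannot recover the history from before the server was configured.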

msosnkowski
Level 1

show vpn-sessiondb anyconnect