Track VPN User Sessions

bluem9000
Level 1

Hello,

Currently we use Cisco VPN Clients for remote access. Is it possible to track/log all sessions when users connect and disconnect?

Cisco Adaptive Security Appliance Version 8.2 (1)

Device Manager Version 6.2 (1)

Hardware: ASA5510

Thanks...J

6 Replies

guibarati
Level 4

This is one option,

The ASA will send an email for noc@xxx.com when a vpn is connected.

logging from-address asa5510@xxx.com
logging recipient-address noc@xxx.com level debugging
logging list lista_email message 713120
logging list lista_email message 111008
logging list lista_email message 113019
logging list lista_email message 722033
smtp-server 1.1.1.1
logging mail lista_email

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

You could also send this to a syslog server:

logging trap lista_email
logging host inside 1.1.1.2

guibarati
Level 4

Hi, did you have the chance to try it?

Hello,

Thanks for the reply, but I prefer to not get an email when each user connects to VPN. I am looking for a format where the file captures all connect and disconnect sessions with dates and time. Management is looking to see which users are connecting to VPN since few are working from home.

Since our users are using their AD to authenticate can I capture the info on the domain controller?

Thanks...

You can use the second option on the post and send the information to a syslog server.

If your ASA is using RADIUS to validate the username/password you will have the information of what time they connect on your event viewer.

Windows 2003 will have the information under "system" on event viewer.

Windows 2008 will have it under a custom view for the NPS service.

If your ASA is using LDAP I'm not sure if you can get this info through your AD.

Anyway with this option of looking in the AD you will only get the time they connect. (ASA will not consult the AD when the VPN is disconnected)

With the option of sending to a syslog server you will have the connection and disconnection time and you can set your syslog software to feed a file.

With the free Kiwi syslog server you can feed a txt file for free and some other types of database with a license (SQL for example).

After some searches I found the link below related to Cisco system log messages. So your second option might work for me. http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4774570.

Under Device Management>Logging>Logging Setup> I can configure to send to FTP Server which we do have one.

So I only need to go to Device Management>Logging>Event List and add Event Class and Message IDs which will get captured and pushed to the FTP Server?...is this the correct way to do it and would I only get VPN events or other events as well?

Thanks...

Basically, it's enough to have message 113019 (session disconnect) being logged to some syslog server. Then you can write some script which will collect these messages, say per day, and send them via email every morning. In this case users won't be bothered every minute with a new email saying that some user just connected/disconnected, but statistical info will be provided. Here is how the content of such an email would look (we do this as I described):

Jun 08 2013 00:10:43: %ASA-4-113019: Group = ANYCONNECT_CONPR, Username = phirsov, IP = x.x.x.x, Session disconnected. Session Type: SSL, Duration: 1h:11m:25s, Bytes xmt: 57952655, Bytes rcv: 3416542, Reason: User Requested

Jun 08 2013 00:28:16: %ASA-4-113019: Group = ANYCONNECT_CONPR, Username = popov, IP = x.x.x.x, Session disconnected. Session Type: AnyConnect-Parent, Duration: 5h:10m:39s, Bytes xmt: 63605532, Bytes rcv: 3498108, Reason: User Request
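The daily script the reply above describes, as an added example that is not part of the thread and not Cisco's or the poster's own code. It parses a plain-text syslog export of %ASA-4-113019 lines (the format quoted just above), derives each session's connect time from the disconnect timestamp and the Duration field, and builds the per-user summary that would go into the morning e-mail. The sample lines are constructed (invented users and RFC 5737 addresses); the optional "Nd " day prefix in Duration is an assumption for sessions longer than a day, and actually mailing the report (e.g. with smtplib) is left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog export, modelled on the %ASA-4-113019 lines quoted
# in the thread. Users, groups and addresses are invented; one unrelated
# message (302013) is mixed in to show that it is ignored.
SAMPLE_LOG = """\
Jun 08 2013 00:10:43: %ASA-4-113019: Group = ANYCONNECT_CONPR, Username = phirsov, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 1h:11m:25s, Bytes xmt: 57952655, Bytes rcv: 3416542, Reason: User Requested
Jun 08 2013 00:28:16: %ASA-4-113019: Group = ANYCONNECT_CONPR, Username = popov, IP = 203.0.113.11, Session disconnected. Session Type: AnyConnect-Parent, Duration: 5h:10m:39s, Bytes xmt: 63605532, Bytes rcv: 3498108, Reason: User Request
Jun 08 2013 00:30:01: %ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51514 (198.51.100.7/51514) to inside:10.0.0.5/443 (10.0.0.5/443)
Jun 08 2013 07:45:12: %ASA-4-113019: Group = ANYCONNECT_CONPR, Username = phirsov, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 0h:05m:00s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: Idle Timeout
"""

# Field layout follows the two lines quoted in the thread. The optional
# "<n>d " day prefix in Duration is an assumption for multi-day sessions.
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-113019: "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"Session disconnected\. Session Type: (?P<stype>[^,]+), "
    r"Duration: (?:(?P<d>\d+)d )?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)


def parse_sessions(log_text):
    """One dict per 113019 line: who, when they connected/disconnected, how much traffic."""
    sessions = []
    for line in log_text.splitlines():
        m = DISCONNECT_RE.match(line.strip())
        if not m:
            continue  # not a VPN session-disconnect message
        end = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        duration = timedelta(days=int(m["d"] or 0), hours=int(m["h"]),
                             minutes=int(m["m"]), seconds=int(m["s"]))
        sessions.append({
            "user": m["user"], "group": m["group"], "ip": m["ip"],
            "type": m["stype"],
            "start": end - duration,   # connect time, derived from Duration
            "end": end, "duration": duration,
            "bytes_xmt": int(m["xmt"]), "bytes_rcv": int(m["rcv"]),
            "reason": m["reason"],
        })
    return sessions


def summarize_by_user(sessions):
    """Per user: session count, total connected seconds, total bytes both ways."""
    summary = defaultdict(lambda: {"sessions": 0, "total_seconds": 0, "bytes": 0})
    for s in sessions:
        entry = summary[s["user"]]
        entry["sessions"] += 1
        entry["total_seconds"] += int(s["duration"].total_seconds())
        entry["bytes"] += s["bytes_xmt"] + s["bytes_rcv"]
    return dict(summary)


def format_report(sessions):
    """Plain-text body for the morning e-mail: one line per session, then per-user totals."""
    lines = ["VPN sessions (derived from ASA 113019 disconnect messages)", ""]
    for s in sorted(sessions, key=lambda s: s["start"]):
        lines.append(f"{s['start']:%Y-%m-%d %H:%M:%S}  {s['end']:%Y-%m-%d %H:%M:%S}  "
                     f"{s['user']:<10} {s['ip']:<15} {s['type']:<17} {s['reason']}")
    lines += ["", "Per-user totals:"]
    for user, t in sorted(summarize_by_user(sessions).items()):
        hours, minutes = t["total_seconds"] // 3600, (t["total_seconds"] % 3600) // 60
        lines.append(f"{user:<10} sessions={t['sessions']} "
                     f"connected={hours}h{minutes:02d}m bytes={t['bytes']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_sessions(SAMPLE_LOG)))
```

Because 113019 already carries the session duration, the connect time can be reconstructed from the disconnect message alone, so the report does not depend on also capturing the connect-side messages; a session that is still up at report time simply has no line yet and shows up the next morning.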