01-03-2011 12:11 PM
Hi Everyone,
Is there a way I can turn on logging on my ASA5550 so that I can check the time and date (and how long) VPN users are connected?
Your help is greatly appreciated.
Thanks
Alfred
01-03-2011 08:00 PM
You can configure the ASA to send syslog messages when the user connects and disconnects.
The syslog message# for vpn user connection is syslog# 713119 and 611310:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775678
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4774637
and for disconnect is syslog# 113019:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769539
Hope that helps.
01-04-2011 01:20 PM
The syslogs Jennifer provided will show you connects and disconnects for IPSec VPN traffic. There is an additional IPsec syslog, 713049, you might want to track for IPsec.
It's also worth noting there are a few other kinds of "remote access" VPN, like WebVPN/clientless and AnyConnect/SSL VPN client, that you might also want to track.
If you are using Clientless SSL VPN the syslogs usually begin with 716xxx. For example, the syslog for connect is 716001 and disconnect is 716002. There is a list of other Clientless SSL VPN related messages here. You can view the specific content of each log here: http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4776913
If you are using SSL VPN Client (SVC 1.x, AnyConnect 2.x) the syslogs usually begin with 722xxx. For example, the syslog for connect is 722022 and disconnect is 722023. There is a list of other SSL VPN Client related messages here: http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4778697
If you are using IPSec client VPN you can also track a successful connect with 713119 (indicates Phase 1 complete), 713049 (indicates Phase 2 complete) and disconnect with 113019.
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775678
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775412
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsg
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769539
Here are some other helpful notes to keep in mind:
-You can tell what levels of logging you currently have on the ASA command line with "show log"
-The logs that you send to a syslog server are controlled with the "trap logging" commands. For example "logging trap informational" (level 6) or "logging trap alerts" (level 1)
-You can tell what severity level (i.e. alerts, critical, errors, warnings, notifications, informational, debugging) each of these logs has through this link. As you'll notice by checking the link, the ones tracking log in or log out as I noted above are usually informational (sev 6): http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logsev
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logsevp.html
-If you want to create a specific subset of syslogs to send to a particular device, you can accomplish this with a logging class or a logging list: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/m
For example (logging class): http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/m
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065253
logging class vpnc trap informational
For example (logging list):
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065512
logging list mylist message 722022
logging list mylist message 722023
logging trap mylist
Please remember to rate the posts that helped you and to mark the question as resolved if your question has been answered.
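The original question asked not only for the connect and disconnect times but for how long each user was connected. Once the messages listed in the answer above reach a syslog server, that is a correlation job: pair each connect with the matching disconnect per user and source IP and subtract the timestamps. The script below is an added example for this thread, not code from the posts or from Cisco. It uses the message IDs named above (722022/722023 for AnyConnect, 716001/716002 for clientless, 713119/113019 for IPsec); the message text layouts are written from the ASA 8.x message catalog as I recall it and should be checked against your own logs, and every line in SAMPLE_LOG is constructed for the example rather than captured from a real device. It assumes `logging timestamp` is enabled so each line carries a date and time. Beyond the simple pairing it handles three cases a practitioner hits in real logs: an AnyConnect logout that shows up twice (722023 followed by 113019 a moment later), a disconnect whose connect predates the start of the log, and sessions that are still open when the log ends.

```python
"""Pair Cisco ASA VPN connect/disconnect syslogs into per-user sessions with durations."""
import re
from collections import namedtuple
from datetime import datetime

# Message IDs named in the thread. 113019 fires for every remote-access session type,
# so it cannot tell us the VPN flavour on its own (None = take it from the connect).
CONNECT_IDS = {"722022": "anyconnect", "716001": "clientless", "713119": "ipsec"}
DISCONNECT_IDS = {"722023": "anyconnect", "716002": "clientless", "113019": None}
MERGE_WINDOW_S = 5  # 722023 and 113019 for the same logout land within seconds of each other

# "<pri>Mon DD YYYY hh:mm:ss[ host :|:] %ASA-sev-id: text"; assumes "logging timestamp" is on.
HEADER = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
    r"(?::| \S+ :)? %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$"
)
DURATION = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")

Event = namedtuple("Event", "ts msg_id kind vpn_type group user ip text")
# start is None when the log began mid-session; seconds is end - start from our own
# timestamps; reported_seconds is the Duration field the ASA itself puts in 113019.
Session = namedtuple("Session", "user group ip vpn_type start end seconds reported_seconds")

def _field(label, text):
    """Read 'User <alice>' (SSL messages) or 'Username = alice,' (IPsec/113019) style fields."""
    m = re.search(label + r"\s*(?:=\s*|<)([^>,]+?)(?:>|,|$)", text)
    return m.group(1).strip() if m else None

def reported_duration(text):
    """Seconds from a 'Duration: 0h:23m:14s' field, or None if the message has none."""
    m = DURATION.search(text)
    return None if not m else sum(int(v) * k for v, k in zip(m.groups(), (3600, 60, 1)))

def parse_line(line):
    """Return an Event for a tracked connect/disconnect message, None for anything else."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    msg_id = m.group("id")
    if msg_id in CONNECT_IDS:
        kind, vpn_type = "connect", CONNECT_IDS[msg_id]
    elif msg_id in DISCONNECT_IDS:
        kind, vpn_type = "disconnect", DISCONNECT_IDS[msg_id]
    else:
        return None
    text = m.group("text")
    return Event(datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"), msg_id, kind, vpn_type,
                 _field("Group", text), _field(r"User(?:name)?", text), _field("IP", text), text)

def build_sessions(lines):
    """Pair connects with disconnects per (user, ip). Returns (closed sessions, still-open connects)."""
    open_by_key, closed = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.user is None or ev.ip is None:
            continue
        key = (ev.user, ev.ip)
        if ev.kind == "connect":
            # Keep the earliest connect: 713119 then 713049, or several 7220xx messages,
            # can all belong to one session.
            open_by_key.setdefault(key, ev)
            continue
        reported = reported_duration(ev.text)
        start = open_by_key.pop(key, None)
        if start is not None:
            closed.append(Session(ev.user, ev.group or start.group, ev.ip, start.vpn_type, start.ts,
                                  ev.ts, int((ev.ts - start.ts).total_seconds()), reported))
            continue
        # No connect on record: either the second message for a logout we already closed
        # (113019 right after 722023), which we only enrich, or the log started mid-session.
        for i in range(len(closed) - 1, -1, -1):
            s = closed[i]
            if (s.user, s.ip) == key and abs((ev.ts - s.end).total_seconds()) <= MERGE_WINDOW_S:
                closed[i] = s._replace(reported_seconds=s.reported_seconds or reported)
                break
        else:
            closed.append(Session(ev.user, ev.group, ev.ip, ev.vpn_type, None, ev.ts, None, reported))
    return closed, open_by_key

def best_duration(s):
    """Prefer our own start/end arithmetic; fall back to the Duration the ASA reported."""
    return s.seconds if s.seconds is not None else s.reported_seconds

# Constructed sample log for this example, not captured from a real ASA.
SAMPLE_LOG = """\
Jan 04 2011 08:00:00 asa5550 : %ASA-6-722022: Group <Remote-Users> User <alice> IP <203.0.113.10> TCP SVC connection established without compression
Jan 04 2011 08:05:12 asa5550 : %ASA-6-713119: Group = Site-Staff, Username = bob, IP = 198.51.100.7, PHASE 1 COMPLETED
Jan 04 2011 08:10:00 asa5550 : %ASA-6-716001: Group <Contractors> User <carol> IP <192.0.2.44> WebVPN session started.
Jan 04 2011 08:23:14 asa5550 : %ASA-6-722023: Group <Remote-Users> User <alice> IP <203.0.113.10> TCP SVC connection terminated without compression
Jan 04 2011 08:23:14 asa5550 : %ASA-4-113019: Group = Remote-Users, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 0h:23m:14s, Bytes xmt: 1048576, Bytes rcv: 524288, Reason: User Requested
Jan 04 2011 08:40:00 asa5550 : %ASA-6-716002: Group <Contractors> User <carol> IP <192.0.2.44> WebVPN session terminated: User Requested.
Jan 04 2011 09:00:00 asa5550 : %ASA-4-113019: Group = Site-Staff, Username = dave, IP = 198.51.100.9, Session disconnected. Session Type: IPsec, Duration: 2h:15m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Idle Timeout
"""

if __name__ == "__main__":
    done, still_open = build_sessions(SAMPLE_LOG.splitlines())
    for s in done:
        print(s.user, s.vpn_type or "?", s.start, "->", s.end, best_duration(s), "s")
    for (user, ip), ev in still_open.items():
        print(user, "still connected from", ip, "since", ev.ts)
```

Two points worth keeping in mind when you build the logging list on the ASA side. 113019 is the one disconnect message that carries the session duration in its own text, so it belongs in any `logging list` you build for this purpose even if you are only interested in AnyConnect users, and a disconnect with no matching connect can still yield a duration from that field. Second, 113019 is severity 4 (warnings), not 6, so a `logging trap` level of informational captures it, but a list that names only the 7220xx messages does not.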
01-04-2011 02:14 PM
Perfect, thanks for the update, Alfred. Please kindly mark the post as answered if you have no further question. Thank you.
01-04-2011 07:11 AM
Thanks Jennifer, that works!!!