ASA 5540 AAA Inaccurate VPN Login/Logout Accounting

Unanswered Question
Jun 20th, 2008

We have a security department that relies on accurate logging of logins and logouts via AAA. Unfortunately, we have seen a rash of users with a login, but no logouts. Over 400-500 in one week. I have noticed that at some point in the syslog data the user stops sending information and then, after an hour or so, the lines below appear...


2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = b.b.b.b, Received encrypted packet with no matching SA, dropping

2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = b.b.b.b, Received encrypted packet with no matching SA, dropping


After which, the user is just gone, without any indication of their logout in either syslog or the RADIUS server (using AAA).



Our security department uses the RADIUS logs which insert a session ID. They look for the session IDs in pairs, a login and logout. Mostly they are seeing a session ID with no associated logout. The syslog data backs this up as being accurate.


Not sure why this is; we are using v7.2(3).8 of the operating system.


Thanks for any input!




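An added example, not part of the original thread: the pairing check the security department performs, written as a small Python script over constructed RADIUS accounting records (Acct-Status-Type Start/Stop keyed by Acct-Session-Id, the standard RFC 2866 attributes). The record layout and all user names, addresses and session IDs are assumptions; it reports sessions that started but never received a Stop, which is the symptom described above.

```python
import re
from collections import OrderedDict

# Constructed sample accounting records (not from the original post): one RADIUS
# accounting request per line, timestamp first, then attribute=value pairs.
SAMPLE_ACCOUNTING = """\
2008-06-13T15:05:11-0400 Acct-Status-Type=Start, Acct-Session-Id=0x0a1b2c3d, User-Name=alice, Framed-IP-Address=10.10.1.5
2008-06-13T15:07:40-0400 Acct-Status-Type=Start, Acct-Session-Id=0x0a1b2c3e, User-Name=bob, Framed-IP-Address=10.10.1.6
2008-06-13T16:30:02-0400 Acct-Status-Type=Stop, Acct-Session-Id=0x0a1b2c3e, User-Name=bob, Acct-Session-Time=4942
2008-06-13T16:45:00-0400 Acct-Status-Type=Start, Acct-Session-Id=0x0a1b2c3f, User-Name=carol, Framed-IP-Address=10.10.1.7
"""

# Attribute names are letters and hyphens; values run up to the next comma or whitespace.
ATTR_RE = re.compile(r"(?P<key>[A-Za-z-]+)=(?P<value>[^,\s]+)")


def parse_record(line):
    """Split one accounting line into a dict of attributes plus its timestamp."""
    timestamp, _, rest = line.partition(" ")
    attrs = {m.group("key"): m.group("value") for m in ATTR_RE.finditer(rest)}
    attrs["timestamp"] = timestamp
    return attrs


def find_orphan_sessions(text):
    """Return {session_id: start_record} for every Start that never got a Stop.

    Interim-Update and any record lacking a session ID or status are ignored.
    Insertion order is preserved so the oldest unmatched login is listed first.
    """
    starts = OrderedDict()
    stops = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        sid = rec.get("Acct-Session-Id")
        status = rec.get("Acct-Status-Type")
        if sid is None or status is None:
            continue
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop":
            stops.add(sid)
    return OrderedDict((sid, rec) for sid, rec in starts.items() if sid not in stops)


if __name__ == "__main__":
    for sid, rec in find_orphan_sessions(SAMPLE_ACCOUNTING).items():
        print(f"{sid}: {rec['User-Name']} logged in at {rec['timestamp']} with no Stop record")
```

Run against a day's accounting export, the list it prints is the set of session IDs the security team would need to explain by hand, and its size per week is the figure the original post is reporting.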
hadbou Thu, 06/26/2008 - 06:37

The error message "Received encrypted packet with no matching SA, dropping" states that the "Security Association" is not matching during the authentication process and so the connection is being dropped. So check the AAA configuration using the document present at the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html

purohit_810 Fri, 06/27/2008 - 20:20

I think it connects on a different port number than the one matching on the outside interface.


Take a debug of crypto isakmp and crypto ipsec; you will be able to see.


Syslog sometimes doesn't show it because you have to start such logs.

AAA doesn't show it because, before it hits the AAA server, the request is refused by the outside interface on non-matching parameters.


Thanks,

Dharmesh Purohit
