ASA 5540 AAA Inaccurate VPN Login/Logout Accounting

Unanswered Question
Jun 20th, 2008

We have a security department that relies on accurate logging of logins and logouts via AAA. Unfortunately, we have seen a rash of users with a login, but no logouts. Over 400-500 in one week. I have noticed that at some point in the syslog data the user stops sending information and then, after an hour or so, the lines below appear...

2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = b.b.b.b, Received encrypted packet with no matching SA, dropping

2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = b.b.b.b, Received encrypted packet with no matching SA, dropping

After which, the user is just gone, without any indication of their logout in either the syslog or the RADIUS server (using AAA).

Our security department uses the RADIUS logs which insert a session ID. They look for the session IDs in pairs, a login and logout. Mostly they are seeing a session ID with no associated logout. The syslog data backs this up as being accurate.

Not sure why this is; we are using v7.2(3).8 of the operating system.

Thanks for any input!

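The pairing the security department does by hand, written out as a small script: match RADIUS accounting Start and Stop records by Acct-Session-Id, flag Starts that never got a Stop, and check whether the peer address of each orphaned session shows up in a 713904 "no matching SA" syslog message. This is an added example, not code from the original post or from Cisco; the pipe-separated accounting layout, the sample records and the second syslog line are constructed, the one-hour grace window is an assumption, and Calling-Station-Id is assumed to carry the VPN client's public address (the "IP = ..." value in the 713904 message).

```python
"""Pair RADIUS accounting Start/Stop records by session ID and flag orphans.

Added example (not from the original post). The record layout is constructed;
a real RADIUS accounting detail file has its own format and needs its own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample accounting records, one per line:
# timestamp|Acct-Status-Type|Acct-Session-Id|User-Name|Calling-Station-Id
# Calling-Station-Id is assumed to hold the VPN client's public address,
# which is what the ASA reports as "IP = ..." in the 713904 message.
SAMPLE_ACCOUNTING = """\
2008-06-13T15:00:05-0400|Stop|0x0A1F3C00|dave|203.0.113.9
2008-06-13T15:02:11-0400|Start|0x0A1F3C01|alice|198.51.100.5
2008-06-13T15:05:40-0400|Start|0x0A1F3C02|bob|198.51.100.7
2008-06-13T15:58:03-0400|Stop|0x0A1F3C01|alice|198.51.100.5
2008-06-13T16:20:15-0400|Start|0x0A1F3C03|carol|198.51.100.9
2008-06-13T17:45:00-0400|Stop|0x0A1F3C03|carol|198.51.100.9
"""

# Constructed syslog sample in the same layout as the lines quoted in the post.
SAMPLE_SYSLOG = """\
2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = 198.51.100.7, Received encrypted packet with no matching SA, dropping
2008-06-13T16:11:58-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = 192.0.2.44, Received encrypted packet with no matching SA, dropping
"""

NO_SA_RE = re.compile(
    r"%ASA-5-713904: IP = (\S+), Received encrypted packet with no matching SA"
)


def parse_ts(text):
    """Parse the timestamp with a numeric UTC offset such as -0400."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")


def parse_accounting(text):
    """Turn the constructed accounting lines into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, sid, user, peer = line.split("|")
        records.append(
            {"ts": parse_ts(ts), "status": status, "sid": sid, "user": user, "peer": peer}
        )
    return records


def pair_sessions(records, as_of=None, grace=timedelta(hours=1)):
    """Match Starts with Stops by Acct-Session-Id.

    Returns (orphans, stray_stops): Starts older than `grace` with no Stop,
    and Stops with no Start (for example when the Start predates the log window).
    `as_of` defaults to the newest timestamp seen, so an archived log gives a
    reproducible result.
    """
    starts, stops = {}, {}
    for rec in records:
        if rec["status"] == "Start":
            starts[rec["sid"]] = rec
        elif rec["status"] == "Stop":
            stops[rec["sid"]] = rec
    if as_of is None:
        as_of = max(rec["ts"] for rec in records)
    orphans = {
        sid: rec for sid, rec in starts.items()
        if sid not in stops and as_of - rec["ts"] > grace
    }
    stray_stops = {sid: rec for sid, rec in stops.items() if sid not in starts}
    return orphans, stray_stops


def correlate_no_sa(orphans, syslog_text):
    """Map each orphaned session ID to the timestamps of 713904 messages
    whose peer IP equals that session's Calling-Station-Id."""
    by_peer = {rec["peer"]: sid for sid, rec in orphans.items()}
    hits = defaultdict(list)
    for line in syslog_text.splitlines():
        match = NO_SA_RE.search(line)
        if not match:
            continue
        sid = by_peer.get(match.group(1))
        if sid is not None:
            hits[sid].append(line.split("|", 1)[0])
    return dict(hits)


def report(accounting_text, syslog_text):
    """Build the report lines the security team would review."""
    records = parse_accounting(accounting_text)
    orphans, strays = pair_sessions(records)
    hits = correlate_no_sa(orphans, syslog_text)
    lines = []
    for sid, rec in sorted(orphans.items(), key=lambda kv: kv[1]["ts"]):
        lines.append(
            f"ORPHAN {sid} user={rec['user']} start={rec['ts'].isoformat()} "
            f"no-matching-SA events={len(hits.get(sid, []))}"
        )
    for sid, rec in strays.items():
        lines.append(f"STRAY-STOP {sid} user={rec['user']} stop={rec['ts'].isoformat()}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ACCOUNTING, SAMPLE_SYSLOG):
        print(line)
```

On the sample data, bob's session is reported as an orphan with one matching "no matching SA" event, and dave's Stop is reported as a stray because its Start is outside the window. The grace window keeps sessions that are simply still open from being counted; widen it to the longest session you expect to see before trusting an orphan count.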
purohit_810 Fri, 06/27/2008 - 20:20

I think it connects on a different port number than the one matching on the outside interface.

Take a debug of crypto isakmp and crypto ipsec; you will be able to see.

Syslog sometimes doesn't show because you have to start such logs.

AAA doesn't show because, before it hits the AAA server, the request is refused by the outside interface on non-matching parameters.

Thanks,

Dharmesh Purohit
