Viewing/debugging VPN sessions on ASA 5520?

Unanswered Question
Oct 27th, 2008


We have been used to using a Cisco concentrator for our VPNs. Now we have a 5520 ASA.

My helpdesk guys asked the simple question of how they can view the VPN sessions and debug failed logons.

The concentrator made this easy; how can I give them this view back so they can see who is online? The only way I find this info is via the CLI or the ASDM > Monitoring area.

Though I don't want them to use the ASDM unless it can be locked down, is there a free HTTP tool that can give this VPN session view back?

Also what's the best way to view why a user can't connect to the VPN on the 5520?




Yes, the switch from the VPN concentrator to the ASA can be jarring... but this should help.

You can lock down the ASA to only permit users view access to the logs, etc.

First, run ASDM and go to

Configuration > Device Management > Users/AAA > AAA Access > Authentication

First thing here, enable AAA to lock down your box using the "LOCAL" AAA server (really just the local username/password database).

(FIRST MAKE SURE YOU HAVE AN ADMIN ACCOUNT WITH "15" ACCESS SO YOU DON'T GET LOCKED OUT!)

Check off "enable" under the top radio button for both authentication and authorization.

Then under "authentication" check off everything... once done, hit apply (the ASA will now use AAA with the local server).

You are now ready to create a privilege level 3 account for "view" only rights in ASDM.

Go to

Configuration > Device Management > Users/AAA > User Accounts

and create your helpdesk user, call it


Then go back to

Configuration > Device Management > Users/AAA > AAA Access > Authorization

It's time to lock down what "helpdesk" can do...

Make sure all the radio buttons here are checked off, then hit "apply".

You are now ready to select "set ASDM defined user roles"; when it opens, select "yes".

You can now log in to ASDM as the priv 3 "helpdesk" account;

go to "Monitoring > VPN > VPN Statistics > Sessions".

You can monitor VPN sessions much like on the VPN concentrator.

I would give the helpdesk (priv level 3) account the right to clear VPN sessions (or kick users off the VPN).

To do that, simply go back to

Configuration > Device Management > Users/AAA > AAA Access > Authorization

set the "vpn-sessiondb" command to privilege 3 so the "helpdesk" user will be able to log off users on the VPN if necessary.

As far as logging, simply go to

Configuration > Device Management > Logging > Logging Setup

and configure local buffered logging, using 512000 as the internal buffer size...

You can then make sure VPN-related logs are enabled;

go to

Configuration > Device Management > Logging > Logging Filters

enable a logging filter for the internal buffer; only log auth, vpn and, if you use it, "webvpn", all at the informational level.

To monitor the logs while logged in to ASDM, simply go to

"Monitoring > Logging > Real-Time Log Viewer"

and you can see the recent log activity.

Let me know if I can help you with anything more... or we can do a WebEx together (I have a nice pair of 5520s in my lab running 8.04!!!)
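
For anyone who wants to verify what the ASDM clicks above actually write to the box, or to script the same setup, here is the CLI equivalent of Joe's procedure. This is an added example, not part of Joe's reply and not taken from Cisco documentation; it assumes ASA 8.0-era syntax, that a privilege-15 admin account already exists, and the `helpdesk` username and the bracketed passwords are placeholders to replace. Note that `logging class` lines are written without a global `logging buffered` level on purpose, so classes other than auth/vpn/webvpn stay out of the buffer, matching the "Logging Filters" step.

```text
! Added example: ASA CLI equivalent of the ASDM steps in the reply above.
! Assumes ASA 8.0 syntax; <ADMIN-PASSWORD>/<HELPDESK-PASSWORD> are placeholders.

! 0. Keep a level-15 account so enabling AAA cannot lock you out
username admin password <ADMIN-PASSWORD> privilege 15

! 1. AAA Access > Authentication: every management path authenticates against LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL

! 2. AAA Access > Authorization: enforce command authorization by privilege level
aaa authorization command LOCAL

! 3. User Accounts: the monitor-only helpdesk user at privilege 3
username helpdesk password <HELPDESK-PASSWORD> privilege 3

! 4. Let privilege 3 both view and clear VPN sessions
!    (ASDM's "ASDM defined user roles" button generates the rest of the
!    show-command privileges that a monitor-only login needs)
privilege show level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command vpn-sessiondb

! 5. Logging Setup: enable logging with a 512000-byte internal buffer
logging enable
logging buffer-size 512000

! 6. Logging Filters: only auth, vpn and webvpn reach the buffer, at informational
logging class auth buffered informational
logging class vpn buffered informational
logging class webvpn buffered informational

! Checks the helpdesk login can then run from the CLI (same data ASDM's
! Monitoring > VPN > Sessions and Real-Time Log Viewer present):
!   show vpn-sessiondb summary
!   show vpn-sessiondb remote
!   vpn-sessiondb logoff name <username>
!   show logging | include <username>
```

Apply the `username ... privilege 15` line and confirm you can still log in before the `aaa authentication` lines, and apply `aaa authorization command LOCAL` last: once it is active, any command not mapped to level 3 (or lower) is refused to the helpdesk account, which is exactly the lock-down the reply describes.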


whiteford Tue, 10/28/2008 - 01:52

Hi Joe, wow! Let me work though this today and get back to you.

Thanks again!

whiteford Tue, 10/28/2008 - 02:40

Sorry Joe, I am embarrassed to ask, but "check off" is to remove the tick from the box?


whiteford Thu, 10/30/2008 - 09:26

Hi Joe,

I'm not sure where I have gone wrong here, but if I login as "helpdesk" on the ASDM it allows me into the ASDM and pops up with an error.

"You do not have sufficient privileges to execute commands required to load ASDM."

Have I missed something?


whiteford Fri, 10/31/2008 - 08:58

Hi Joe, sorry to ask again, I just wondered if you had an update to my post?


