VPN Traffic monitoring

Answered Question
Mar 26th, 2010

If a user signs in using the AnyConnect client and then connects via RDP to an internal Windows machine, should I be able to see any traffic via syslog from that RDP session?  I can see the client connection, auth, DHCP and then the port 3389 connection to the internal Windows box, but the only traffic after that is the disconnect on port 3389 (and subsequent termination of the VPN session by user request).  It seems there would be some sort of traffic back through the ASA to the VPN client, at least at the presentation layer.  I have been asked to look at this in order to determine if someone was actually logged in and working or if they just logged in to make it look like they were doing their job.


Also, along the same lines - is there a difference specified when a session terminates for max session time versus a user actually signing out? The reason I ask this is, the above user was connected for exactly 12 hours, which is the Max Connect Time (720 minutes), but in the log it says it was by user request. My guess is that it was a max session timeout, but I need to be positive of this.


Thanks in Advance...

Correct Answer by Jennifer Halim, Fri, 03/26/2010 - 20:49

If a user RDPs into a device, the activity performed during the RDP session would be from that device to other applications. When you mention syslog, I assume that you are seeing syslog messages when the RDP box builds a connection outbound or to another subnet that passes through the ASA, and the ASA is sending the syslog messages?


If you would like to see activity within the RDP session, you would need to check the RDP host's outbound connections, and for the ASA to trigger and send syslog, traffic from the RDP host needs to pass through the ASA.


Example:

You connect via AnyConnect and RDP to 192.168.1.5.

If you would like to check activities, you would need to check if 192.168.1.5 is initiating any connections.


In regards to the max session disconnects, can you please share the syslog message that specifies that.


Hope that helps.
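The approach in the answer, worked through as an added example (not code from the thread or from Cisco): correlate the AnyConnect session window with the connections that 192.168.1.5 itself builds through the ASA, and put the ASA's disconnect Reason next to the configured Max Connect Time. The log lines are constructed for the example and only approximate ASA messages 113039 (session started), 302013/302014 (TCP connection built/torn down) and 113019 (session disconnected); the exact layout, the "User Requested" reason text, the client address 10.20.30.40 and the 720-minute limit are assumptions to check against your own ASA output. It shows the point of the answer: the ASA logs the 3389 connection being built and torn down, not what happens inside it, so the only evidence of "working" is the connections the RDP host initiates.

```python
"""Correlate ASA syslog around one AnyConnect session (added example, not
from the original thread). The log below is constructed; line layouts only
approximate ASA messages 113039, 302013, 302014 and 113019 and vary by
ASA version, so the regexes are assumptions to adjust against real output."""
import re
from datetime import datetime, timedelta

RDP_HOST = "192.168.1.5"   # internal RDP target from the answer
MAX_CONNECT_MINUTES = 720  # Max Connect Time from the question

# Constructed sample: VPN client 10.20.30.40 (assumed) RDPs to 192.168.1.5,
# which then makes two outbound HTTPS connections during a 12-hour session.
SAMPLE_LOG = """\
Mar 26 2010 07:00:02: %ASA-6-113039: Group <RemoteUsers> User <jdoe> IP <203.0.113.9> AnyConnect parent session started.
Mar 26 2010 07:00:11: %ASA-6-302013: Built inbound TCP connection 1001 for outside:10.20.30.40/51022 (10.20.30.40/51022) to inside:192.168.1.5/3389 (192.168.1.5/3389)
Mar 26 2010 07:02:40: %ASA-6-302013: Built outbound TCP connection 1002 for inside:192.168.1.5/49211 (192.168.1.5/49211) to outside:198.51.100.7/443 (198.51.100.7/443)
Mar 26 2010 07:02:58: %ASA-6-302014: Teardown TCP connection 1002 for inside:192.168.1.5/49211 to outside:198.51.100.7/443 duration 0:00:18 bytes 18422 TCP FINs
Mar 26 2010 13:15:03: %ASA-6-302013: Built outbound TCP connection 1003 for inside:192.168.1.5/49388 (192.168.1.5/49388) to outside:198.51.100.7/443 (198.51.100.7/443)
Mar 26 2010 19:00:09: %ASA-6-302014: Teardown TCP connection 1001 for outside:10.20.30.40/51022 to inside:192.168.1.5/3389 duration 11:59:58 bytes 20811342 TCP FINs
Mar 26 2010 19:00:10: %ASA-4-113019: Group = RemoteUsers, Username = jdoe, IP = 203.0.113.9, Session disconnected. Session Type: SSL, Duration: 12h:00m:08s, Bytes xmt: 20911342, Bytes rcv: 3106201, Reason: User Requested
"""

# Header: timestamp, severity, six-digit message id, body (assumed layout).
HDR_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
# 302013/302014: "for <iface>:<src>/<port> [(mapped)] to <iface>:<dst>/<port>"
CONN_RE = re.compile(r"TCP connection \d+ for [\w-]+:(?P<src>[\d.]+)/(?P<sport>\d+)"
                     r"(?: \([^)]*\))? to [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
# 113019: pull the user, the Duration and the free-text Reason.
DISC_RE = re.compile(r"Username = (?P<user>[^,]+),.*Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s,"
                     r".*Reason: (?P<reason>.+)$")


def parse_log(text):
    """Parse lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue
        ev = {"time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), "id": m["id"]}
        if m["id"] in ("302013", "302014"):
            c = CONN_RE.search(m["body"])
            if c:
                ev.update(kind="built" if m["id"] == "302013" else "teardown",
                          src=c["src"], sport=int(c["sport"]), dst=c["dst"], dport=int(c["dport"]))
        elif m["id"] == "113019":
            d = DISC_RE.search(m["body"])
            if d:
                ev.update(user=d["user"].strip(), reason=d["reason"].strip(),
                          duration=timedelta(hours=int(d["h"]), minutes=int(d["m"]), seconds=int(d["s"])))
        events.append(ev)
    return events


def session_window(events):
    """(start, end) of the VPN session: 113039 start to 113019 disconnect."""
    start = next(e["time"] for e in events if e["id"] == "113039")
    end = next(e["time"] for e in events if e["id"] == "113019")
    return start, end


def host_initiated(events, host, window):
    """Connections built *by* `host` inside the window. The RDP connection
    itself (client -> host:3389) is excluded: its source is the VPN client,
    and the ASA logs nothing for the traffic carried inside it."""
    start, end = window
    return sorted((e["time"], e["dst"], e["dport"]) for e in events
                  if e.get("kind") == "built" and e["src"] == host and start <= e["time"] <= end)


def longest_idle(events, host, window):
    """Longest stretch with no host-initiated connection, window edges included."""
    start, end = window
    times = [start] + [t for t, _, _ in host_initiated(events, host, window)] + [end]
    return max(b - a for a, b in zip(times, times[1:]))


def classify_disconnect(events, max_minutes=MAX_CONNECT_MINUTES, slack=timedelta(minutes=1)):
    """Put the ASA's Reason field next to whether the session duration hit the
    configured Max Connect Time. The Reason text is what the ASA asserts; the
    duration check only shows whether the two agree."""
    d = next(e for e in events if e["id"] == "113019" and "duration" in e)
    limit = timedelta(minutes=max_minutes)
    return {"reason": d["reason"], "duration": d["duration"],
            "at_max_connect_time": abs(d["duration"] - limit) <= slack}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    win = session_window(evs)
    print("session:", win)
    for t, dst, port in host_initiated(evs, RDP_HOST, win):
        print(f"{t:%H:%M:%S} {RDP_HOST} -> {dst}:{port}")
    print("longest gap with no host activity:", longest_idle(evs, RDP_HOST, win))
    print(classify_disconnect(evs))
```

On the constructed sample the host builds only two connections in twelve hours, with a gap of over six hours between them, and the disconnect arrives eight seconds past the 720-minute limit while the ASA still reports "User Requested"; that pairing is what to take to the actual 113019 line, because the Reason field there, not the duration arithmetic, is the ASA's statement of why the session ended.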

