I am analyzing Cisco VPN logs. The 113009 message ID log contains the group name for that particular user; when he logs out, a 113019 log is sent, which has a different group name.
Can you tell me what is the difference between the two groups?
The first message tells that after the user (with the mentioned username) logged in, his connection was applied with the configurations/rules under the "group-policy GP-FTO-ELD-VPNGROUP" on the ASA. The group-policy basically just lets you define some specific settings for the actual VPN connection, like which networks the user is allowed to access through the VPN.
"show run group-policy" displays all the group-policies configured on your ASA.
The second message's group tells the name of the actual VPN profile/connection the user was using.
"show run tunnel-group" displays all the tunnel-groups configured on your ASA.
You should find the above group-policy GP-FTO-ELD-VPNGROUP configured under the tunnel-group configurations.
portal2PROFILE = tunnel-group = VPN connection's name
GP-FTO-ELD-VPNGROUP = group-policy = Contains additional settings for all the users using the VPN connection named portal2PROFILE
Hope this clarifies the thing a bit. I'm not sure if I was able to explain it any better.
Please rate if it was any help
I'm not sure if the type of device and software matter but just wanted to make sure.
I'm not sure if I got the syslog ID right.
"tunnel-group" is the name of the connection.
- For L2L VPN the tunnel-group name in your ASA/PIX configurations is always the remote peer IP address.
  - Like for example "tunnel-group 126.96.36.199 type ipsec-l2l"
- For Client VPN the group-name can be anything.
  - Like for example "tunnel-group REMOTE-USER-VPN-01 type ipsec-ra"
With Cisco IPsec VPN Client connections you use the tunnel-group name as the Group name when you are configuring the VPN connection in your VPN Client software. Pre-shared-key in that situation is the password.
The very basic configurations for L2L VPN tunnel-group would be something like this (for the whole connection you of course need a lot more configurations but the tunnel-group configuration has at least the "pre-shared-key" configuration):
tunnel-group 188.8.131.52 type ipsec-l2l
tunnel-group 184.108.40.206 ipsec-attributes
For a VPN Client connection the tunnel-group configuration could look something like this (again, not a full configuration):
tunnel-group REMOTE-USER-VPN-01 type ipsec-ra
tunnel-group REMOTE-USER-VPN-01 general-attributes
tunnel-group REMOTE-USER-VPN-01 ipsec-attributes
I think the syslog ID 113009 message refers to the Group Policy that was applied to the user.
Syslog ID 113019 message seems to refer to the name of the tunnel-group.
What device are the VPNs on and what software version?
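Added example, not part of the original thread: a small parser that pairs the group-policy reported at login (113009) with the tunnel-group reported at disconnect (113019) for each username, so the two "group" names can be read side by side. The log lines are constructed, and their layout is an assumption based on Cisco's documented message text for these two syslog IDs; the hostname, the usernames, the IP address and the policy name GP-EXAMPLE-OTHER are made up.

```python
import re

# Constructed sample lines (not from the thread). The message layouts are an
# assumption taken from Cisco's documented text for syslog IDs 113009/113019.
SAMPLE_LOG = """\
Mar 01 09:00:01 asa01 %ASA-6-113009: AAA retrieved default group policy (GP-FTO-ELD-VPNGROUP) for user = jdoe
Mar 01 09:05:12 asa01 %ASA-6-113009: AAA retrieved default group policy (GP-EXAMPLE-OTHER) for user = asmith
Mar 01 17:30:44 asa01 %ASA-4-113019: Group = portal2PROFILE, Username = jdoe, IP = 192.0.2.10, Session disconnected. Session Type: SSL, Duration: 8h:30m:43s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested
"""

# 113009 carries the group-policy applied at login.
RE_113009 = re.compile(
    r"%ASA-\d-113009: AAA retrieved default group policy "
    r"\((?P<policy>[^)]+)\) for user = (?P<user>\S+)"
)
# 113019 carries the tunnel-group (connection profile) at disconnect.
RE_113019 = re.compile(
    r"%ASA-\d-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\."
)

def correlate(log_text):
    """Return (sessions, still_open): closed sessions with both names, and
    users whose login was seen but whose disconnect was not."""
    pending = {}   # user -> group-policy from the most recent 113009
    sessions = []
    for line in log_text.splitlines():
        m = RE_113009.search(line)
        if m:
            pending[m["user"]] = m["policy"]
            continue
        m = RE_113019.search(line)
        if m:
            sessions.append({
                "user": m["user"],
                "tunnel_group": m["group"],
                # None when the login fell outside the captured log window
                "group_policy": pending.pop(m["user"], None),
                "ip": m["ip"],
            })
    return sessions, pending

if __name__ == "__main__":
    closed, still_open = correlate(SAMPLE_LOG)
    for s in closed:
        print(s)
    print("no disconnect seen yet:", still_open)
```

Keying on username alone assumes one concurrent session per user; with simultaneous logins the pairing would need the peer IP or timestamps as well.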