Need clarification on message IDs of Cisco

Answered Question
Mar 27th, 2012

Hi Guys,

I am analyzing Cisco VPN logs. The 113009 message ID log contains the group name for that particular user; when he logs out, a 113019 log is sent, which has a different group name.

Can you tell me what the difference between the two groups is?

Thanks,

M.Viswesh.


Correct Answer
Jouni Forss Tue, 03/27/2012 - 07:24

Hi,


I think the syslog ID 113009 message refers to the group policy that was applied to the user.


Syslog ID 113019 message seems to refer to the tunnel-group name.


What device are the VPNs on and what software version?


- Jouni

viswesh1406 Tue, 03/27/2012 - 07:46

Jouni,

Thanks a lot, Jouni. Do the values depend on the Cisco model and software version? Because in our network we have more than 10 firewalls (I don't know the versions used). I am analyzing the logs to create reports.

Can you explain to me what a tunnel group name is? Sorry for the basic questions.

Thanks in advance,

M.Viswesh

Correct Answer
Jouni Forss Tue, 03/27/2012 - 08:02

Hi,


I'm not sure if the type of device and software matter but just wanted to make sure.


I'm not sure if I got the syslog ID right.


"tunnel-group" is the name of the connection.

  • For L2L VPN the tunnel-group name in your ASA/PIX configurations is always the remote peer IP address.
    • Like for example "tunnel-group 1.2.3.4 type ipsec-l2l"
  • For Client VPN the group name can be anything.
    • Like for example "tunnel-group REMOTE-USER-VPN-01 type ipsec-ra"


With Cisco IPsec VPN Client connections you use the tunnel-group name as the Group name when you are configuring the VPN connection in your VPN Client software. The pre-shared key in that situation is the password.


The very basic configuration for an L2L VPN tunnel-group would be something like this (for the whole connection you of course need a lot more configuration, but the tunnel-group configuration has at least the "pre-shared-key" configuration):

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key ThisIsThekey


For a VPN Client connection the tunnel-group configuration could look something like this (again, not a full configuration):

tunnel-group REMOTE-USER-VPN-01 type ipsec-ra
tunnel-group REMOTE-USER-VPN-01 general-attributes
 address-pool REMOTE-VPN-POOL
 default-group-policy REMOTE-USER-VPN-01-GP
tunnel-group REMOTE-USER-VPN-01 ipsec-attributes
 pre-shared-key ThisIsThekey


- Jouni

viswesh1406 Tue, 03/27/2012 - 08:21

Jouni the quick fire,


Thanks a lot man, I don't need L2L VPN. For remote client VPN, why does the group name differ? Let me post you the logs.


<166>Feb 21 2011 10:31:58 FO-ELD-ASA : %ASA-6-113009: AAA retrieved default group policy (GP-FTO-ELD-VPNGROUP) for user = [email protected]



<164>Feb 21 2011 11:47:14 FO-ELD-ASA : %ASA-4-113019: Group = portal2PROFILE, Username = [email protected], IP = 67.xxx.108.162, Session disconnected. Session Type: SSL, Duration: 1h:15m:16s, Bytes xmt: 1831910, Bytes rcv: 365237, Reason: Idle Timeout.



In the above logs, which one should I take as the group? The group is different for the login and logout logs.


Thanks in advance.

M.Viswesh

Correct Answer
Jouni Forss Tue, 03/27/2012 - 08:42

Hi,



The first message tells that after the user (with the mentioned username) logged in, his connection was applied with the configurations/rules under the "group-policy GP-FTO-ELD-VPNGROUP" on the ASA. The group-policy basically just lets you define some specific settings for the actual VPN connection, like which networks the user is allowed to access through the VPN.

show run group-policy displays all the group-policies configured on your ASA.


The second message's group tells the name of the actual VPN profile/connection the user was using.

show run tunnel-group displays all the tunnel-groups configured on your ASA.


You should find the above group-policy GP-FTO-ELD-VPNGROUP configured under the tunnel-group configurations.


So,

portal2PROFILE = tunnel-group = the VPN connection's name

GP-FTO-ELD-VPNGROUP = group-policy = contains additional settings for all the users using the VPN connection named portal2PROFILE


Hope this clarifies the thing a bit. I'm not sure if I was able to explain it any better.


Please rate if it was any help.


- Jouni

viswesh1406 Tue, 03/27/2012 - 22:55

Jouni,

Thanks a lot. It helped a lot.

viswesh1406 Tue, 03/27/2012 - 23:07

Hi Jouni,


I see that the 113011 message ID log shows a user-specific group policy. What is the difference between these two logs?

I see they have different names.


<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113011: AAA retrieved user specific group policy (AWA-VPN-GP02) for user = ktakepoochi


<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113009: AAA retrieved default group policy (NOACCESS) for user = ktakepoochi


Regards,

M.Viswesh.

Jouni Forss Tue, 03/27/2012 - 23:33

Hi,


I'm not 100% sure, but it seems to me that the username "ktakeuchi" has its own "group-policy" configured. If you check the username configurations under ASDM, you can see that you can assign a "group-policy" straight to the username.


You can also lock the username in question to some specific "tunnel-group".


I can't remember at the moment which setting overrides the other. I think there is a certain order in which the "group-policy" rules are applied. I think the settings under the "username" configuration apply. If the user didn't have a "group-policy" configured under his username, the "group-policy" configured under the tunnel-group/connection name that the person is using would be applied to the user.


As I said, I'm not 100% sure. Maybe someone can confirm/correct what I just wrote.
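
The thread's question is which "group" to report per user when the login message (113009/113011) names a group-policy and the logout message (113019) names the tunnel-group. The parser below is an added example, not code from the thread or from Cisco: it correlates the three message types by username, keeps the tunnel-group and the group-policy as separate report columns, and resolves a user-specific policy (113011) over the tunnel-group default (113009), which is the precedence Jouni describes and is assumed here. The hostnames, usernames and IP in the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Patterns for the three ASA syslog IDs discussed in the thread.
RE_ID = re.compile(r"%ASA-\d-(\d{6}): (.*)$")
RE_DEFAULT = re.compile(r"AAA retrieved default group policy \(([^)]+)\) for user = (\S+)")
RE_USER = re.compile(r"AAA retrieved user specific group policy \(([^)]+)\) for user = (\S+)")
RE_DISC = re.compile(r"Group = ([^,]+), Username = ([^,]+), IP = [^,]+, Session disconnected\. "
                     r"Session Type: [^,]+, Duration: ([^,]+), Bytes xmt: \d+, Bytes rcv: \d+, Reason: (.+?)\.?$")

@dataclass
class Session:
    username: str
    default_policy: Optional[str] = None  # 113009: policy inherited from the tunnel-group
    user_policy: Optional[str] = None     # 113011: policy set directly under "username"
    tunnel_group: Optional[str] = None    # 113019: connection profile (tunnel-group) used
    duration: Optional[str] = None
    reason: Optional[str] = None

    @property
    def effective_policy(self) -> str:
        # Assumption, following Jouni's reading: a user-specific policy wins over the default.
        return self.user_policy or self.default_policy or "UNKNOWN"

def parse_sessions(lines):
    sessions = {}
    for line in lines:
        head = RE_ID.search(line)
        if not head:
            continue  # not an ASA message
        msg_id, body = head.groups()
        if msg_id == "113009" and (m := RE_DEFAULT.match(body)):
            policy, user = m.groups()
            sessions.setdefault(user, Session(user)).default_policy = policy
        elif msg_id == "113011" and (m := RE_USER.match(body)):
            policy, user = m.groups()
            sessions.setdefault(user, Session(user)).user_policy = policy
        elif msg_id == "113019" and (m := RE_DISC.match(body)):
            group, user, duration, reason = m.groups()
            s = sessions.setdefault(user, Session(user))
            s.tunnel_group, s.duration, s.reason = group, duration, reason
    return sessions

# Constructed sample lines in the thread's format (hosts, users and IPs are made up).
SAMPLE = [
    "<166>Feb 21 2011 10:31:58 ASA-1 : %ASA-6-113009: AAA retrieved default group policy (GP-FTO-ELD-VPNGROUP) for user = alice",
    "<164>Feb 21 2011 11:47:14 ASA-1 : %ASA-4-113019: Group = portal2PROFILE, Username = alice, IP = 192.0.2.10, Session disconnected. Session Type: SSL, Duration: 1h:15m:16s, Bytes xmt: 1831910, Bytes rcv: 365237, Reason: Idle Timeout.",
    "<166>Apr 12 2011 20:29:33 ASA-2 : %ASA-6-113011: AAA retrieved user specific group policy (AWA-VPN-GP02) for user = bob",
    "<166>Apr 12 2011 20:29:33 ASA-2 : %ASA-6-113009: AAA retrieved default group policy (NOACCESS) for user = bob",
]
```

A report row for "bob" shows effective policy AWA-VPN-GP02 and no tunnel-group yet, since only his login messages are present; a row for "alice" shows tunnel-group portal2PROFILE beside policy GP-FTO-ELD-VPNGROUP, which is the pair the original question was confusing.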
