Need clarification in message ids of cisco

viswesh1406
Level 1

Hi Guys,

I am analyzing Cisco VPN logs. The 113009 message ID log contains the group name for that particular user; when he logs out, a 113019 log is sent, which has a different group name.

Can you tell me what the difference between the two groups is?

Thanks,

M.Viswesh.

8 Replies

Jouni Forss
VIP Alumni

Hi,

I think the syslog ID 113009 message refers to the Group Policy that was applied to the user.

The syslog ID 113019 message seems to refer to the name of the tunnel-group.

What device are the VPNs on and what software version?

- Jouni

Jouni,

Thanks a lot, Jouni. Do the values depend on the Cisco model and software version? Because in our network, we have more than 10 firewalls (I don't know the versions used). I am analyzing the logs to create reports.

Can you explain to me what a tunnel group name is? Sorry for the basic questions.

Thanks in advance,

M.Viswesh

Hi,

I'm not sure if the type of device and software matter but just wanted to make sure.

I'm not sure if I got the syslog ID right.

"tunnel-group" is the name of the connection.

  • For L2L VPN the tunnel-group name in your ASA/PIX configurations is always the remote peer IP address.
    • For example "tunnel-group 1.2.3.4 type ipsec-l2l"
  • For Client VPN the group name can be anything.
    • For example "tunnel-group REMOTE-USER-VPN-01 type ipsec-ra"

With Cisco IPsec VPN Client connections you use the tunnel-group name as the Group name when you are configuring the VPN connection in your VPN Client software. The pre-shared key in that situation is the password.

The very basic configuration for an L2L VPN tunnel-group would be something like this (for the whole connection you of course need a lot more configuration, but the tunnel-group configuration has at least the "pre-shared-key" configuration):

    tunnel-group 1.2.3.4 type ipsec-l2l
    tunnel-group 1.2.3.4 ipsec-attributes
     pre-shared-key ThisIsThekey

For a VPN Client connection the tunnel-group configuration could look something like this (again, not a full configuration):

    tunnel-group REMOTE-USER-VPN-01 type ipsec-ra
    tunnel-group REMOTE-USER-VPN-01 general-attributes
     address-pool REMOTE-VPN-POOL
     default-group-policy REMOTE-USER-VPN-01-GP
    tunnel-group REMOTE-USER-VPN-01 ipsec-attributes
     pre-shared-key ThisIsThekey

- Jouni

Jouni the quick fire,

Thanks a lot, man. I don't need L2L VPN. For remote client VPN, why does the group name differ? Let me post the logs.

<166>Feb 21 2011 10:31:58 FO-ELD-ASA : %ASA-6-113009: AAA retrieved default group policy (GP-FTO-ELD-VPNGROUP) for user = dclem@gmail.com

<164>Feb 21 2011 11:47:14 FO-ELD-ASA : %ASA-4-113019: Group = portal2PROFILE, Username = dclem@gmail.com, IP = 67.xxx.108.162, Session disconnected. Session Type: SSL, Duration: 1h:15m:16s, Bytes xmt: 1831910, Bytes rcv: 365237, Reason: Idle Timeout.

In the above logs, which one should I take as the group? The group is different for the login and logout logs.

Thanks in advance.

M.Viswesh

Hi,

The first message tells that after the user (with the mentioned username) logged in, his connection was applied with the configurations/rules under the "group-policy GP-FTO-ELD-VPNGROUP" on the ASA. The group-policy basically just lets you define some specific settings for the actual VPN connection, like which networks the user is allowed to access through the VPN.

"show run group-policy" displays all the group-policies configured on your ASA.

The second message's group tells the name of the actual VPN profile/connection the user was using.

"show run tunnel-group" displays all the tunnel-groups configured on your ASA.

You should find the above group-policy GP-FTO-ELD-VPNGROUP configured under the tunnel-group configurations.

So,

portal2PROFILE = tunnel-group = VPN connection's name

GP-FTO-ELD-VPNGROUP = group-policy = Contains additional settings for all the users using the VPN connection named portal2PROFILE

Hope this clarifies the thing a bit. I'm not sure if I was able to explain it any better.

Please rate if it was any help

- Jouni

Jouni,

Thanks a lot. It helped a lot.

Hi Jouni,

I see that the 113011 message ID log shows a user-specific group policy. What is the difference between these two logs?

But I see they have different names.

<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113011: AAA retrieved user specific group policy (AWA-VPN-GP02) for user = ktakepoochi

<166>Apr 12 2011 20:29:33 AWT-AA : %ASA-6-113009: AAA retrieved default group policy (NOACCESS) for user = ktakepoochi

Regards,

M.Viswesh.

Hi,

I'm not 100% sure, but it seems to me that the username "ktakeuchi" has its own "group-policy" configured. If you check the username configurations under ASDM, you can see that you assign a "group-policy" straight to the username.

You can also lock the username in question to some specific "tunnel-group".

I can't remember at the moment which setting overrides the other. I think there is a certain order in which the "group-policy" rules are applied. I think the settings under the "username" configurations apply. If the user didn't have the "group-policy" configured under his username, the "group-policy" configured under the tunnel-group/connection name that the person is using would be applied to the user.

As I said, I'm not 100% sure. Maybe someone can confirm/correct what I just wrote.
