Usually when we have a problem with a VPN user attempting to connect
to an inside service, we turn to our ASA syslogs to determine where the
connection is being prohibited (or other errors such as the user trying
to connect to the wrong machine). This works fine for normally configured
(UNIX) servers which send an ICMP reject message. Recently we had to
diagnose problems connecting to an inside Windows device, and although
the VPN client had attempted to connect, no log message was produced
because the connection never got a TCP RST nor ICMP reject.
From what I can suss out from MSDN, turning off "stealth mode" on Windows
boxes to return those boxes to sane ICMP reject behavior is either not completely
supported, or at the very least misguidedly discouraged by Microsoft, and so I
might not be able to convince various Windows administrators to alter this policy.
Is there a way to get log messages bearing the IP tuples for TCP and/or UDP
incomplete connections where the ASA sees only packets destined for an inside host?
This would be for a small number (<50) of VPN remote clients, so we
are not very worried about a DDOS saturating the logs -- these packets are
not attacks just mistakes.
We would need this to happen even for single packets, and without actually
dropping traffic from the initiator, so threat-detection probably won't do the
trick here, unless it can be made to audit-only on single packets.
VPN is all this ASA device is doing, so it can likely afford the CPU for configurations
normally deemed too CPU intense.
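One place the IP tuples for never-completed TCP connections do surface is the ASA's own connection-teardown messages: when logging is at informational level, the ASA emits message 302013 (Built ... TCP connection) when it creates a connection entry and 302014 (Teardown TCP connection ...) when it removes it, and the teardown line carries a reason such as "SYN Timeout" plus the byte count. The following script is an added example, not code from the original post or from Cisco; it parses those two message formats as Cisco documents them and extracts the source/destination tuples of flows that timed out without a handshake. The sample log lines are constructed for this example, and it assumes the ASA is sending level-6 (informational) connection messages to the syslog collector.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). They follow the
# documented shape of ASA message 302013 (Built) and 302014 (Teardown); the
# Teardown line ends with the teardown reason, e.g. "SYN Timeout" or "TCP FINs".
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:10.8.0.5/51234 (10.8.0.5/51234) to inside:192.168.10.20/445 (192.168.10.20/445)
%ASA-6-302014: Teardown TCP connection 1001 for outside:10.8.0.5/51234 to inside:192.168.10.20/445 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 1002 for outside:10.8.0.5/51240 (10.8.0.5/51240) to inside:192.168.10.21/22 (192.168.10.21/22)
%ASA-6-302014: Teardown TCP connection 1002 for outside:10.8.0.5/51240 to inside:192.168.10.21/22 duration 0:01:12 bytes 4120 TCP FINs
%ASA-6-302013: Built inbound TCP connection 1003 for outside:10.8.0.7/40000 (10.8.0.7/40000) to inside:192.168.10.20/3389 (192.168.10.20/3389)
%ASA-6-302014: Teardown TCP connection 1003 for outside:10.8.0.7/40000 to inside:192.168.10.20/3389 duration 0:00:30 bytes 0 SYN Timeout
"""

# Matches the 302014 teardown message and captures the tuple, byte count and reason.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_teardowns(log_text):
    """Yield one dict per 302014 teardown message found in the log text."""
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        yield {
            "conn_id": int(d["id"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "duration": d["duration"],
            "bytes": int(d["bytes"]),
            "reason": d["reason"].strip(),
        }


def incomplete_connections(log_text):
    """Return teardowns whose three-way handshake never completed.

    The ASA records the reason "SYN Timeout" for a connection entry that was
    built on a SYN but never saw the rest of the handshake, which is exactly
    the case where the inside host silently dropped the packet.
    """
    return [c for c in parse_teardowns(log_text) if c["reason"] == "SYN Timeout"]


def count_by_target(conns):
    """Count incomplete connections per (destination IP, destination port)."""
    return Counter((c["dst"], c["dport"]) for c in conns)


if __name__ == "__main__":
    failed = incomplete_connections(SAMPLE_LOG)
    for c in failed:
        print(f"{c['src']}:{c['sport']} -> {c['dst']}:{c['dport']} "
              f"after {c['duration']} ({c['reason']})")
    for (dst, dport), n in count_by_target(failed).most_common():
        print(f"{dst}:{dport}  {n} unanswered SYN(s)")
```

Two caveats when using this against real logs: the 302014 message only appears after the ASA's embryonic-connection timeout expires, so the tuple shows up with a delay rather than on the first packet, and UDP flows use separate message IDs (302015/302016) with no handshake-based reason, so a UDP version of the filter would have to rely on the byte count instead.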