
New Member

ASA 5540 AAA Inaccurate VPN Login/Logout Accounting

We have a security department that relies on accurate logging of logins and logouts via AAA. Unfortunately, we have seen a rash of users with a login but no logout. Over 400-500 in one week. I have noticed that at some point in the syslog data the user stops sending information and then, after an hour or so, the lines below appear...

2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = b.b.b.b, Received encrypted packet with no matching SA, dropping

2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = b.b.b.b, Received encrypted packet with no matching SA, dropping

After which, the user is just gone, without any indication of their logout in either syslog or the RADIUS server (using AAA).

Our security department uses the RADIUS logs which insert a session ID. They look for the session IDs in pairs, a login and logout. Mostly they are seeing a session ID with no associated logout. The syslog data backs this up as being accurate.

Not sure why this is, we are using v7.2(3).8 of the operating system.

Thanks for any input!
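The pairing the security department does by hand, as an added example that is not part of the original post: it matches RADIUS accounting Start and Stop records by Acct-Session-Id, flags sessions that have a Start but no Stop, and then looks in the ASA syslog for %ASA-5-713904 "no matching SA" drops from the same peer address so each orphaned login can be sorted into "tunnel died silently" versus "no trace at all". The RADIUS records below are constructed sample data in a simple key=value-per-line layout (an assumption, not the format of any particular RADIUS server); the attribute names are the standard RADIUS accounting attributes. The syslog lines reuse the pipe-delimited format shown in the post, with one extra constructed peer added.

```python
import re
from collections import defaultdict

# Constructed RADIUS accounting records (sample data, not real server output).
# One record per line, key=value pairs. 0x0A20 is the only session with a Stop;
# 0x0A1F (peer b.b.b.b) and 0x0A21 (peer d.d.d.d) are Start-only "orphans".
RADIUS_ACCT = """\
Acct-Status-Type=Start User-Name=alice Acct-Session-Id=0x0A1F Calling-Station-Id=b.b.b.b Timestamp=2008-06-13T15:02:10-0400
Acct-Status-Type=Start User-Name=bob Acct-Session-Id=0x0A20 Calling-Station-Id=c.c.c.c Timestamp=2008-06-13T15:05:41-0400
Acct-Status-Type=Stop User-Name=bob Acct-Session-Id=0x0A20 Calling-Station-Id=c.c.c.c Timestamp=2008-06-13T15:58:03-0400
Acct-Status-Type=Start User-Name=carol Acct-Session-Id=0x0A21 Calling-Station-Id=d.d.d.d Timestamp=2008-06-13T15:10:22-0400
"""

# ASA syslog in the pipe-delimited layout from the post; the first two lines are
# the ones quoted there, the third is a constructed drop from an unrelated peer.
ASA_SYSLOG = """\
2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = b.b.b.b, Received encrypted packet with no matching SA, dropping
2008-06-13T16:11:57-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = b.b.b.b, Received encrypted packet with no matching SA, dropping
2008-06-13T16:40:12-0400|local4|notice|%ASA-5-713904|a.a.a.a|%ASA-5-713904: IP = e.e.e.e, Received encrypted packet with no matching SA, dropping
"""

ACCT_RE = re.compile(r"(\S+)=(\S+)")
SYSLOG_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<fac>[^|]+)\|(?P<sev>[^|]+)\|(?P<msgid>[^|]+)\|(?P<asa>[^|]+)\|(?P<msg>.*)$"
)
NO_SA_RE = re.compile(r"IP = (?P<peer>\S+), Received encrypted packet with no matching SA")


def parse_acct(text):
    """Turn each non-empty accounting line into a dict of attribute -> value."""
    return [dict(ACCT_RE.findall(line)) for line in text.splitlines() if line.strip()]


def pair_sessions(records):
    """Return (closed_ids, orphaned) where orphaned maps Start-only ids to their Start record."""
    starts, stops = {}, set()
    for rec in records:
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            starts[sid] = rec
        elif rec["Acct-Status-Type"] == "Stop":
            stops.add(sid)
    closed = sorted(sid for sid in starts if sid in stops)
    orphaned = {sid: starts[sid] for sid in starts if sid not in stops}
    return closed, orphaned


def find_no_matching_sa(text):
    """Map peer IP -> list of timestamps at which the ASA logged a 713904 drop for it."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["msgid"] != "%ASA-5-713904":
            continue
        peer = NO_SA_RE.search(m["msg"])
        if peer:
            events[peer["peer"]].append(m["ts"])
    return events


def correlate(orphaned, no_sa_events):
    """Attach the no-matching-SA drops seen from each orphaned session's peer address."""
    report = {}
    for sid, start in orphaned.items():
        peer = start.get("Calling-Station-Id")
        report[sid] = {
            "user": start["User-Name"],
            "peer": peer,
            "started": start["Timestamp"],
            "no_matching_sa": list(no_sa_events.get(peer, [])),
        }
    return report


if __name__ == "__main__":
    closed, orphaned = pair_sessions(parse_acct(RADIUS_ACCT))
    print("closed sessions:", closed)
    for sid, info in correlate(orphaned, find_no_matching_sa(ASA_SYSLOG)).items():
        drops = len(info["no_matching_sa"])
        verdict = "tunnel lost (no matching SA)" if drops else "no syslog trace"
        print(f"orphan {sid} user={info['user']} peer={info['peer']} drops={drops}: {verdict}")
```

Run on the sample data, bob's session pairs up, alice's orphaned login lines up with the two 713904 drops from b.b.b.b, and carol's orphaned login has no syslog trace at all, which is the split an analyst needs before deciding which missing logouts are the silent-tunnel case the post describes.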

2 REPLIES
Bronze

Re: ASA 5540 AAA Inaccurate VPN Login/Logout Accounting

The error message "Received encrypted packet with no matching SA, dropping" states that the "Security Association" is not matching during the authentication process and so the connection is being dropped. So check the AAA configuration using the document present at the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html

Silver

Re: ASA 5540 AAA Inaccurate VPN Login/Logout Accounting

I think it connects on a different port number than the one matching on the outside interface.

Take a debug of crypto isakmp and crypto ipsec; you will be able to see.

Syslog sometimes doesn't show it because you have to start such logs.

AAA doesn't show it because, before it hits the AAA server, the request is refused by the outside interface on non-matching parameters.

Thanks,

Dharmesh Purohit
