
Is it possible to log AnyConnect Client Version?

baldwintm
Level 1

When I connect with the Cisco VPN Client (IPSec), the version shows up in the syslog (%ASA-6-713184). If I do an EasyVPN connection, the version shows up in the log. But when I do an AnyConnect VPN connection, the version does NOT show up in the logs. 

Is there a way to get that information to show up in the ASA logs?

8 Replies

Marcin Latosiewicz
Cisco Employee

For SSL, user agent - version and OS is shown in vpn-sessiondb.

That will only show me a point-in-time. Not historical record.

I'm specifically looking to be able to look in the logs to see how many of my users have not updated the AnyConnect iOS App for the Heartbleed vulnerability.

Hi,

 

I believe there is no syslog id through which you can capture this information. You have to manually capture this information by running commands:

show vpn-sess any

show vpn-sess web

 

The only thing you can do is update the AnyConnect client on the server, and whosoever connects to the server with a lower version of AnyConnect will be upgraded to the latest version that is there on the ASA. This will fix your problem regarding the AnyConnect versions.

 

Vishnu

Unfortunately, that won't work for the Apple iOS clients. They will need to upgrade via the Apple App store.

Hi,

 

The problem with logging AnyConnect connections is that they do not have any syslog id assigned. They are just random. For example, I will show you the debug for a successful connection:

ASA-TEST# clear webvpn_rx_data_tunnel_connect

CSTP state = HEADER_PROCESSING
http_parse_cstp_method()
l...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
webvpn_cstp_parse_request_field()
...input: 'Host: x.x.32.25'
Processing CSTP header line: 'Host: x.x.32.25'
webvpn_cstp_parse_request_field()
...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.05160'
Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.05160'
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.1.05160'
webvpn_cstp_parse_request_field()
...input: 'Cookie: webvpn=64FDE7@114688@9029@59DB266BD760CEF24326FB8879932CF0EA8B38BC'
Processing CSTP header line: 'Cookie: webvpn=64FDE7@114688@9029@59DB266BD760CEF24326FB8879932CF0EA8B38BC'
Found WebVPN cookie: 'webvpn=64FDE7@114688@9029@59DB266BD760CEF24326FB8879932CF0EA8B38BC'
WebVPN Cookie: 'webvpn=64FDE7@114688@9029@59DB266BD760CEF24326FB8879932CF0EA8B38BC'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Version: 1'
Processing CSTP header line: 'X-CSTP-Version: 1'
Setting version to '1'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Hostname: TEST-WIN7'
Processing CSTP header line: 'X-CSTP-Hostname: TEST-WIN7'
Setting hostname to: 'TEST-WIN7'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-MTU: 1280'
Processing CSTP header line: 'X-CSTP-MTU: 1280'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Address-Type: IPv6,IPv4'
Processing CSTP header line: 'X-CSTP-Address-Type: IPv6,IPv4'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Local-Address-IP4: x.x.166.98'
Processing CSTP header line: 'X-CSTP-Local-Address-IP4: X.X.166.98'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Base-MTU: 1300'
Processing CSTP header line: 'X-CSTP-Base-MTU: 1300'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Remote-Address-IP4: x.x.32.25'
Processing CSTP header line: 'X-CSTP-Remote-Address-IP4: X.X.32.25'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Full-IPv6-Capability: true'
Processing CSTP header line: 'X-CSTP-Full-IPv6-Capability: true'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Master-Secret: 56AC22A325958DF18DD07AF9270D0501962B5935E06F4051172D9843B0C9C10F6BA82E3D4B014C583C6B19D1CFA7C5B4'
Processing CSTP header line: 'X-DTLS-Master-Secret: 56AC22A325958DF18DD07AF9270D0501962B5935E06F4051172D9843B0C9C10F6BA82E3D4B014C583C6B19D1CFA7C5B4'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
Processing CSTP header line: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Accept-Encoding: lzs'
Processing CSTL header line: 'X-DTLS-Accept-Encoding: lzs'
webvpn_cstp_parse_request_field()
...input: 'X-DTLS-Header-Pad-Length: 0'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Accept-Encoding: lzs,deflate'
Processing CSTP header line: 'X-CSTP-Accept-Encoding: lzs,deflate'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Processing CSTP header line: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_ipv6_address: No IPv6 Address
o sho loggsho debugsho logg         webvpn_cstp_accept_address: 20.20.20.20/255.255.255.0
CSTP state = HAVE_ADDRESS
SVC: NP setup
np_svc_create_session(0x1C000, 0xa930a180, TRUE)
webvpn_svc_np_setup
SVC ACL Name: NULL
SVC ACL ID: -1
vpn_put_uauth success for ip 20.20.20.20!
No SVC ACL
Iphdr=20 base-mtu=1300 def-mtu=1500 conf-mtu=1406
tcp-mss = 1260
path-mtu = 1260(mss)
TLS Block size = 8
mtu = 1260(path-mtu) - 0(opts) - 5(ssl) = 1255
mod-mtu = 1255(mtu) & 0xfff8(complement) = 1248
tls-mtu = 1248(mod-mtu) - 8(cstp) - 20(mac) - 1(pad) = 1219
DTLS Block size = 8
mtu = 1300(base-mtu) - 20(ip) - 8(udp) - 13(dtlshdr) - 8(dtlsiv) = 1251
mod-mtu = 1251(mtu) & 0xfff8(complement) = 1248
dtls-mtu = 1248(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1226
computed tls-mtu=1219 dtls-mtu=1226 conf-mtu=1406
DTLS enabled for intf=2 (outside)
tls-mtu=1219 dtls-mtu=1226
SVC: adding to sessmgmt
Unable to initiate NAC, NAC might not be enabled or invalid policy
SVC: Sending response
Sending X-CSTP-Remote-Address-IP4: x.x.166.98
Sending X-CSTP-Local-Address-IP4: x.x.32.25
Sending X-CSTP-DNS: 4.2.2.2
Sending X-CSTP-Split-Include msgs: for ACL - split: Start
    Sending X-CSTP-Split-Include: 192.168.0.0/255.255.0.0

Sending X-CSTP-MTU: 1219
Sending X-DTLS-MTU: 1226
Sending X-CSTP-FW-RULE msgs: Start
Sending X-CSTP-FW-RULE msgs: Done
Sending X-CSTP-Quarantine: false
Sending X-CSTP-Disable-Always-On-VPN: false
Sending X-CSTP-Client-Bypass-Protocol: false
CSTP state = CONNECTED

 

Here, you can see the AnyConnect version and other relevant information; however, these messages do not have any log message id assigned to them, so we cannot use any logging for capturing this information. You can try setting up a third-party SNMP server which can capture this information and inform you whenever a user connects or disconnects.

 

Hope this helps.

 

Vishnu
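Added example, not part of the thread or any Cisco tooling: if debug output in the format posted above is captured to a file, a short parser can turn it into the historical per-session record the original question asks for. The sample text is constructed (its second user-agent string is made up), the function names are hypothetical, and the minimum version passed in is whatever release you decide is acceptable.

```python
import re

# Constructed sample in the format of the debug output posted above.
SAMPLE = """\
CSTP state = HEADER_PROCESSING
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.1.05160'
Processing CSTP header line: 'Cookie: webvpn=EXAMPLE-COOKIE'
Setting hostname to: 'TEST-WIN7'
Processing CSTP header line: 'X-DTLS-Master-Secret: EXAMPLE-SECRET'
CSTP state = CONNECTED
CSTP state = HEADER_PROCESSING
Setting user-agent to: 'Cisco AnyConnect VPN Agent for ExampleOS 3.0.09000'
Setting hostname to: 'TEST-PHONE'
CSTP state = CONNECTED
"""

UA_RE = re.compile(r"Setting user-agent to: '(.*)'")
HOST_RE = re.compile(r"Setting hostname to: '(.*)'")
VER_RE = re.compile(r"^(.*?)\s+(\d+(?:\.\d+)+)$")  # "<agent name> <dotted version>"

def version_tuple(text):
    """'3.1.05160' -> (3, 1, 5160), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_sessions(debug_text):
    """Return one record per completed CSTP connection.

    Only the user-agent and hostname lines are kept; the cookie and
    X-DTLS-Master-Secret lines are session secrets and are never stored.
    """
    sessions, cur = [], None
    for line in debug_text.splitlines():
        line = line.strip()
        if line == "CSTP state = HEADER_PROCESSING":
            cur = {"hostname": None, "agent": None, "version": None}
        elif cur is None:
            continue  # output before the first connection starts
        elif (m := UA_RE.search(line)):
            cur["agent"] = m.group(1)
            if (v := VER_RE.match(m.group(1))):
                cur["agent"], cur["version"] = v.group(1), v.group(2)
        elif (m := HOST_RE.search(line)):
            cur["hostname"] = m.group(1)
        elif line == "CSTP state = CONNECTED":
            sessions.append(cur)
            cur = None
    return sessions

def below_minimum(sessions, minimum):
    """Sessions older than `minimum`; an unparseable version is also flagged."""
    floor = version_tuple(minimum)
    return [s for s in sessions
            if s["version"] is None or version_tuple(s["version"]) < floor]
```
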

Why doesn't it use ASA-6-713184?

It is because 713184 is being used to detect client version for the IPSec VPN clients. For SSL they have not assigned any log id.

 

bravotom99
Level 1

Are you using hostscan to do any posture checking? You can create a DAP rule to check client version and then just check your syslogs to see who matched the rule.