SESSION LOGGING FROM ASA

veltech
Level 1

Hi All,

We have a need to capture session information from ASAs being used for VPN traffic. The requirement is pretty basic, but in particular we need to capture information about inbound AnyConnect VPNs that will then be permitted to hairpin out to the internet. The minimum information we need to log is the source IP address of the VPN client connection, the LAN IP allocated, then, if hairpinning out to the internet, the public IP address allocated, and finally the VPN user name. We use PRTG Network Monitor but are not sure if this will accept session logs.

Any ideas as to how to achieve this?

Thanks,

Accepted Solution

Hi,

To my understanding if you are already sending Syslogs to a server then for the connection building/teardown messages for VPN users you should see the VPN username inside ().

The Syslog IDs are the usual IDs for connection building/teardown which are

  • 302013 (TCP Build)
  • 302014 (TCP Teardown)
  • 302015 (UDP Build)
  • 302016 (UDP Teardown)

The log message format for TCP connections is for example

302013

Error Message    %ASA-6-302013: Built {inbound|outbound} TCP connection_id for 
interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to 
interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] 
[(user)]

302014

Error Message    %ASA-6-302014: Teardown TCP connection id for 
interface:real-address/real-port [(idfw_user)] to 
interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes 
[reason] [(user)]

As you can see, they contain the information about the "user" (username), "real address" (IP address the client received), "mapped address" (public IP address to which the connection was NATed) along with information about where the user connected.

EDIT: You mentioned you want to log the source address of the actual VPN connection also? For that you will probably need to look for another Syslog ID.

The information about the actual Syslog message IDs can be found here

http://www.cisco.com/en/US/docs/security/asa/syslog-guide/logmsgs.html#wp4770603

Sadly, I can't really comment on the PRTG.

- Jouni

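The two message formats quoted above translate directly into a parser that pulls out exactly the fields the original poster asked for. The Python below is an added example written for this thread, not code from the thread, from Cisco, or from any syslog product: it builds a few sample syslog lines (constructed, using RFC 5737 documentation addresses) in the 302013/302014 layout quoted above, extracts the username, the real (client) address and the mapped (public) address, correlates each Built message with its Teardown by connection id, and flags a hairpin candidate when both endpoints in a Built message sit on the same ASA interface name. It goes slightly beyond the quoted TCP examples by also accepting the UDP IDs 302015/302016 on the assumption that they share the same field layout. Other assumptions: the optional [(idfw_user)] field is absent, so any trailing "(name)" is taken as the VPN username; and for an "inbound" connection the initiator is the first ("for") endpoint while for "outbound" it is the second ("to") endpoint. The same-interface test is a heuristic derived from the fields already in the message, not a dedicated hairpin log.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Built message (302013 TCP / 302015 UDP), following the field layout quoted in
# the thread. [(idfw_user)] is not modelled: the parser assumes identity firewall
# is not in use, so a trailing "(name)" is taken to be the VPN username.
BUILD_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn_id>\d+) for "
    r"(?P<a_if>[\w-]+):(?P<a_real>[\d.]+)/(?P<a_port>\d+) "
    r"\((?P<a_mapped>[\d.]+)/(?P<a_mport>\d+)\) to "
    r"(?P<b_if>[\w-]+):(?P<b_real>[\d.]+)/(?P<b_port>\d+) "
    r"\((?P<b_mapped>[\d.]+)/(?P<b_mport>\d+)\)"
    r"(?: \((?P<user>[^()]+)\))?\s*$"
)

# Teardown message (302014 TCP / 302016 UDP): no mapped addresses, but adds
# duration, byte count and an optional free-text reason before the username.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<a_if>[\w-]+):(?P<a_real>[\d.]+)/(?P<a_port>\d+) to "
    r"(?P<b_if>[\w-]+):(?P<b_real>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?P<reason> [^()]*?)?(?: \((?P<user>[^()]+)\))?\s*$"
)


@dataclass
class Session:
    conn_id: str
    proto: str
    user: Optional[str]          # VPN username, None if the message had none
    client_ip: str               # LAN/pool address the VPN client used
    client_public_ip: str        # address the client was NATed to
    peer_ip: str                 # remote host the client connected to
    peer_port: str
    hairpin: bool                # both endpoints on the same ASA interface name
    duration: Optional[str] = None
    byte_count: Optional[int] = None
    reason: Optional[str] = None


def parse_built(line: str) -> Optional[Session]:
    """Turn one Built line into a Session, or None if it is not a Built message."""
    m = BUILD_RE.search(line)
    if not m:
        return None
    # Assumed ASA convention: for "inbound" the initiator is the first ("for")
    # endpoint; for "outbound" it is the second ("to") endpoint.
    init, resp = ("a", "b") if m["direction"] == "inbound" else ("b", "a")
    return Session(
        conn_id=m["conn_id"],
        proto=m["proto"],
        user=m["user"],
        client_ip=m[f"{init}_real"],
        client_public_ip=m[f"{init}_mapped"],
        peer_ip=m[f"{resp}_real"],
        peer_port=m[f"{resp}_port"],
        hairpin=m["a_if"] == m["b_if"],
    )


def summarize(lines: Iterable[str]) -> List[Session]:
    """Correlate Built and Teardown by connection id; return completed sessions."""
    open_conns = {}
    finished = []
    for line in lines:
        s = parse_built(line)
        if s:
            open_conns[s.conn_id] = s
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["conn_id"] in open_conns:
            s = open_conns.pop(m["conn_id"])
            s.duration = m["duration"]
            s.byte_count = int(m["bytes"])
            s.reason = (m["reason"] or "").strip() or None
            finished.append(s)
    return finished


def vpn_hairpins(sessions: Iterable[Session]) -> List[Session]:
    """Sessions that carry a VPN username and left through the interface they entered."""
    return [s for s in sessions if s.user and s.hairpin]


# Constructed sample lines (RFC 5737 documentation addresses), not a real ASA capture.
# 1001: an ordinary inbound connection to an internal server (no VPN user).
# 1002: AnyConnect user jdoe (pool address 10.10.10.5) hairpinning out to the
#       internet, NATed to 203.0.113.1.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:192.0.2.5/443 (192.0.2.5/443)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.20/443 (198.51.100.20/443) to outside:10.10.10.5/52000 (203.0.113.1/52000) (jdoe)
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.20/443 to outside:10.10.10.5/52000 duration 0:00:12 bytes 8432 TCP FINs (jdoe)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/51234 to inside:192.0.2.5/443 duration 0:01:03 bytes 20480 TCP FINs
""".splitlines()

if __name__ == "__main__":
    for s in vpn_hairpins(summarize(SAMPLE_LOG)):
        print(f"{s.user}: client {s.client_ip} -> public {s.client_public_ip} "
              f"-> {s.peer_ip}:{s.peer_port} ({s.proto}, {s.duration}, {s.byte_count} bytes)")
```

Run against a syslog file instead of SAMPLE_LOG by passing the open file object to summarize(). The Teardown correlation matters because only the Built message carries the mapped (public) address, while only the Teardown carries duration and byte counts; a session record that needs both has to be assembled from the pair.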

4 Replies

Richard Burts
Hall of Fame

The identification information that you mention, source IP, LAN address allocated, user name, and (I believe) address used for translation are available in log records that the ASA would generate. But I am not aware of a way to trigger a log that identifies hairpin traffic.

I wonder if it would be helpful to move this thread to the VPN forum in hopes that some VPN guru might know a way to identify hairpin traffic.

HTH

Rick


Hi,

Yes, good idea, now moved to VPN.

Thanks,


Hi Jouni,

Thank you for your response in regard to syslog. We have downloaded a trial of Kiwi Syslog and believe that the combination of your information and the syslog server will provide the information we require. So thank you for your input and help with this question.

Regards,