Config Helper

Technology Configuration and Support Site

How To Check Cisco ASA VPN Activity Using Syslog

Written by admin on July 1, 2009 – 9:59 am -

On occasion you might need to check your logs to see a certain user’s VPN activity. If you are using a syslog server, there are a couple of things you can look for that will give you the name of the user who logged in, the date and time, the IP address they connected from, and the VPN group.

1. Open the syslog file. Which file that is depends on how your logs are set up: daily, monthly, yearly, etc.
2. Search for the username you want to see VPN activity for. The log will contain the time the session started, the name of the user connecting, the name of the VPN profile used, and the IP they connected from. The start of a VPN session will look like this:

2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:18 PST: %ASA-vpn-5-713130: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Received unsupported transaction mode attribute: 5
2009-3-28 22:37:20 Local4.Error 10.255.255.1 :Mar 28 22:37:18 PST: %ASA-vpn-3-713119: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, PHASE 1 COMPLETED
2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:18 PST: %ASA-vpn-5-713075: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:19 PST: %ASA-vpn-5-713049: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Security negotiation complete for User (jsmith) Responder, Inbound SPI = 0xd759e860, Outbound SPI = 0x0d4b19d5
2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:19 PST: %ASA-vpn-5-713120: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, PHASE 2 COMPLETED (msgid=5a5f9c4c)

This tells us that a user named jsmith connected on 3/23/09 at 22:37:20. The user was part of the ASA group Cisco-VPN and the IP the user connected from was 75.104.195.48.

3. To see when the user disconnected and how long they were connected, look for the following entries:

2009-3-29 01:04:30 Local4.Notice 10.255.255.1 :Mar 29 01:04:39 PST: %ASA-vpn-5-713050: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Connection terminated for peer jsmith. Reason: Peer Terminate Remote Proxy 10.254.0.10, Local Proxy 0.0.0.0
2009-3-29 01:04:30 Local4.Warning 10.255.255.1 :Mar 29 01:04:39 PST: %ASA-auth-4-113019: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Session disconnected. Session Type: IPsec, Duration: 1h:23m:29s, Bytes xmt: 6224550, Bytes rcv: 1082700, Reason: User Requested

This tells us that user jsmith disconnected on 3/23/09 at 01:04:30, total connection duration was 1h:23m:29s, and the session was terminated at the user's request.

This example was based on a Cisco ASA, but should be relevant to other firewalls as well.
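The manual search in steps 2 and 3 can be scripted. The following is an added example, not part of the original post: it pairs the PHASE 1/PHASE 2 COMPLETED records (713119, 713120) with the Session disconnected record (113019) for one user. The names vpn_sessions and SAMPLE are hypothetical, and the sample lines are copied from the log excerpts above.

```python
import re
from datetime import datetime

# Field layout follows the log lines shown on this page; the optional group
# also accepts message IDs written without a class name (%ASA-5-713120).
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2}).*?"
    r"%ASA-(?:\w+-)?\d-(?P<msgid>\d{6}): Group = (?P<group>[^,]+), "
    r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), (?P<text>.*)$")
DISC = re.compile(
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$")
START_IDS = {"713119", "713120"}   # PHASE 1 / PHASE 2 COMPLETED
END_ID = "113019"                  # Session disconnected

def vpn_sessions(lines, username):
    """Pair tunnel-up and disconnect records for one user into sessions."""
    sessions, open_by_ip = [], {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["user"] != username:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")  # syslog server time
        if m["msgid"] in START_IDS and m["ip"] not in open_by_ip:
            open_by_ip[m["ip"]] = {"user": username, "group": m["group"],
                                   "ip": m["ip"], "start": ts, "end": None}
        elif m["msgid"] == END_ID:
            # A disconnect whose start was not seen (rotated log) is still reported.
            s = open_by_ip.pop(m["ip"], {"user": username, "group": m["group"],
                                         "ip": m["ip"], "start": None})
            s["end"] = ts
            d = DISC.search(m["text"])
            if d:
                secs = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
                s.update(duration_s=secs, bytes_xmt=int(d["xmt"]),
                         bytes_rcv=int(d["rcv"]), reason=d["reason"])
            sessions.append(s)
    return sessions + list(open_by_ip.values())   # sessions still open come last

# Sample input: three of the log lines quoted in this post.
SAMPLE = [
    "2009-3-28 22:37:20 Local4.Error 10.255.255.1 :Mar 28 22:37:18 PST: %ASA-vpn-3-713119: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, PHASE 1 COMPLETED",
    "2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:19 PST: %ASA-vpn-5-713120: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, PHASE 2 COMPLETED (msgid=5a5f9c4c)",
    "2009-3-29 01:04:30 Local4.Warning 10.255.255.1 :Mar 29 01:04:39 PST: %ASA-auth-4-113019: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Session disconnected. Session Type: IPsec, Duration: 1h:23m:29s, Bytes xmt: 6224550, Bytes rcv: 1082700, Reason: User Requested",
]

if __name__ == "__main__":
    for session in vpn_sessions(SAMPLE, "jsmith"):
        print(session)
```

To run it against a real file, pass the open file object as `lines`. The duration pattern covers only the `h:m:s` form shown in this post.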
