How To Check Cisco ASA VPN Activity Using Syslog

On occasion you might need to check your logs to review a particular user's VPN activity. If you are using a syslog server, there are a couple of things you can look for that will give you the name of the user who logged in, the date and time, the IP address they connected from, and the VPN group.

1. Open the syslog file. Which file depends on how your logs are set up: daily, monthly, yearly, etc.
2. Search for the username whose VPN activity you want to see. The log will contain the time the session started, the name of the user connecting, the name of the VPN profile used, and the IP they connected from. The start of a VPN session will look like this:

2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:18 PST: %ASA-vpn-5-713130: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Received unsupported transaction mode attribute: 5
2009-3-28 22:37:20 Local4.Error 10.255.255.1 :Mar 28 22:37:18 PST: %ASA-vpn-3-713119: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, PHASE 1 COMPLETED
2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:18 PST: %ASA-vpn-5-713075: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:19 PST: %ASA-vpn-5-713049: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Security negotiation complete for User (jsmith) Responder, Inbound SPI = 0xd759e860, Outbound SPI = 0x0d4b19d5
2009-3-28 22:37:20 Local4.Notice 10.255.255.1 :Mar 28 22:37:19 PST: %ASA-vpn-5-713120: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, PHASE 2 COMPLETED (msgid=5a5f9c4c)

This tells us that a user named jsmith connected on 3/23/09 at 22:37:20. The user was part of the ASA group Cisco-VPN and the IP the user connected from was 75.104.195.48.

3. To see when the user disconnected and how long they were connected, look for the following entries:

2009-3-29 01:04:30 Local4.Notice 10.255.255.1 :Mar 29 01:04:39 PST: %ASA-vpn-5-713050: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Connection terminated for peer jsmith. Reason: Peer Terminate Remote Proxy 10.254.0.10, Local Proxy 0.0.0.0
2009-3-29 01:04:30 Local4.Warning 10.255.255.1 :Mar 29 01:04:39 PST: %ASA-auth-4-113019: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Session disconnected. Session Type: IPsec, Duration: 1h:23m:29s, Bytes xmt: 6224550, Bytes rcv: 1082700, Reason: User Requested

This tells us that user jsmith disconnected on 3/23/09 at 01:04:30, the total connection duration was 1h:23m:29s, and the session was terminated at the user's request.

This example was based on a Cisco ASA, but should be relevant to other firewalls as well.
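The manual search in steps 2 and 3 can be scripted. The following is an added example, not part of the original article: it pairs the 713119 (Phase 1 completed) and 113019 (session disconnected) messages for one user, assuming the line layout shown in the samples above; the function name `vpn_sessions` and the user `asmith` are made up for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed input: two lines quoted in the article plus one made-up user (asmith).
SAMPLE = [
    "2009-3-28 22:37:20 Local4.Error 10.255.255.1 :Mar 28 22:37:18 PST: %ASA-vpn-3-713119: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, PHASE 1 COMPLETED",
    "2009-3-28 22:40:02 Local4.Error 10.255.255.1 :Mar 28 22:40:01 PST: %ASA-vpn-3-713119: Group = Cisco-VPN, Username = asmith, IP = 192.0.2.15, PHASE 1 COMPLETED",
    "2009-3-29 01:04:30 Local4.Warning 10.255.255.1 :Mar 29 01:04:39 PST: %ASA-auth-4-113019: Group = Cisco-VPN, Username = jsmith, IP = 75.104.195.48, Session disconnected. Session Type: IPsec, Duration: 1h:23m:29s, Bytes xmt: 6224550, Bytes rcv: 1082700, Reason: User Requested",
]

# The leading timestamp is the syslog server's receive time, as in the samples.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2}) .*?%ASA-\w+-\d-(?P<id>\d{6}): "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.*)$")
# Duration layout (h:m:s) is taken from the article's sample 113019 line.
DISCONNECT = re.compile(
    r"Duration: (\d+)h:(\d+)m:(\d+)s, Bytes xmt: (\d+), Bytes rcv: (\d+), Reason: (.+)$")

def vpn_sessions(lines, username):
    """Pair 713119 (Phase 1 completed) with 113019 (session disconnected) for one user."""
    pending, sessions = {}, []
    for line in lines:
        m = HEADER.match(line.strip())
        if not m or m["user"] != username:  # exact match: "jsmith" must not hit "ajsmith"
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["id"] == "713119":
            pending[m["ip"]] = {"user": username, "group": m["group"], "ip": m["ip"],
                                "start": when, "end": None}
        elif m["id"] == "113019":
            # A disconnect whose start is missing (rotated log file) is still reported.
            s = pending.pop(m["ip"], {"user": username, "group": m["group"],
                                      "ip": m["ip"], "start": None})
            s["end"] = when
            d = DISCONNECT.search(m["msg"])
            if d:
                h, mi, sec, xmt, rcv = map(int, d.groups()[:5])
                s.update(duration=timedelta(hours=h, minutes=mi, seconds=sec),
                         bytes_xmt=xmt, bytes_rcv=rcv, reason=d.group(6))
            sessions.append(s)
    return sessions + list(pending.values())  # leftovers: no disconnect seen in this input

if __name__ == "__main__":
    for s in vpn_sessions(SAMPLE, "jsmith"):
        print(s)
```

The syslog timestamps and the ASA-reported Duration are kept as separate fields so the two can be compared when reviewing a session.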


2 Responses to How To Check Cisco ASA VPN Activity Using Syslog

  1. Ismail June 3, 2012 at 3:48 am #

    Kindly, what is the specific command needed to activate VPN access logging inside the ASA with IOS version 8.4?

  2. admin June 6, 2012 at 11:25 pm #

    Hello Ismail

    I'm not sure if there is a way to log only VPN access with the ASA. This article assumes you have syslog enabled and are sending these messages to a syslog server. The command to turn on logging is “logging enable”. So for example: hostname(config)# logging enable.

    For the specific steps on configuring syslog messages to a server you can view the instructions here: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_syslog.html#wp1484246

    If you don't have a syslog server set up, there are some free ones available which you should be able to find with a quick Google search. I hope this helps you.
