What, if any, event ID is created on domain controller when a user logs off VPN?

Posted on 2010-08-31
Last Modified: 2012-05-10
I am attempting to use our Network Monitoring program to send an email alert when a user is granted access to, denied access to, or logs off our VPN. I am able to filter out IAS 1 for access granted, IAS 2 for access denied, but am having issues finding anything for when a user logs off their VPN client.

We use CISCO Anytime connect VPN and I DON'T see any other IAS messages besides Event ID 1 and Event ID 1. Our domain controller is on Windows Server 2003.
Question by:kyates57
  • 3
LVL 12

Accepted Solution

Rant32 earned 500 total points
ID: 33571857
Unfortunately, you will not see the logoff events. The IAS messages you see are generated when the VPN client authenticates to your VPN access router/firewall. The VPN router forwards the credentials to AD via RADIUS. IAS is not involved when disconnecting.

If the monitoring program supports SNMP, you may be able to generate an SMTP trap when VPN logon/logoff occurs.
LVL 12

Expert Comment

ID: 33571871
Oh, the VPN router is the device that knows when the client disconnects, any traps or reports should come from there.

Author Comment

ID: 33571873
Let me investigate, and if I find a solution, I will post it, else, I'll mark yours as the solution. Thanks for your time!
LVL 12

Expert Comment

ID: 33571882
Did I say SMTP trap? Been doing too much of that lately. That should be SNMP.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question