What, if any, event ID is created on domain controller when a user logs off VPN?

Posted on 2010-08-31
Last Modified: 2012-05-10
I am attempting to use our Network Monitoring program to send an email alert when a user is granted access to, denied access to, or logs off our VPN. I am able to filter out IAS 1 for access granted, IAS 2 for access denied, but am having issues finding anything for when a user logs off their VPN client.

We use CISCO Anytime connect VPN and I DON'T see any other IAS messages besides Event ID 1 and Event ID 1. Our domain controller is on Windows Server 2003.
Question by:kyates57
  • 3
LVL 12

Accepted Solution

Rant32 earned 500 total points
ID: 33571857
Unfortunately, you will not see the logoff events. The IAS messages you see are generated when the VPN client authenticates to your VPN access router/firewall. The VPN router forwards the credentials to AD via RADIUS. IAS is not involved when disconnecting.

If the monitoring program supports SNMP, you may be able to generate an SMTP trap when VPN logon/logoff occurs.
LVL 12

Expert Comment

ID: 33571871
Oh, the VPN router is the device that knows when the client disconnects, any traps or reports should come from there.

Author Comment

ID: 33571873
Let me investigate, and if I find a solution, I will post it, else, I'll mark yours as the solution. Thanks for your time!
LVL 12

Expert Comment

ID: 33571882
Did I say SMTP trap? Been doing too much of that lately. That should be SNMP.

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Site-to-Site VPN Cisco ASA 5505 to Cisco RV320 4 154
What is this Task? 4 112
Gateway Resilience 4 57
Access denied running PowerPivot -SQL Server 2014 on Windows Server 2012 10 30
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question