Robert Davis
Cisco Logging Doesn't Show VPN Events
I have a Cisco 1811 with AnyConnect SSL VPN configured. The VPN functionality works just fine; I can use both the Windows client and the Web client and access intranet resources. However, I have a user using the Mac client that gets an "Unable to establish VPN" error message.
I would like to view the logs to see what the error was, but I do not see any VPN related messages in the logs. There are no error messages for their attempt or success messages for when I connect. I get console configured messages and firewall packet drop messages, but nothing related to VPN.
Here's my logging config, I am logging at level 7 according to the SDM:
logging trap debugging
logging internal.sub.net.19
Any ideas? Suggestions would be greatly appreciated!
Thanks,
Robert
Just thinking. You have access lists in place? There is an option 'log' that you can add at the end of those statements. It might not give you all VPN events but perhaps enough to see where it goes wrong.
You posted your trap logging configuration, but where is your syslog config? You also need to remember that syslog is more robust in terms of the number and the detail of event messages.
Traps are a smaller subset of syslog events.
logging buffered informational
logging buffered 1000000
harbor235 ;}
ASKER
Sorry, this is the rest of the logging config, am I missing something from it?
Thanks,
Robert
logging message-counter syslog
logging buffered 51200
logging console critical
ASKER
erniebeek: I already do that, that's how come I said I see packet drops (ACL drop matches) in my original post. What I don't see is anything VPN related :-(.
Regards,
Robert
ASKER
All I can find is this for an ASA; unfortunately the commands are not compatible: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809b4754.shtml
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
logging class svc console debugging
^
"logging buffered informational" provides more messages than "critical"; debugging can be too much. Informational provides those status messages you need.
harbor235 ;}
ASKER
I already have logging informational...but don't see any logs relevant to VPN...
can u post your sanitized config?
harbor235 ;}
ASKER
Below, thanks!
Building configuration...
Current configuration : 18611 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 1000000
logging console critical
enable secret --snipped--
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -8
!
crypto --snipped--
!
!
crypto --snipped--
!
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name corp.fqdn.tld
ip name-server internal.sub.net.7
ip name-server internal.sub.net.6
ip port-map http port tcp 7880 description PowerSchool
ip port-map user-protocol--1 port tcp 1337
ip port-map user-cwrdp port tcp 16161 description CW RDP
ip port-map user-smtps port tcp 465 description Secure SMTP
ip port-map https port tcp from 2082 to 2087 description cPanel/WHM
ip port-map https port tcp 2222 8888 description DirectAdmin
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username--snipped--
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 104
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any ICMP
match protocol icmp
class-map type inspect match-any IP
match protocol tcp
match protocol udp
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any DHCP
match protocol bootpc
match protocol bootps
match protocol dhcp-failover
class-map type inspect match-any Remote-Access
match protocol ssh
match protocol shell
match protocol telnet
class-map type inspect match-any cwrdp
match protocol user-cwrdp
class-map type inspect match-all sdm-cls-sdm-inspect-8
match class-map cwrdp
match access-group name cwrdp
class-map type inspect match-any irc
match protocol user-protocol--1
class-map type inspect match-all sdm-cls-sdm-inspect-9
match class-map irc
match access-group name any
class-map type inspect match-any P2PIM
match protocol aol
match protocol msnmsgr
match protocol ymsgr
match protocol bittorrent
match protocol directconnect
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any DNS
match protocol dns
match protocol ddns-v3
class-map type inspect match-all sdm-cls-sdm-inspect-2
match class-map DNS
match access-group name DNS
class-map type inspect match-any EMail
match protocol smtp
match protocol imap
match protocol imaps
match protocol imap3
match protocol pop3
match protocol pop3s
class-map type inspect match-all sdm-cls-sdm-inspect-3
match class-map EMail
match access-group name EMail
class-map type inspect match-any sdm-service-sdm-inspect-1
match protocol http
match protocol https
class-map type inspect match-any FTP
match protocol ftp
match protocol ftps
class-map type inspect match-all sdm-cls-sdm-inspect-1
match class-map FTP
match access-group name FTP
class-map type inspect match-any AnyIP
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-sdm-inspect-6
match class-map AnyIP
match access-group name VPNIn
class-map type inspect match-any smtps
match protocol user-smtps
class-map type inspect match-all sdm-cls-sdm-inspect-7
match class-map smtps
match access-group name smtps
class-map type inspect match-any ntp
match protocol ntp
class-map type inspect match-all sdm-cls-sdm-inspect-4
match class-map ntp
match access-group name NTP
class-map type inspect match-all sdm-cls-sdm-inspect-5
match class-map IP
match access-group name VPNOut
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match class-map sdm-service-sdm-inspect-1
match access-group name outbound
class-map type inspect match-any any
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect ICMP
inspect
class type inspect DHCP
inspect
class type inspect Remote-Access
drop log
class type inspect P2PIM
class type inspect sdm-cls-sdm-inspect-9
inspect
class type inspect sdm-cls-sdm-inspect-4
inspect
class type inspect sdm-cls-sdm-inspect-2
inspect
class type inspect sdm-cls-sdm-inspect-1
inspect
class type inspect sdm-protocol-http
inspect
class type inspect sdm-cls-sdm-inspect-3
inspect
class type inspect sdm-cls-sdm-inspect-7
inspect
class type inspect sdm-cls-sdm-inspect-8
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
drop log
policy-map type inspect sdm-permit
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address external.ip.add.ress 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!
interface FastEthernet2
description TFEC
switchport mode trunk
!
interface FastEthernet3
description Gaucholan
switchport access vlan 28
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback0
zone-member security in-zone
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address internal.sub.net.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan20
description VoIP
ip address 192.168.111.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
shutdown
!
ip local pool vpn_pool1 vpn.sub.net.2 vpn.sub.net.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 isp.ip.add.ress
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool pool1 internal.sub.net.0 vpn.sub.net.0 netmask 0.0.0.255
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp internal.sub.net.7 1337 external.ip.add.ress 1337 extendable
!
ip access-list extended DNS
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended EMail
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended FTP
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended NTP
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
remark SDM_ACL Category=17
permit tcp any any eq 443
ip access-list extended VPNIn
remark SDM_ACL Category=128
permit ip vpn.sub.net.0 0.0.0.255 internal.sub.net.0 0.0.0.255
ip access-list extended VPNOut
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 vpn.sub.net.0 0.0.0.255
ip access-list extended any
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended cwrdp
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended outbound
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended smtps
remark SDM_ACL Category=128
permit ip internal.sub.net.0 0.0.0.255 any
!
logging trap debugging
logging internal.sub.net.19
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit internal.sub.net.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit internal.alternate.net.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 173.13.168.44 0.0.0.3 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark ssh
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 22
access-list 101 remark DHCP
access-list 101 permit udp any any eq bootpc
access-list 101 remark DHCP
access-list 101 permit udp any any eq bootps
access-list 101 remark Web HTTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq www
access-list 101 remark SSL HTTPS
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 443
access-list 101 remark DNS
access-list 101 permit udp internal.sub.net.0 0.0.0.255 any eq domain
access-list 101 remark DNS
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq domain
access-list 101 remark POP3
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq pop3
access-list 101 remark POP3 SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 995
access-list 101 remark SMTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 465
access-list 101 remark SMTP SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 587
access-list 101 remark SMTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq smtp
access-list 101 remark IMAP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 143
access-list 101 remark IMAP SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 993
access-list 101 remark PowerSchool
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 7880
access-list 101 remark FTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq ftp
access-list 101 remark FTP PASV
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any range 35000 36000
access-list 101 remark cPanel/WHM
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any range 2082 2087
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark SSH
access-list 102 permit tcp any eq 22 internal.sub.net.0 0.0.0.255
access-list 102 remark DHCP
access-list 102 permit udp any eq bootps any
access-list 102 remark DHCP
access-list 102 permit udp any eq bootpc any
access-list 102 remark Web HTTP
access-list 102 permit tcp any eq www internal.sub.net.0 0.0.0.255
access-list 102 remark SSL HTTPS
access-list 102 permit tcp any eq 443 internal.sub.net.0 0.0.0.255
access-list 102 remark DNS
access-list 102 permit udp any eq domain internal.sub.net.0 0.0.0.255
access-list 102 remark DNS
access-list 102 permit tcp any eq domain internal.sub.net.0 0.0.0.255
access-list 102 remark POP3
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq pop3
access-list 102 remark POP3 SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 995
access-list 102 remark SMTP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 465
access-list 102 remark SMTP SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 587
access-list 102 remark SMTP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq smtp
access-list 102 remark IMAP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 143
access-list 102 remark IMAP SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 993
access-list 102 remark FTP
access-list 102 permit tcp any internal.sub.net.0 0.0.0.255 eq ftp
access-list 102 remark PowerSchool
access-list 102 permit tcp any eq 7880 internal.sub.net.0 0.0.0.255
access-list 102 remark FTP PASV
access-list 102 permit tcp any range 35000 36000 internal.sub.net.0 0.0.0.255
access-list 102 remark cPanel/WHM
access-list 102 permit tcp any range 2082 2087 internal.sub.net.0 0.0.0.255
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host internal.sub.net.7
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip any host external.ip.add.ress
access-list 105 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
banner motd ^CCCC
---------------------------------------------------------------------------
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This computer system is for authorized users only. All activity is logged and
regularly checked by systems personnel. Individuals using this system without
authority or in excess of their authority are subject to having all their
services revoked. Any illegal services run by user or attempts to take down
this server or its services will be reported to local law enforcement, and
said user will be punished to the full extent of the law. Anyone using this
system consents to these terms.
Warning - unauthorized access, attempted access, or use of any State computing
system is a violation of Section 502 of the CaliforniaPenal and/or applicable Federal Laws.
---------------------------------------------------------------------------
^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler interval 500
!
webvpn gateway gateway_1
ip address external.ip.add.ress port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3686776916
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.3.0254-k9.pkg sequence 1
!
webvpn context TFVPN
secondary-color white
title-color #FF9900
text-color black
ssl authenticate verify all
!
!
!
policy group policy_1
url-list "Intranet"
functions svc-enabled
mask-urls
svc address-pool "vpn_pool1"
svc default-domain "corp.fqdn.tld."
svc keep-client-installed
svc split dns "corp.fqdn.tld."
svc split include internal.sub.net.0 255.255.255.0
svc split include internal.alternate.net.0 255.255.255.0
svc dns-server primary internal.sub.net.6
svc dns-server secondary internal.sub.net.7
virtual-template 1
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1 domain tfvpn
max-users 5
inservice
!
end
Cisco1811#
I do not see logging buffered informational ????? You need to add it
harbor235;}
ASKER
logging buffered informational does not save to the running config, it appears...
ASKER
logging buffered 4096 informational
Now it's there...
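Added example (mine, not from the thread or from Cisco): a small Python parser for IOS log lines in this router's format (sequence numbers, msec timestamps, PCTime zone) that applies the severity rule harbor235 describes to the thread's own `logging console critical`, `logging buffered 1000000` and `logging buffered 4096 informational` lines, showing which messages each destination keeps. The sample log lines and the WEBVPN mnemonics are constructed placeholders, and the per-destination default levels used when a config line omits one are the IOS defaults as I know them.

```python
import re
from typing import Optional

# Cisco IOS severity names -> numeric level (lower number = more severe).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# IOS default level for each destination when the config line omits one (assumed IOS defaults).
DEFAULT_LEVEL = {"buffered": "debugging", "console": "debugging", "trap": "informational"}

# Optional "seq: " (service sequence-numbers), optional "timestamp: " (service timestamps log
# datetime msec localtime show-timezone), then the mandatory %FACILITY-SEVERITY-MNEMONIC: text.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Za-z]+)?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse_ios_syslog(line: str) -> Optional[dict]:
    """Split one IOS log line into fields; None for anything that is not a %FAC-SEV-MNEM message."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields

def destination_level(config_line: str) -> str:
    """Effective level name for a 'logging buffered|console|trap ...' line, e.g. 'logging buffered 1000000'."""
    parts = config_line.split()
    dest = parts[1]
    names = [p for p in parts[2:] if p in SEVERITY]      # a trailing word naming a level, if any
    return names[-1] if names else DEFAULT_LEVEL[dest]

def admitted(level_name: str, severity: int) -> bool:
    """A destination at LEVEL keeps messages at that severity or more severe (numerically <=)."""
    return severity <= SEVERITY[level_name]

def filter_for_destination(lines, config_line: str):
    """Messages the destination described by config_line would keep, in order."""
    level = destination_level(config_line)
    return [m for m in map(parse_ios_syslog, lines) if m and admitted(level, m["severity"])]

# Constructed sample output in this router's format (sequence numbers, msec timestamps, PCTime).
# SYS/FW mnemonics are real IOS ones; the WEBVPN lines are illustrative placeholders, not real messages.
SAMPLE_LINES = [
    "000101: Mar  3 09:12:01.004 PCTime: %SYS-5-CONFIG_I: Configured from console by vty0 (internal.sub.net.19)",
    "000102: Mar  3 09:12:07.318 PCTime: %FW-6-DROP_PKT: Dropping tcp session ... due to policy match failure",
    "000103: Mar  3 09:12:09.551 PCTime: %WEBVPN-6-EXAMPLE_SESSION_UP: placeholder SSL VPN session message",
    "000104: Mar  3 09:12:11.020 PCTime: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "000105: Mar  3 09:12:12.777 PCTime: %WEBVPN-7-EXAMPLE_DEBUG: placeholder debug-level detail",
    "Cisco1811#show logging",
]

if __name__ == "__main__":
    for cfg in ("logging console critical", "logging buffered 1000000", "logging buffered 4096 informational"):
        print(cfg, "->", [m["mnemonic"] for m in filter_for_destination(SAMPLE_LINES, cfg)])
```

Feeding it the real `show logging` output instead of the constructed lines shows directly whether a given destination's level is what hides a message, or whether the router never generated one at all.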