Cisco Logging Doesn't Show VPN Events

I have a Cisco 1811 with Any-Connect SSL VPN configured.  The VPN functionality works just fine, I can use both the Windows client and the Web client and access intranet resources.  However, I have a user using the mac client htat gets a "Unable to establish VPN" error message.

I would like to view the logs to see what the error was, but I do not see any VPN related messages in the logs.  There are no error messages for their attempt or success messages for when I connect.  I get console configured messages and firewall packet drop messages, but nothing related to VPN.

Here's my logging config, I am logging at level 7 according to the SDM:
logging trap debugging
logging internal.sub.net.19

Open in new window


Any ideas?  Suggestions would be greatly appreciated!

Thanks,
Robert
LVL 1
Robert DavisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ernie BeekExpertCommented:
Just thinking. You have access lists in place? There is an option 'log' that you can add at the end of those statements. It might not give you all VPN events but perhaps enough to see where it goes wrong.
0
harbor235Commented:


You posted your trap loggin g configuration but where is your syslog config? You also need to remember that syslog is more robust in terms of the number and the detail of event messages.
Traps are a smaller subset of syslog events.

logging buffered informational
logging buffered 1000000

harbor235 ;}
0
Robert DavisAuthor Commented:
Sorry, this is the rest of the logging config, am I missing something from it?
logging message-counter syslog
logging buffered 51200
logging console critical

Open in new window


Thanks,
Robert
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Robert DavisAuthor Commented:
erniebeek: I already do that, that's how come I said I see packet drops (ACL drop matches) in my original post.  What I don't see is anything VPN related :-(.

Regards,
Robert
0
Robert DavisAuthor Commented:
All I can find is this for an ASA, unfortunately the commands are nto comptaible: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809b4754.shtml

logging class auth console debugging 
logging class webvpn console debugging 
logging class ssl console debugging
logging class svc console debugging
        ^

Open in new window

0
harbor235Commented:


"logging buffered informational" provides more messages than "critical", debuggign can be too much. Informational provides those status messgaes you need.

harbor235 ;}
0
Robert DavisAuthor Commented:
I already have logging informational...but don't see any logs relevant to VPN...
0
harbor235Commented:


can u post your sanitized config?

harbor235 ;}
0
Robert DavisAuthor Commented:
Below, thanks!
Building configuration...

Current configuration : 18611 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 1000000
logging console critical
enable secret --snipped--
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
!
!
aaa session-id common
clock timezone PCTime -8
!
crypto --snipped--
!
!
crypto --snipped--
!
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name corp.fqdn.tld
ip name-server internal.sub.net.7
ip name-server internal.sub.net.6
ip port-map http port tcp 7880 description PowerSchool
ip port-map user-protocol--1 port tcp 1337
ip port-map user-cwrdp port tcp 16161 description CW RDP
ip port-map user-smtps port tcp 465 description Secure SMTP
ip port-map https port tcp from 2082 to 2087  description cPanel/WHM
ip port-map https port tcp 2222 8888 description DirectAdmin
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username--snipped--
! 
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 103
 match protocol user-protocol--1
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 104
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any ICMP
 match protocol icmp
class-map type inspect match-any IP
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any DHCP
 match protocol bootpc
 match protocol bootps
 match protocol dhcp-failover
class-map type inspect match-any Remote-Access
 match protocol ssh
 match protocol shell
 match protocol telnet
class-map type inspect match-any cwrdp
 match protocol user-cwrdp
class-map type inspect match-all sdm-cls-sdm-inspect-8
 match class-map cwrdp
 match access-group name cwrdp
class-map type inspect match-any irc
 match protocol user-protocol--1
class-map type inspect match-all sdm-cls-sdm-inspect-9
 match class-map irc
 match access-group name any
class-map type inspect match-any P2PIM
 match protocol aol
 match protocol msnmsgr
 match protocol ymsgr
 match protocol bittorrent
 match protocol directconnect
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any DNS
 match protocol dns
 match protocol ddns-v3
class-map type inspect match-all sdm-cls-sdm-inspect-2
 match class-map DNS
 match access-group name DNS
class-map type inspect match-any EMail
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
 match protocol pop3
 match protocol pop3s
class-map type inspect match-all sdm-cls-sdm-inspect-3
 match class-map EMail
 match access-group name EMail
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol https
class-map type inspect match-any FTP
 match protocol ftp
 match protocol ftps
class-map type inspect match-all sdm-cls-sdm-inspect-1
 match class-map FTP
 match access-group name FTP
class-map type inspect match-any AnyIP
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-sdm-inspect-6
 match class-map AnyIP
 match access-group name VPNIn
class-map type inspect match-any smtps
 match protocol user-smtps
class-map type inspect match-all sdm-cls-sdm-inspect-7
 match class-map smtps
 match access-group name smtps
class-map type inspect match-any ntp
 match protocol ntp
class-map type inspect match-all sdm-cls-sdm-inspect-4
 match class-map ntp
 match access-group name NTP
class-map type inspect match-all sdm-cls-sdm-inspect-5
 match class-map IP
 match access-group name VPNOut
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match class-map sdm-service-sdm-inspect-1
 match access-group name outbound
class-map type inspect match-any any
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect 
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect ICMP
  inspect 
 class type inspect DHCP
  inspect 
 class type inspect Remote-Access
  drop log
 class type inspect P2PIM
 class type inspect sdm-cls-sdm-inspect-9
  inspect 
 class type inspect sdm-cls-sdm-inspect-4
  inspect 
 class type inspect sdm-cls-sdm-inspect-2
  inspect 
 class type inspect sdm-cls-sdm-inspect-1
  inspect 
 class type inspect sdm-protocol-http
  inspect 
 class type inspect sdm-cls-sdm-inspect-3
  inspect 
 class type inspect sdm-cls-sdm-inspect-7
  inspect 
 class type inspect sdm-cls-sdm-inspect-8
  inspect 
 class type inspect SDM-Voice-permit
  inspect 
 class class-default
  drop log
policy-map type inspect sdm-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect 
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address external.ip.add.ress 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 description TFEC
 switchport mode trunk
!
interface FastEthernet3
 description Gaucholan
 switchport access vlan 28
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security in-zone
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address internal.sub.net.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan20
 description VoIP
 ip address 192.168.111.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 shutdown
!
ip local pool vpn_pool1 vpn.sub.net.2 vpn.sub.net.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 isp.ip.add.ress
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool pool1 internal.sub.net.0 vpn.sub.net.0 netmask 0.0.0.255
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp internal.sub.net.7 1337 external.ip.add.ress 1337 extendable
!
ip access-list extended DNS
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended EMail
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended FTP
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended NTP
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 remark SDM_ACL Category=17
 permit tcp any any eq 443
ip access-list extended VPNIn
 remark SDM_ACL Category=128
 permit ip vpn.sub.net.0 0.0.0.255 internal.sub.net.0 0.0.0.255
ip access-list extended VPNOut
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 vpn.sub.net.0 0.0.0.255
ip access-list extended any
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended cwrdp
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended outbound
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended smtps
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
!
logging trap debugging
logging internal.sub.net.19
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit internal.sub.net.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit internal.alternate.net.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 173.13.168.44 0.0.0.3 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark ssh
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 22
access-list 101 remark DHCP
access-list 101 permit udp any any eq bootpc
access-list 101 remark DHCP
access-list 101 permit udp any any eq bootps
access-list 101 remark Web HTTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq www
access-list 101 remark SSL HTTPS
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 443
access-list 101 remark DNS
access-list 101 permit udp internal.sub.net.0 0.0.0.255 any eq domain
access-list 101 remark DNS
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq domain
access-list 101 remark POP3
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq pop3
access-list 101 remark POP3 SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 995
access-list 101 remark SMTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 465
access-list 101 remark SMTP SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 587
access-list 101 remark SMTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq smtp
access-list 101 remark IMAP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 143
access-list 101 remark IMAP SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 993
access-list 101 remark PowerSchool
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 7880
access-list 101 remark FTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq ftp
access-list 101 remark FTP PASV
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any range 35000 36000
access-list 101 remark cPanel/WHM
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any range 2082 2087
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark SSH
access-list 102 permit tcp any eq 22 internal.sub.net.0 0.0.0.255
access-list 102 remark DHCP
access-list 102 permit udp any eq bootps any
access-list 102 remark DHCP
access-list 102 permit udp any eq bootpc any
access-list 102 remark Web HTTP
access-list 102 permit tcp any eq www internal.sub.net.0 0.0.0.255
access-list 102 remark SSL HTTPS
access-list 102 permit tcp any eq 443 internal.sub.net.0 0.0.0.255
access-list 102 remark DNS
access-list 102 permit udp any eq domain internal.sub.net.0 0.0.0.255
access-list 102 remark DNS
access-list 102 permit tcp any eq domain internal.sub.net.0 0.0.0.255
access-list 102 remark POP3
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq pop3
access-list 102 remark POP3 SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 995
access-list 102 remark SMTP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 465
access-list 102 remark SMTP SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 587
access-list 102 remark SMTP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq smtp
access-list 102 remark IMAP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 143
access-list 102 remark IMAP SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 993
access-list 102 remark FTP
access-list 102 permit tcp any internal.sub.net.0 0.0.0.255 eq ftp
access-list 102 remark PowerSchool
access-list 102 permit tcp any eq 7880 internal.sub.net.0 0.0.0.255
access-list 102 remark FTP PASV
access-list 102 permit tcp any range 35000 36000 internal.sub.net.0 0.0.0.255
access-list 102 remark cPanel/WHM
access-list 102 permit tcp any range 2082 2087 internal.sub.net.0 0.0.0.255
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host internal.sub.net.7
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip any host external.ip.add.ress
access-list 105 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
no cdp run

!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
banner motd ^CCCC
---------------------------------------------------------------------------

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This computer system is for authorized users only. All activity is logged and
regularly checked by systems personnel. Individuals using this system without
authority or in excess of their authority are subject to having all their
services revoked. Any illegal services run by user or attempts to take down
this server or its services will be reported to local law enforcement, and
said user will be punished to the full extent of the law. Anyone using this
system consents to these terms.

Warning - unauthorized access, attempted access, or use of any State computing
system is a violation of Section 502 of the CaliforniaPenal and/or applicable Federal Laws.

---------------------------------------------------------------------------
^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler interval 500
!
webvpn gateway gateway_1
 ip address external.ip.add.ress port 443  
 http-redirect port 80
 ssl trustpoint TP-self-signed-3686776916
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.3.0254-k9.pkg sequence 1
 !
webvpn context TFVPN
 secondary-color white
 title-color #FF9900
 text-color black
 ssl authenticate verify all
 !
 !
 !
 policy group policy_1
   url-list "Intranet"
   functions svc-enabled
   mask-urls
   svc address-pool "vpn_pool1"
   svc default-domain "corp.fqdn.tld."
   svc keep-client-installed
   svc split dns "corp.fqdn.tld."
   svc split include internal.sub.net.0 255.255.255.0
   svc split include internal.alternate.net.0 255.255.255.0
   svc dns-server primary internal.sub.net.6
   svc dns-server secondary internal.sub.net.7
 virtual-template 1
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1 domain tfvpn
 max-users 5
 inservice
!
end

Cisco1811#

Open in new window

0
harbor235Commented:


I do not see logging buffered information  ?????  You need to add it


harbor235;}
0
Robert DavisAuthor Commented:
logging buffered informational does not save to running config then it appears...
0
Robert DavisAuthor Commented:
logging buffered 4096 informational

Open in new window


Now it's there...
0
Robert DavisAuthor Commented:
Ah I see, the logging buffered 100000 command overwrote the informational command, I executed the commands in the order suggested above...
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.