• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 321
  • Last Modified:

View log of client VPN connections and disconnections from a Cisco ASA in Solarwinds

I need to log start and stop times for all client vpn connections that terminate on a Cisco ASA 5510.  I currently use Solarwinds for Syslog and Netflow data, but I'm not exactly sure how to extract and view VPN only data in Solarwinds.

Any ideas?
  • 3
1 Solution
btanExec ConsultantCommented:
I was thinking this may be of relevance and help which uses  Orion Universal Device Poller to monitor with NPM. Separately Cisco has SNMP Object Navigator. The OID in the CISCO-IPSEC-FLOW-MONITOR-MIB can reflect couple of fields which reflects the current number of active tunnels, strat and stop of tunnel in  phase 1/2 and also the remote peer IP address. The navigator list out what the OID represents. There are also discussion on monitoring the ssl vpn , you can check out the steps shared to configure UnDP and view using "Custom Object Resource" (though it did not state the specific OID we are interested for start/end)..

Also from Cisco ASA, you can check out this which stated via console issuing "show vpn-sessiondb l2l" (exmple stated particular peer of interest) and also via ASDM to check the Monitoring section on the VPN information where you will select Site to Site VPN / L2L VPN. This should show the list of L2L VPN connections possibly active on the ASA. But do note the below pertaining the console instructions based on client connection that is of interest.

sh vpn-sessiondb remote (IPSec Remote VPN Clients)
sh vpn-sessiondb l2l (L2L Tunnels)
sh vpn-sessiondb svc (SSL VPN / Anyconnect Clients)
btanExec ConsultantCommented:
Specifically in solarwinds my previous post leads to the showing of the list of vpn
Go to Orion Universal Device Poller.  Add a new sensor and use OID  Make sure your MIB Value Type is Raw Value, Format is None, and SNMP Get Type is GET.  At that point, add your firewalls of interest to the poller.
Go to your Solarwinds view of interest and add a "Custom Object Resource".  Give it your title, choose your node, and for Select object resource, I chose Universal Device Poller - Linear Guage.  Set your gauge maximum value to the maximum number of SSL-VPNs you have licensed.  Set your style of gauge and off you go.  It will now be part of your view.
The gauge will show you both your number of SSL-VPN users graphically on the gauge as well as a number of your currently logged in SSL-VPN users.
see the last post https://thwack.solarwinds.com/thread/51594

For more details
there are some ways to get this to work:
1.create a node with the vpn ip address and icmp poll against that address for up/down stats.
2. setup SNMP Trap alerting; the vpn device will trap on a tunnel going down, and you could use the trap viewer to generate and email based on the trap from with in npm.
3.or you use the Universal Device Poller to monitor these in NPM with the info below:
btanExec ConsultantCommented:
For consideration
ID: 40510741
ID: 41714990
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now