ASA logging to include user id

I no longer have a CCO account and am looking for help with capturing user setup/teardown information (VPN users) from my ASA logs.

Here is a snippet of the logs:
• Dec 18 19:57:56 192.168.110.160 : %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0
• Dec 18 19:57:56 192.168.110.160 : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0

And according to the following from the Cisco documentation, I should be able to get the username (see the last brackets), correct?
• %ASA-6-302020: Built ICMP connection connection_id from interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]
• %ASA-6-302021: Teardown ICMP connection connection_id from interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]

How can I capture the user information identified in those brackets? I need to know user setup/teardown activity and need to capture this.

Thanks
Ted
Ted James asked:

arnold commented:
Check which events you are logging. It seems you use xauth; your logging seems to only log the initial VPN setup, not including the xauth user authorization/authentication.

The page where you saw the example should include the command to enable the event.

Are you using tacacs+ aaa to record ........ sessions?
1

Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
Is Cisco ASA used as VPN Server? If yes, what type of VPN configuration are you using (IPsec, WebVPN...). You need to add some logging messages to see their output. Example: logging list xxx message 713228 & logging list xxx message 722022.
0
Ted James (Author) commented:
We are using TACACS+ for all internal users but I am not sure if it includes the VPN users who are not just weekend warriors but sometimes outside clients.
Not doing IPsec.  WebVPN is being used.

What is the correct logging statement to put in the ASA to allow the user data to be included in the ASA logs?
0

arnold commented:
What credentials do the outside warriors provide to set up the VPN? If they do not have a username/password, I'm not sure how a username will be reflected in the VPN setup.
0
Ted James (Author) commented:
They do username and password.  They use Anyconnect as the client.
0
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
Can you please share the VPN configuration on the ASA?
0
arnold commented:
This is most likely, as Mustafa suggested, a question of whether your logging includes webvpn:

https://supportforums.cisco.com/t5/vpn/cisco-asa-webvpn-acl-logging/td-p/1717010
logging class webvpn .......

show your logging configuration...

show config | in logging
1
Ted James (Author) commented:
Can't do the whole thing but here is a snippet of what I think is relevant from the config (I hope).  It looks like I'm missing that one logging command?  Anything else strikes you?

logging enable
logging timestamp
logging trap debugging
logging buffered informational
logging host REMOTE-USER-SYSLOG 17.40.38.60


aaa-server acs tacacs protocol tacacs+
aaa-server acs tacacs (REMOTE-USER-SYSLOG) host 17.a.b.c
user-identity default-domain LOCAL
aaa authentication enable console acs tacacs LOCAL
aaa authentication ssh console acs tacacs LOCAL
aaa authorization exec authentication-server auto-enable
0
arnold commented:
Do you have an option for logging class webvpn?
I do not know for sure whether webvpn is auto-logged when logging is enabled. Check the webvpn configuration to see whether it has a log event selected.
0
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
Post also the output of show run tunnel-group, show run group-policy, and show run webvpn
0
Ted James (Author) commented:
Outputs enclosed below.

So would the following logging command allow user information (user ID) to be displayed in the syslogs?

"logging class webvpn trap informational"    (or, as an option, choose "debugging" instead of "informational"; either way, would it show any user details?)


Outputs of what you asked:

webvpn
 enable outside
 hostscan image disk0:/hostscan_4.3.08-k9.pkg
 hostscan enable
 anyconnect image disk0:/anyconnect-win-4.2.03-k9.pkg 1
 anyconnect profiles Remotes disk0:/remotes.xml
 anyconnect profiles Partners disk0:/partners.xml
 anyconnect enable
 keepout "Use AnyConnect."
 cache
  disable
 error-recovery disable


group-policy DefGroupPol attributes
 wins-server value 17.1.2.3
 dns-server value 8.8.8.4
 vpn-session-timeout 720
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ssl-client
 default-domain value xyz.com
group-policy Remotes_Pol internal
group-policy Remotes_Pol attributes
 wins-server value 17.2.3.4
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain value xyz.com
 address-pools value Remotes_IP_Pool
 webvpn
  anyconnect profiles value Remotes type user
group-policy Partners_Pol internal
group-policy Partners_Pol attributes
 wins-server value 17.1.2.3
 dns-server value 8.8.8.6
 vpn-tunnel-protocol ssl-client
 address-pools value Partners_IP_Pool
 webvpn
  anyconnect profiles value Partners type user
dynamic-access-policy-record DefAccessPol
 description "Deny."
 action terminate
dynamic-access-policy-record LAPTOP-Allow
 description "Approved LAPTOP with Cisco AnyConnect"
 priority 50
action terminate
 priority 30



tunnel-group DefRemoteAccess general-attributes
 authentication-server-group SSL
tunnel-group DefWebVPN general-attributes
 authentication-server-group SSL
 accounting-server-group SSL


Thank you,
Ted
0
Mustafa Al Housami (Network and Security Consultant/CCIE #48377) commented:
Hello Ted,
Try to add the following command: logging message 722051. This command will display the below information in syslog messages:

%ASA-6-722051: Group group-policy User username IP public-ip IPv4 Address assigned-ip IPv6 Address assigned-ip  assigned to session

Explanation The specified address has been assigned to the given user.
• group-policy —The group policy that allowed the user to gain access
• username —The name of the user
• public-ip —The public IP address of the connected client
• assigned-ip —The IPv4 or IPv6 address that is assigned to the client
0
Ted James (Author) commented:
Thanks for the info.

So apparently I was initially looking at the wrong logs for user connections?  

Is my understanding correct that the logs ASA-6-302020 and  ASA-6-302021 are for ICMP (most likely Ping?) connection setups only?

Thanks in advance.

To be honest, I wasn't aware of any authentication (xauth or otherwise) used for ICMP other than ACLs for blocking/allowing. But there is an "icmp inspect" command in there, but still nothing about user authentication.
0
arnold commented:
xauth is a secondary username/password to authorize the user for VPN access.
ICMP is a ping.
i.e., the first step is the VPN setup; then xauth kicks in to see whether the user on the other side of the VPN is authorized.
This deals with having a single remote VPN policy deployed to many users, so that only active users with credentials will complete the VPN setup process.
The other option deals with setting up different remote VPN policies with distinct preshared ...
0
Ted James (Author) commented:
For my initial example however, it looks to me now that it has nothing to do with the VPN setup. Something I didn't consider before.   Is that right?


• Dec 18 19:57:56 192.168.110.160 : %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0
• Dec 18 19:57:56 192.168.110.160 : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0


Look at the timestamps: immediately one after the other. Isn't that just a log event for a ping?
0
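As a worked illustration of the two points made in this thread (the 722051 message is where the username and assigned VPN address appear, while the 302020/302021 ICMP build/teardown lines carry no user unless the ASA has an identity mapping for the address), here is an added Python example. It is not from the thread and not Cisco's code. It parses both message types from a syslog feed and tags each ICMP event with the user whose 722051-assigned address matches its faddr or laddr, which is how a log collector can answer "which VPN user built this connection" even though the connection message itself has no user field. The two ICMP lines are the ones from the question; the 722051 sample line follows the layout quoted from the documentation, and the user name jdoe, the group Remotes_Pol and the public address 203.0.113.25 in it are constructed.

```python
"""Attribute ASA ICMP build/teardown events to a VPN user via 722051.

Added example for this thread, not Cisco code. Message layouts follow the
Cisco documentation quoted in the thread; the 722051 sample line below is
constructed (user "jdoe", group "Remotes_Pol", public IP 203.0.113.25).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Mon DD HH:MM:SS <device> : " prefix as seen in the question's log snippet.
RE_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) : "
)

# 722051: Group <g> User <u> IP <public> IPv4 Address <assigned> ...
# Angle brackets are optional so the documented layout and bracketed output
# both match.
RE_722051 = re.compile(
    r"%ASA-\d-722051: Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? "
    r"IP <?(?P<public_ip>[^>\s]+)>? IPv4 Address <?(?P<assigned_ip>[^>\s]+)>?"
)

# 302020/302021: ICMP build/teardown. The trailing "(user)" is only present
# when the ASA has an identity (idfw) mapping; it is absent in the question.
RE_ICMP = re.compile(
    r"%ASA-\d-(?P<msg_id>30202[01]): (?P<action>Built|Teardown) "
    r"(?:inbound |outbound )?ICMP connection for faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
    r"(?: \((?P<user>[^)]+)\))?"
)

# Constructed sample log: one 722051 assignment followed by the question's
# two ICMP lines.
SAMPLE_LOG = """\
Dec 18 19:55:01 192.168.110.160 : %ASA-6-722051: Group <Remotes_Pol> User <jdoe> IP <203.0.113.25> IPv4 Address <192.168.126.90> IPv6 address <::> assigned to session
Dec 18 19:57:56 192.168.110.160 : %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0
Dec 18 19:57:56 192.168.110.160 : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0
"""


@dataclass
class Event:
    ts: str
    device: str
    msg_id: str
    fields: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a 722051 or 302020/302021 line, else None."""
    m = RE_PREFIX.match(line)
    if not m:
        return None
    ts, device = m.group("ts"), m.group("device")
    body = line[m.end():]
    m2 = RE_722051.search(body)
    if m2:
        return Event(ts, device, "722051", m2.groupdict())
    m3 = RE_ICMP.search(body)
    if m3:
        d = m3.groupdict()
        return Event(ts, device, d.pop("msg_id"), d)
    return None


def attribute_sessions(log_text: str) -> List[Event]:
    """Parse all lines; tag ICMP events that carry no user with the VPN user
    whose 722051-assigned address matches faddr or laddr."""
    assigned: Dict[str, str] = {}  # assigned VPN IP -> username
    out: List[Event] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # other message IDs are ignored here
        if ev.msg_id == "722051":
            assigned[ev.fields["assigned_ip"]] = ev.fields["user"]
        elif ev.fields.get("user") is None:
            for key in ("faddr", "laddr"):
                if ev.fields[key] in assigned:
                    ev.fields["user"] = assigned[ev.fields[key]]
                    break
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in attribute_sessions(SAMPLE_LOG):
        print(ev.ts, ev.msg_id, ev.fields.get("action", "assign"),
              "user=%s" % ev.fields.get("user"))
```

The assignment table is keyed only on the IPv4 address from 722051; a production collector would also expire entries on the session-teardown messages so that a re-used pool address is not attributed to a previous user.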
Ted James (Author) commented:
Thanks!
0