ASA logging to include user id

I no longer have a CCO account and am looking for help with capturing user setup/teardown information (VPN users) from my ASA logs.

Here is a snippet of the logs:
• Dec 18 19:57:56 192.168.110.160 : %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0
• Dec 18 19:57:56 192.168.110.160 : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0

And according to the following from the Cisco documentation, I should be able to get the username (see the last brackets), correct?
• %ASA-6-302020: Built ICMP connection connection_id from interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]
• %ASA-6-302021: Teardown ICMP connection connection_id from interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]

How can I capture the user information identified in those brackets? I need to know user setup/teardown activity and need to capture this.

Thanks
Ted
Ted JamesAsked:
arnoldCommented:
Check which events you are logging; it seems you use xauth, and your logging seems to only log the initial VPN setup, not including the xauth user authorization/authentication.

The page where you saw the example should include the command to enable the event.

Are you using tacacs+ aaa to record ........ Sessions?
1
 
Mustafa Al HousamiNetwork and Security Consultant/CCIE #48377Commented:
Is Cisco ASA used as VPN Server? If yes, what type of VPN configuration are you using (IPsec, WebVPN...). You need to add some logging messages to see their output. Example: logging list xxx message 713228 & logging list xxx message 722022.
0
 
Ted JamesAuthor Commented:
We are using TACACS+ for all internal users but I am not sure if it includes the VPN users who are not just weekend warriors but sometimes outside clients.
Not doing IPsec.  WebVPN is being used.

What is the correct logging statement to put in the ASA to allow the user data to be included in the ASA logs?
0
 
arnoldCommented:
What credentials do the outside warriors provide to set up the VPN? If they do not have a username/password, I'm not sure how a username will be reflected in the VPN setup.
0
 
Ted JamesAuthor Commented:
They do username and password. They use AnyConnect as the client.
0
 
Mustafa Al HousamiNetwork and Security Consultant/CCIE #48377Commented:
Can you please share the VPN configuration on the ASA?
0
 
arnoldCommented:
This is most likely, as Mustafa suggested, a matter of whether your logging includes webvpn.

https://supportforums.cisco.com/t5/vpn/cisco-asa-webvpn-acl-logging/td-p/1717010
logging class webvpn .......

Show your logging configuration:

show config | in logging
1
 
Ted JamesAuthor Commented:
Can't do the whole thing, but here is a snippet of what I think is relevant from the config (I hope). It looks like I'm missing that one logging command? Does anything else strike you?

logging enable
logging timestamp
logging trap debugging
logging buffered informational
logging host REMOTE-USER-SYSLOG 17.40.38.60


aaa-server acs tacacs protocol tacacs+
aaa-server acs tacacs (REMOTE-USER-SYSLOG) host 17.a.b.c
user-identity default-domain LOCAL
aaa authentication enable console acs tacacs LOCAL
aaa authentication ssh console acs tacacs LOCAL
aaa authorization exec authentication-server auto-enable
0
 
arnoldCommented:
Do you have the option to use logging class webvpn?
I do not know for sure whether webvpn is auto-logged when logging is enabled. Check the webvpn configuration to see whether it has a log event selected.
0
 
Mustafa Al HousamiNetwork and Security Consultant/CCIE #48377Commented:
Post also the output of show run tunnel-group, show run group-policy, and show run webvpn.
0
 
Ted JamesAuthor Commented:
Outputs enclosed below.

So would the following logging command allow user information (user ID) to be displayed in the syslogs?

"logging class webvpn trap informational"    (or as an option choose "debugging" instead of "informational"; either way, would it show any user details?)


Outputs of what you asked:

webvpn
 enable outside
 hostscan image disk0:/hostscan_4.3.08-k9.pkg
 hostscan enable
 anyconnect image disk0:/anyconnect-win-4.2.03-k9.pkg 1
 anyconnect profiles Remotes disk0:/remotes.xml
 anyconnect profiles Partners disk0:/partners.xml
 anyconnect enable
 keepout "Use AnyConnect."
 cache
  disable
 error-recovery disable


group-policy DefGroupPol attributes
 wins-server value 17.1.2.3
 dns-server value 8.8.8.4
 vpn-session-timeout 720
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ssl-client
 default-domain value xyz.com
group-policy Remotes_Pol internal
group-policy Remotes_Pol attributes
 wins-server value 17.2.3.4
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain value xyz.com
 address-pools value Remotes_IP_Pool
 webvpn
  anyconnect profiles value Remotes type user
group-policy Partners_Pol internal
group-policy Partners_Pol attributes
 wins-server value 17.1.2.3
 dns-server value 8.8.8.6
 vpn-tunnel-protocol ssl-client
 address-pools value Partners_IP_Pool
 webvpn
  anyconnect profiles value Partners type user
dynamic-access-policy-record DefAccessPol
 description "Deny."
 action terminate
dynamic-access-policy-record LAPTOP-Allow
 description "Approved LAPTOP with Cisco AnyConnect"
 priority 50
 action terminate
 priority 30



tunnel-group DefRemoteAccess general-attributes
 authentication-server-group SSL
tunnel-group DefWebVPN general-attributes
 authentication-server-group SSL
 accounting-server-group SSL


Thank you,
Ted
0
 
Mustafa Al HousamiNetwork and Security Consultant/CCIE #48377Commented:
Hello Ted,
Try to add the following command: logging message 722051. This command will display the information below in syslog messages:

%ASA-6-722051: Group group-policy User username IP public-ip IPv4 Address assigned-ip IPv6 Address assigned-ip  assigned to session

Explanation The specified address has been assigned to the given user.
• group-policy —The group policy that allowed the user to gain access
• username —The name of the user
• public-ip —The public IP address of the connected client
• assigned-ip —The IPv4 or IPv6 address that is assigned to the client
0
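As an added example (not from the thread, Cisco, or any of the participants), a small parser that shows the distinction this answer draws: the 302020/302021 ICMP connection messages carry no user field at all, while 722051 names the group, user, public IP and assigned IP. The 722051 sample line is constructed to follow the documented field order; its angle-bracketed values are an assumption about how the device renders them, so the regex also accepts the bare template.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines (not captured from a real device). The two ICMP
# lines follow the format quoted in the question; the 722051 line follows the
# field order given in the answer, with angle brackets assumed around values.
SAMPLE_LOGS = [
    "Dec 18 19:57:56 192.168.110.160 : %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0",
    "Dec 18 19:57:56 192.168.110.160 : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0",
    "Dec 18 20:01:12 192.168.110.160 : %ASA-6-722051: Group <Remotes_Pol> User <jdoe> IP <203.0.113.5> IPv4 Address <10.20.30.7> IPv6 address <::> assigned to session",
]

# %ASA-<severity>-<six-digit message id>: <body>
MSG_ID = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)$")
# 722051 body; the <> around each value are optional so the bare template also matches
VPN_ASSIGN = re.compile(
    r"Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? IP <?(?P<public_ip>[^>\s]+)>?"
    r" IPv4 Address <?(?P<assigned_ip>[^>\s]+)>?"
)
# 302020/302021 body: connection endpoints only, no user identity
ICMP_CONN = re.compile(r"faddr (?P<faddr>\S+) gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)")


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    user: Optional[str]            # None when the message type has no user field
    fields: dict = field(default_factory=dict)


def parse_asa_line(line: str) -> Optional[AsaEvent]:
    """Parse one syslog line; return None if it is not an ASA message."""
    m = MSG_ID.search(line)
    if not m:
        return None
    severity, msg_id, body = int(m.group(1)), m.group(2), m.group(3)
    if msg_id == "722051":
        v = VPN_ASSIGN.search(body)
        if v:
            return AsaEvent(severity, msg_id, v.group("user"), v.groupdict())
    if msg_id in ("302020", "302021"):
        c = ICMP_CONN.search(body)
        return AsaEvent(severity, msg_id, None, c.groupdict() if c else {})
    return AsaEvent(severity, msg_id, None)


def vpn_user_events(lines):
    """Keep only events that actually identify a VPN user (here, 722051)."""
    return [e for e in map(parse_asa_line, lines) if e is not None and e.user is not None]
```

Running `vpn_user_events(SAMPLE_LOGS)` yields only the 722051 event, which is the practical point of the answer: without that message enabled, the connection-level logs give you addresses and ports but never a username.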
 
Ted JamesAuthor Commented:
Thanks for the info.

So apparently I was initially looking at the wrong logs for user connections?

Is my understanding correct that the logs ASA-6-302020 and ASA-6-302021 are for ICMP (most likely ping?) connection setups only?

Thanks in advance.

To be honest, I wasn't aware of any authentication (xauth or otherwise) used for ICMP other than ACLs for blocking/allowing. But there is an "icmp inspect" command in there, but still nothing about user authentication.
0
 
arnoldCommented:
xauth is a secondary username/password to authorize the user for VPN access.
ICMP is a ping.
i.e. the first step is VPN setup, then xauth kicks in to see whether the user on the other side of the VPN is authorized.
This deals with having a single remote VPN policy deployed to many users, so that only active users with credentials will complete the VPN setup process.
The other option deals with setting up different remote VPN policies with distinct preshared ...
0
 
Ted JamesAuthor Commented:
For my initial example, however, it looks to me now that it has nothing to do with the VPN setup. Something I didn't consider before. Is that right?


• Dec 18 19:57:56 192.168.110.160 : %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0
• Dec 18 19:57:56 192.168.110.160 : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.126.90/55555 gaddr 192.168.104.120/0 laddr 192.168.104.120/0


Look at the timestamps, one immediately after the other. Isn't that just a log event for a ping?
0
 
Ted JamesAuthor Commented:
Thanks!
0
Question has a verified solution.