Monitor failed Cisco Anyconnect VPN connection attempts


(charles b) #1

Our clients should authenticate via certificate but for our DR datacentre site ASA authentications are failing. All works OK from the same Anyconnect client to the ASA at our primary datacentre.
Can someone point me in the right direction how to check the ASA log files to get some sort of error message or reason for the failures?
The command line log file only has a couple of pages of entries.
I'm guessing I can use ASDM real time log viewer. But what search criteria do I enter? The user's username shows no entries.
Many thanks in advance.


(Lazaros Agapides) #2

Hello Charles

It is possible to configure syslog messages to be sent when the user connects and disconnects. There are various kinds of connections that can be logged, including AnyConnect/SSL VPN clients.

For VPN client based connections like AnyConnect, the syslogs are usually of the form 722xxx. For example, connect is 722022 and disconnect is 722023. You can find additional related messages here:

As for the configuration of the logging, this can be done either with command line or ASDM configuration methods. Take a look at the following link which includes aspects of both of these options:

I hope this has been helpful to get you started.

Laz


(charles b) #3

Just to update our resolution to this issue.

It was caused by us upgrading our Cisco Anyconnect clients to version 4 and a bug / feature in the way that works with ASA version 9.6!!

In Cisco ASA version 9.6 and Anyconnect client version 4 the backup vpn connection url needs to have the user group profile explicitly defined.

So for example if your user group profile = ACME-VPN
Anyconnect version 4 does not have the intelligence to apply the user group profile ACME-VPN to the backup server vpn-backup.ACME.co.uk. It has to be explicitly defined.

So on the ASA connection profile the BackupServerList HostAddress vpn url needed with Anyconnect version 4 = vpn-backup.ACME.co.uk/ACME-VPN

Anyconnect version 3 had the intelligence to apply the user group profile ACME-VPN to the backup server vpn-backup.ACME.co.uk.
So on the ASA connection profile BackupServerList HostAddress vpn url needed = vpn-backup.ACME.co.uk
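
A check for the condition described in post #3, as an added example that is not part of the original thread: it reads an AnyConnect client profile and lists backup servers whose address does not carry the user group. It assumes the setting lives in the client profile XML with the group in a `UserGroup` element; the sample profile is constructed and `backups_missing_group` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread). Element names follow the
# AnyConnect client profile XML; vpn.ACME.co.uk and vpn-backup2 are made up.
SAMPLE_PROFILE = """
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>ACME VPN</HostName>
      <HostAddress>vpn.ACME.co.uk</HostAddress>
      <UserGroup>ACME-VPN</UserGroup>
      <BackupServerList>
        <HostAddress>vpn-backup.ACME.co.uk</HostAddress>
        <HostAddress>vpn-backup2.ACME.co.uk/ACME-VPN</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def backups_missing_group(profile_xml):
    """List (host name, backup address, suggested address) for each backup
    server whose address does not end in the entry's UserGroup."""
    findings = []
    for entry in ET.fromstring(profile_xml).iter():
        group = child_text(entry, "UserGroup")
        if local(entry.tag) != "HostEntry" or not group:
            continue  # only entries that rely on a group need the check
        for blist in (c for c in entry if local(c.tag) == "BackupServerList"):
            for addr in (a for a in blist if local(a.tag) == "HostAddress"):
                value = (addr.text or "").strip()
                host, _, path = value.split("://", 1)[-1].partition("/")
                if path.strip("/") != group:  # exact match, case included
                    findings.append((child_text(entry, "HostName"), value, f"{host}/{group}"))
    return findings

if __name__ == "__main__":
    for name, found, wanted in backups_missing_group(SAMPLE_PROFILE):
        print(f"{name}: backup '{found}' has no user group, expected '{wanted}'")
```
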


(Lazaros Agapides) #4

Charles, thanks so much for sharing your resolution to the problem. Such posts are extremely valuable to all forum users.

Thanks once again!

Laz