Cisco VPN :: 5520 - Incorrect TCP Session Logs For Remote VPN Users On ASA
Oct 29, 2012
I have a problem on a Cisco ASA5520 version 8.2(5). A customer has set up a syslog to keep tracks of tcp sessions made by vpn users. On the syslog we filter %ASA-6-302013 and %ASA-6-302014 log messages, respectively: Built inbound TCP connection and Teardown TCP connection. When the connection is made by a vpn user, at the end of the log line you see the vpn username which should be the same in both the messages for the same connection. I have verified that when a user, let's say UserA, disconnects from the vpn, their tcp sessions are not properly closed; if another user, let's say UserB, establish a VPN immeditaely after and gets the same IP address previously assigned to UserA, the log sessions are recored with UserA in the %ASA-6-302013 message and UserB in the %ASA-6-302014 message. I presume this is due to the fact the tcp sessions are not tore down when the first user disconnects and it looks like a bug to me but I didn't find it referenced anywhere. Is there a way to have all tcp session tore down when a user disconnects the VPN connection?
I have an issue on an ASA 5510 that I have noticed today, when I am using the log viewer all of the information recorded only shows the high end source and destination ports. For example
Source IP 10.10.4.69 Source Port 59886
Destination IP 8.8.8.8 Destination Port 59866
So what seems to be happening is that I am seeing only half of the connection in the log viewer, I see the side with the high end ports and not the side with the ports the application uses, this example was done with a ping. All my services are working correctly and the client sending the ping gets the response expected, it just seems I have lost the logging display?
We have a site-site and remote vpn configured in same interface in ASA 5520 ( software version 8.3 ). When Remote vpn users try to connect to computers located on the distant end of site-site VPN, their request failed. I tried No-Nat between remote vpn private IP to the remote site private IP, also stated the same in Split tunneling. I cant find even the tracert, ping also timed out.
how the Cisco VPN works, as i already have a post on here about not being able to connect an android device to my firewall, i am now struggling to get an Iphone 3gs iOS v4.3 (8F190) connected to the VPN Either.I have checked the Network (client) Access settings on the firewall, and confirmed the group names im after including the protocols it supports L2TP is Disabled so it looks like i can only connect via IPsec.so i fill out the required details in the IPhone but keep getting a message back from the phone
"The VPN Shared Secret is incorrect"
Now im sure i have this right as i use the same details on my laptop which connects to the VPN perfectly fine. but i am starting to bang my head against the wall, no matter what i try and do i cannot seem to get either device to connect to the firewall.i have a pair of ASA 5520 boxes running cisco software 8.2
i used to remote desktop connection. when i log on to remote computer it say that username or password incorrect, but i remember clearly about my password and username
I have an ASA 5520 with the Intrusion Prevention Module.The time displayed on the ASA is correct.The time displayed in all Intrusion Prevention gadgets is ahead exactly 4 hours.Under configuration, Time the Time Zone is correct, Eastern in my case. The sensor local time on the same page is correct and is grayed out.I only work in the ASDM as I am far from being a CLI person.I don't think the time being off is causing any issues, but it is strange.
I am running two ASA 5520 routers synched up with eachother. I had a massive connectivity issue this weekend that I am investigating. Now I have figured out how to get the live logging but I need to know how to get the old logs from my router.
We’ve got lot of ASA appliances (around 30, 5505/5510/5520) and we never had this problem since the use of the new image software ASA 8.4(1) and ASDM 6.4(1). So, my problem is located on two ASA 5520 with active/passive failover with ASA image 8.4(1) and ASDM image 6.4(1).
My problem is that our appliance doesn’t show any logs when an ACL deny a packet, even if when I specify a specific “deny ACL” with a specific logging condition, asdm and ssh buffer logging are empty but the counters of the ACL increment.
I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up a RDP based connection, for monitoring purposes, for a most of the day, but thier RDP connection keeps getting discounnted after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glsring differences in regards to the configuration that would cuase the RDP sessions to either to stay up or be disconnected after an inactivity type scenario.
What to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time.
I've got a remote site which is connected to the headquarters via VPN site to site IP Sec tunnel. When I am in my office I have no problem to reach the remote network, but, when I try to connect to the remote network via VPN client, I can't reach it.in the remote office I've hot a Router 3800 (Cisco IOS Software, 3800 Software (C3845-DVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)) in the headquarters I've got an ASA 5520 Version 8.0(3) I've chequed access-list, and network objects and it seems everythink ok.
view a history of IPs that have connected to my computer. Specifically those that accessed my computer through a remote desktop connection? I believe I can check and see the ip while someone is connected but not after they disconnected.
I have a newish instance of 5520 running. I am seeing some odd logging issues in that the logs are significantly delayed showing up in the real time viewer. I'll try to connect, say on remote desktop, and will not see the traffic in the viewer for up to 20 seconds or so after I'm already connected to the server. I have not seen this before.
Per PCI & company policy all VPN users have a 12 hour session limit. They will disconnected after 12 hours regardless of use. Is there any way to send a message prior to the 12 hour limit to warn the users that they will be disconnected in x minutes? I'm running SSL VPN on a ASA 5520 ver 8.4(1)
I updated my RV180W to the latest firmware and found that port forwarding works I started using it.I've just noticed that since changing over to the RV180W, my Apacher server logs show the router's IP address instead of the remote IP address - every remote request appears to come from 192.168.0.1.
I using cisco 837 for incoming remote access VPN connections with are working very well but I recently created one outgoing easy vpn connection and I have issue since that time. As soon as easy VPN is up and established successfully I lost remote VPN access to internal subnet.
Where is : Internal subnet: 192.168.172.0/24 remote VPN pool 192.168.24.2-6
Take a look at config attached and point me at missconfiguration
Got a classical remote access vpn with Cisco VPN Client and ASA-5520, Some weeks ago I noticed in my ASA logs this severity 5 Message. Group = xyz, Username = abc, IP = 84.n.n.n, Duplicate Phase 2 packet detected. No last packet to retransmit. This message comes with every connect, but then connections works fine.
Remark: See ASA ADSM:
- 1. Duplicated Phase II (!!) - 2. Phase I - 3. Phase II
I have an ASA 5520 for my firewall. (ver 8.0(4))I have an external hyperlink that works from dsl at home but not from behind my corperate firewall.When I filter my real-time log viewer for this destination address I see the build up and immediate teardown of the session.The log indicates the teardown was initiated from inside.The informational alerts are
Built outbound TCP connection 726440542 for outside:201.116.168.172/6666 to inside:172.16.x.x/3586 (65.204.x.x/52001) Teardown TCP connection 726440542 for outside:201.116.168.172/6666 to inside:172.16.x.x/3586 duration 0:00:00 bytes 77 TCP Reset-I
Reset-I means that something (the firewall or my pc which is the source) is telling the firewall to end the session.
ACS 4.2 and remote agent was working properly two months before. But in past two months we are facing weird issue in RA server.For Somedays we are missing logs from both ACS and RA server. Once we notice this we use to restart the services in ACS to give workaround. But due to this we loose our daily logs intermittently and facing risk in without having logs.This is not like communication between ACS and RA is not at all happening. It happens properly for a week or month, but again it is going bad without any config change. CSAgent.ini file is properly configured.Full version is 4.2.1.15 and patch is 10 in acs and ra.ACS and Remote Agent Major and Patch version are same.
I recently upgraded our head end ASA5510 at our datacenter from 8.2.1 to 8.4.5. The ASDM was also upgraded from 6.2.1 to 7.1.(1)52. Under the old code, a remote ASA5505 connected via Easy VPN Remote showed 1 IPsec tunnel. However, after the upgrade, it shows 42 sessions. It would seem to me that each split tunnel network defined in the Easy VPN profile is being counted as a tunnel. Is it possible that I may have something misconfigured now that the code is upgraded?
i have user connected to office using Cisco vpn client , Cisco asa 5520 acts as vpn gateway, frequently the users got disconnected from the server while the VPN still established and not disconnected!
what is the cause of the issue , where the fault is located ? how to start the troubleshooting to figure out the issue?
Just recently we replaced our HQ Cisco-Pix with Cisco-ASA 5510. where we have many branches connecting to our HQ through site-to-site vpn. Since putting this new ASA5510 at HQ , while we are getting a Remote-Desktop session into our branches clients, and at the time when even a single TIMEOUT occurs on the vpn-link so the remote-desktop session gets completely lost. then we have to re-connect the session.This issue happens as i said above when a single timeout occurs on the vpn link. What is the issue with the ASA5510. because with pix we didn't have this issue, remote-desktops were never getting lost / reset with single timeout
Just recently we replaced our HQ Cisco-Pix with Cisco-ASA 5510. where we have many branches connecting to our HQ through site-to-site vpn.
Since putting this new ASA5510 at HQ , while we are getting a Remote-Desktop session into our branches clients, and at the time when even a single TIMEOUT occurs on the vpn-link so the remote-desktop session gets completly lost. then we have to re-connect the session.
This issue happens as i said above when a single timeout occurs on the vpn link. What is the issue with the ASA5510. because with pix we didnt have this issue, remote-desktops were never geting lost / reset with single timeout
I'm using a Cisco ASA 5520 with IOS 8.2.2. We have many remote users using the Cisco VPN client, but I have been asked can we logout idle users as we do hit our license limit and some users stay conenct for days.
I have set this up on pre 8.3 code and 8.3 code as well. I have the following configured on the ASA, but it is not working and I am not seeing the ASA trying to NAT the VPN pool IP address that the client gets assigned.
We are using Any connect vpn client (v2.5.3055) to an ASA 5520 (v8.4) in a development environment. We use our corporate Radius server to authenticate users. We have certain users which need have the same IP address every time they lo gin. As it is configured now, the IP addresses are assigned sequentially from the pool. Is there a way to allow certain users to get the same IP address each time they log on?
I just configure an ASA 5520, here is the config (the ip address of outside network if going to change from private direccion by reason security).
The problem that I have is the users can access to the web site through the public´s ip address but they do not can access through by name. We review all the config on the server DNS and with the command NSLOOKUP we can see that work fine. The client think that the asa is blocked the connnection.
I am new at ASA 5520 and CSC module (version 6.3). I would like to know what configurations are possible for my network users if i use the CSC trend micro blocking using IP address or AD users, I know that i could select users/groups from the windows AD or select the IP addresses that i want to use for blocking or permit HTTP traffic (URL, etc).
My question is on the client side, how the CSC knows what AD users is the one that is requesting certain HTTP pages, or if i user a proxy server, i lose the IP/users options on the CSC??..or i could use authentication options on the proxy for example?.
I have been looking information about this but the manuals only explain the configuration options that i could configure on the CSC Trend Micro page, but it doesn't say which network environment i could use or need.
