- Review ASA configuration to verify Syslog messages are configured properly. The format should be either default (space separated) or CSV. (CEF is not supported.)
- Using tcpdump, confirm syslog messages are reaching the appliance when client connects. In the appliance CLI, enter the following:
tcpdump -nni eth0 host <ASA IP modeled in Inventory> and port 514
Type Ctrl+C to stop the dump.
tcpdump example:
21:40:42.867274 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.info, length: 113
21:40:42.867366 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.info, length: 135
21:40:43.065809 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.warning, length: 165
Syslog messages allow association of the Session ID with the remote user via IP address.
- The first two syslog messages provide session ID and IP address.
- The third syslog message provides the IP address and the remote user ID. Without the third message, the appliance cannot associate the session with the username.
Wireshark example of syslog output for a VPN login: User ID (user): myname. VPN IP (tunnelip): 10.4.232.72.
Syslog message: LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737026: IPAA: Session=0x00032000, Client assigned 10.4.232.72 from local pool
Syslog message: LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737006: IPAA: Session=0x00032000, Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'
Syslog message: LOCAL4.WARNING: Mar 02 2018 02:01:36: %ASA-4-722051: Group <GroupPolicy_MyPolicy> User <myname> IP <98.27.180.191> IPv4 Address <10.4.232.72> IPv6 address <::> assigned to session
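The correlation described above (session ID from %ASA-6-737026, username from %ASA-4-722051, joined on the assigned VPN address) as an added worked example; this is illustrative code, not FortiNAC's own parser, and the sample messages are constructed from the three lines shown above. It also flags the failure case where the 722051 message never arrives, so the session has an IP but no username.

```python
import re
from typing import Dict, List, Optional

# Constructed sample messages in the ASA default (space-separated) format,
# mirroring the three messages the appliance needs for one VPN login.
SAMPLE_SYSLOG = [
    "LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737026: IPAA: Session=0x00032000, "
    "Client assigned 10.4.232.72 from local pool",
    "LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737006: IPAA: Session=0x00032000, "
    "Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'",
    "LOCAL4.WARNING: Mar 02 2018 02:01:36: %ASA-4-722051: Group <GroupPolicy_MyPolicy> "
    "User <myname> IP <98.27.180.191> IPv4 Address <10.4.232.72> IPv6 address <::> "
    "assigned to session",
]

# %ASA-6-737026: session ID plus the VPN address handed out from the pool.
RE_737026 = re.compile(
    r"%ASA-6-737026: IPAA: Session=(?P<session>0x[0-9A-Fa-f]+), "
    r"Client assigned (?P<tunnelip>\d{1,3}(?:\.\d{1,3}){3}) from"
)
# %ASA-4-722051: username, public IP and the same VPN address.
RE_722051 = re.compile(
    r"%ASA-4-722051: Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> "
    r"IP <(?P<public_ip>[^>]*)> IPv4 Address <(?P<tunnelip>[^>]*)>"
)


def correlate(lines: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each VPN address to its session ID and username.
    'user' stays None when no 722051 message was seen for that address."""
    sessions: Dict[str, Dict[str, Optional[str]]] = {}
    for line in lines:
        m = RE_737026.search(line)
        if m:
            entry = sessions.setdefault(m["tunnelip"], {"session": None, "user": None})
            entry["session"] = m["session"]
            continue
        m = RE_722051.search(line)
        if m:
            entry = sessions.setdefault(m["tunnelip"], {"session": None, "user": None})
            entry["user"] = m["user"]
    return sessions


def missing_username(sessions: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """VPN addresses that have a session but never received the username message."""
    return sorted(ip for ip, e in sessions.items() if e["session"] and not e["user"])
```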
If syslog messages are not being received:
- Confirm the interface name is configured correctly on the ASA. See KB article 193368.
- Confirm UDP 514 is not being blocked in the network.
- If syslog is reaching the appliance, enable debug logs (written to /bsc/logs/output.master):
nacdebug -name CiscoASA true
nacdebug -name SyslogServer true
tf /bsc/logs/output.master | grep -i "UserName"
- Have the client connect.
- Review output.master for syslog messaging that provides User ID, assigned endstation VPN IP address, and session information.
Example of syslog output for a VPN login: User ID (user): myname. VPN IP (tunnelip): 10.4.232.72.
yams.CiscoASA FINER :: 2019-01-24 21:14:37:740 :: ASASyslogListener.parseSyslog parsed [GroupPolicy_MyPolicy, myname, 10.4.232.72] from <164>Jan 25 2019 03:14:37: %ASA-4-722051: Group <GroupPolicy_MyPolicy> User <myname> IP <172.56.10.106> IPv4 Address <10.4.232.72> IPv6 address <::> assigned to session
- Once troubleshooting is complete, disable debugging:
nacdebug -name CiscoASA false
nacdebug -name SyslogServer false
Contact support for further assistance. Open a support ticket and provide the following:
- The FortiNAC software version (x.x.x.x).
- The Cisco ASA version.
- A detailed description of the behavior.
- Troubleshooting steps taken.
- The IP address and username of test client.
- The timeframe in which the behavior was reproduced.
- System logs. (For instructions, see Technical Tip: How to get a debug log report from FortiNAC.)