FortiNAC
FortiNAC is a zero-trust network access solution that gives users enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Description
This article describes how to verify that the appliance is receiving and processing syslog in Cisco ASA VPN integrations. For integration details, see the Cisco ASA VPN Integration reference manual in the Document Library.
Scope
Version: 8.x & 9.x
Solution

1) Review the ASA configuration to verify that syslog messages are configured properly. The format should be either default (space separated) or CSV (CEF is not supported).

2) Using tcpdump, confirm that syslog messages are reaching the appliance when a client connects. In the appliance CLI, type:

tcpdump -nni eth0 host <ASA IP modeled in Inventory> and port 514

Press Ctrl-C to stop.


tcpdump example:


21:40:42.867274 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.info, length: 113
21:40:42.867366 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.info, length: 135
21:40:43.065809 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.warning, length: 165


Syslog messages allow the appliance to associate the Session ID with the remote user via the assigned VPN IP address:
- The first two syslog messages provide the Session ID and the assigned IP address.
- The third syslog message provides the assigned IP address and the remote user ID. Without the third message, the appliance cannot associate the session with the username.


Wireshark example of syslog output for a VPN login:
User ID (user): myname
VPN IP (tunnelip): 10.4.232.72


Syslog message: LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737026: IPAA: Session=0x00032000, Client assigned 10.4.232.72 from local pool\n
Syslog message: LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737006: IPAA: Session=0x00032000, Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'\n
Syslog message: LOCAL4.WARNING: Mar 02 2018 02:01:36: %ASA-4-722051: Group <GroupPolicy_MyPolicy> User <myname> IP <98.27.180.191> IPv4 Address <10.4.232.72> IPv6 address <::> assigned to session\n
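
As an added illustration of the correlation just described (this is not code from the article or from FortiNAC; the appliance's ASASyslogListener does its own parsing), the following Python script applies the same rule to the three sample messages above: it takes the Session ID and assigned IP from the 737026 message, the group, username and public IP from the 722051 message, and joins them on the assigned VPN IP. Feeding it only the first two messages shows the failure mode the article warns about: the session is known but no username can be resolved. The regular expressions, function names and the sample list are assumptions of mine based solely on the message layout shown on this page.

```python
"""Correlate Cisco ASA VPN syslog messages into session records.

Added example, not FortiNAC code. The parsing below follows the layout of the
three sample messages on this page and nothing else.
"""
import re

# Constructed sample input: the three messages from the article, without the
# Wireshark "Syslog message:" prefix and trailing "\n". Not a real capture.
SAMPLE_SYSLOG = [
    "LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737026: IPAA: Session=0x00032000, "
    "Client assigned 10.4.232.72 from local pool",
    "LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737006: IPAA: Session=0x00032000, "
    "Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'",
    "LOCAL4.WARNING: Mar 02 2018 02:01:36: %ASA-4-722051: Group <GroupPolicy_MyPolicy> "
    "User <myname> IP <98.27.180.191> IPv4 Address <10.4.232.72> IPv6 address <::> "
    "assigned to session",
]

# %ASA-<severity>-<message id>: identifies which ASA message this is.
MSG_ID = re.compile(r"%ASA-\d-(\d{6}):")
# 737026: Session ID plus the VPN IP handed out from the local pool.
ASSIGNED = re.compile(r"Session=(0x[0-9A-Fa-f]+), Client assigned (\d+\.\d+\.\d+\.\d+)")
# 722051: group policy, username, client's public IP and the assigned VPN IP.
USER_SESSION = re.compile(
    r"Group <([^>]*)> User <([^>]*)> IP <([^>]*)> IPv4 Address <(\d+\.\d+\.\d+\.\d+)>"
)


def correlate(lines):
    """Build {assigned VPN IP: record} from the syslog lines seen so far.

    The assigned IP is the join key because it is the one value present in
    both the 737026 message (with the Session ID) and the 722051 message
    (with the username).
    """
    sessions = {}
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            continue  # not an ASA message, ignore
        msg_id = m.group(1)
        if msg_id == "737026":
            a = ASSIGNED.search(line)
            if a:
                rec = sessions.setdefault(a.group(2), {})
                rec["session_id"] = a.group(1)
        elif msg_id == "722051":
            u = USER_SESSION.search(line)
            if u:
                rec = sessions.setdefault(u.group(4), {})
                rec.update(group=u.group(1), user=u.group(2), public_ip=u.group(3))
        # 737006 and any other IDs carry nothing needed for the association.
    return sessions


def user_for_session(lines, session_id):
    """Resolve a Session ID to a username.

    Returns None when the 722051 message has not been seen, which is exactly
    the case the article describes: session known, user unknown.
    """
    for rec in correlate(lines).values():
        if rec.get("session_id") == session_id:
            return rec.get("user")
    return None


if __name__ == "__main__":
    print(correlate(SAMPLE_SYSLOG))
    print("all three messages :", user_for_session(SAMPLE_SYSLOG, "0x00032000"))
    print("first two only     :", user_for_session(SAMPLE_SYSLOG[:2], "0x00032000"))
```

Run against the full sample the record for 10.4.232.72 carries the Session ID, group, user and public IP, which matches the `[GroupPolicy_MyPolicy, myname, 10.4.232.72]` triple the appliance logs in step 5; run against only the first two messages the Session ID resolves to no user, so a missing 722051 message on the ASA side is the first thing to check when output.master never shows a UserName.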

 

If syslog messages are not being received:


- Confirm the interface name is configured correctly on the ASA. See KB article 193368.
- Confirm UDP 514 is not being blocked in the network.


3) If syslog is reaching the appliance, enable debugging (output is written to /bsc/logs/output.master):


nacdebug -name CiscoASA true
nacdebug -name SyslogServer true
tf /bsc/logs/output.master | grep -i "UserName"

 

4) Have a client connect.

 

5) Review output.master for the syslog messages that provide the User ID, the assigned endstation VPN IP address, and session information.

 

Example of syslog output for a VPN login:
User ID (user): myname
VPN IP (tunnelip): 10.4.232.72

 

yams.CiscoASA FINER :: 2019-01-24 21:14:37:740 :: ASASyslogListener.parseSyslog parsed [GroupPolicy_MyPolicy, myname, 10.4.232.72] from <164>Jan 25 2019 03:14:37: %ASA-4-722051: Group <GroupPolicy_MyPolicy> User <myname> IP <172.56.10.106> IPv4 Address <10.4.232.72> IPv6 address <::> assigned to session


6) Once troubleshooting is complete, disable debugging:


nacdebug -name CiscoASA false
nacdebug -name SyslogServer false

 

Contact Support for further assistance. Open a support ticket and provide the following:

  • Software version (x.x.x.x).
  • FortiGate version.
  • Detailed description of behavior.
  • Troubleshooting steps taken.
  • IP address and username of test client.
  • Timeframe behavior was reproduced.
  • System logs (For instructions see KB article 190755).