FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Article Id 224589
Description: This article describes how to verify that the appliance is receiving and processing syslog in Cisco ASA VPN integrations. For integration details, see the Cisco ASA VPN Integration reference manual in the Document Library.
Scope: FortiNAC 8.x and 9.x.
Solution
  1. Review the ASA configuration to verify that syslog messages are configured properly. The format must be either the default (space separated) or CSV. (CEF is not supported.)
  2. Using tcpdump, confirm that syslog messages reach the appliance when a client connects. In the appliance CLI, enter the following:

tcpdump -nni eth0 host <ASA IP modeled in Inventory> and port 514

Press Ctrl+C to stop the capture.


tcpdump example:


21:40:42.867274 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.info, length: 113
21:40:42.867366 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.info, length: 135
21:40:43.065809 IP <ASA IP>.syslog > <VPN.server>.syslog: SYSLOG local4.warning, length: 165


The syslog messages allow the appliance to associate the session ID with the remote user through the assigned IP address:

  • The first two syslog messages provide the session ID and the IP address.
  • The third syslog message provides the IP address and the remote user ID (without the third message, the appliance cannot associate the session with the username).

Wireshark example of syslog output for a VPN login:
User ID (user): myname.
VPN IP (tunnelip): 10.4.232.72.


Syslog message: LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737026: IPAA: Session=0x00032000, Client assigned 10.4.232.72 from local pool\n
Syslog message: LOCAL4.INFO: Mar 02 2018 02:01:36: %ASA-6-737006: IPAA: Session=0x00032000, Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'\n
Syslog message: LOCAL4.WARNING: Mar 02 2018 02:01:36: %ASA-4-722051: Group <GroupPolicy_MyPolicy> User <myname> IP <98.27.180.191> IPv4 Address <10.4.232.72> IPv6 address <::> assigned to session\n
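As an added illustration (not code from this article or from FortiNAC), the following Python performs the correlation the text describes: the session ID and tunnel IP are taken from the 737026 message, the username from the 722051 message, and the two are joined on the tunnel IP, so the user is unknown until the third message arrives. The sample lines are constructed from the messages shown above; the class and function names are this example's own.

```python
import re
from typing import Dict, Optional, Tuple

# Patterns for the messages shown in the capture above. 737006 only repeats the
# session ID with the tunnel-group, so it is not needed for the correlation.
RE_737026 = re.compile(r"%ASA-6-737026: IPAA: Session=(?P<session>0x[0-9A-Fa-f]+), "
                       r"Client assigned (?P<ip>\d+\.\d+\.\d+\.\d+) from local pool")
RE_722051 = re.compile(r"%ASA-4-722051: Group <(?P<policy>[^>]*)> User <(?P<user>[^>]*)> "
                       r"IP <(?P<peer>[^>]*)> IPv4 Address <(?P<ip>[^>]*)>")


class AsaVpnCorrelator:
    """Links an ASA VPN session ID to a username through the assigned tunnel IP."""

    def __init__(self) -> None:
        self.session_ip: Dict[str, str] = {}  # session ID -> tunnel IP (737026)
        self.ip_user: Dict[str, str] = {}     # tunnel IP  -> username  (722051)

    def feed(self, line: str) -> Optional[Tuple[str, str, str]]:
        """Consume one syslog line; return (policy, user, ip) for a 722051 message."""
        m = RE_737026.search(line)
        if m:
            self.session_ip[m["session"]] = m["ip"]
            return None
        m = RE_722051.search(line)
        if m:
            self.ip_user[m["ip"]] = m["user"]
            return (m["policy"], m["user"], m["ip"])
        return None  # 737006 and any other message are ignored

    def user_for_session(self, session: str) -> Optional[str]:
        """None until both the 737026 and the matching 722051 message were seen."""
        ip = self.session_ip.get(session)
        return self.ip_user.get(ip) if ip else None


# Constructed sample, built from the message bodies in the capture above (PRI and timestamp added).
SAMPLE = [
    "<166>Mar 02 2018 02:01:36: %ASA-6-737026: IPAA: Session=0x00032000, Client assigned 10.4.232.72 from local pool",
    "<166>Mar 02 2018 02:01:36: %ASA-6-737006: IPAA: Session=0x00032000, Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'",
    "<164>Mar 02 2018 02:01:36: %ASA-4-722051: Group <GroupPolicy_MyPolicy> User <myname> IP <98.27.180.191> IPv4 Address <10.4.232.72> IPv6 address <::> assigned to session",
]


def correlate(lines, session: str = "0x00032000") -> Optional[str]:
    """Feed every line, then ask which user owns the given session ID."""
    c = AsaVpnCorrelator()
    for line in lines:
        c.feed(line)
    return c.user_for_session(session)
```

Feeding only the first two lines returns None, which is the "cannot associate the session with the username" case described above; feeding all three returns "myname".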
If syslog messages are not being received:

  • Confirm that the interface name is configured correctly on the ASA. See KB article 193368.
  • Confirm that UDP 514 is not being blocked in the network.
  3. If syslog is reaching the appliance, enable debug logs (written to /bsc/logs/output.master):

nacdebug -name CiscoASA true
nacdebug -name SyslogServer true
tf /bsc/logs/output.master | grep -i "UserName"


  4. Have the client connect.
  5. Review output.master for syslog messaging that provides the User ID, the assigned endstation VPN IP address, and the session information.

    Example of syslog output for a VPN login:
    User ID (user): myname.
    VPN IP (tunnelip): 10.4.232.72.

yams.CiscoASA FINER :: 2019-01-24 21:14:37:740 :: ASASyslogListener.parseSyslog parsed [GroupPolicy_MyPolicy, myname, 10.4.232.72] from <164>Jan 25 2019 03:14:37: %ASA-4-722051: Group <GroupPolicy_MyPolicy> User <myname> IP <172.56.10.106> IPv4 Address <10.4.232.72> IPv6 address <::> assigned to session

  6. Once troubleshooting is complete, disable debugging:

nacdebug -name CiscoASA false
nacdebug -name SyslogServer false


Contact support for further assistance. Open a support ticket and provide the following:

  • The FortiNAC software version (x.x.x.x).
  • The Cisco ASA version.
  • A detailed description of the behavior.
  • Troubleshooting steps taken.
  • The IP address and username of the test client.
  • The timeframe in which the behavior was reproduced.
  • System logs. (For instructions, see Technical Tip: How to get a debug log report from FortiNAC.)