AnyConnect Syslog Troubleshooting

I recently was presented with the challenge of logging ALL of the pertinent connection, disconnection, and termination messages associated with the Cisco SSL AnyConnect client without overwhelming the syslog capture display with extraneous messages. This blog will briefly outline the applicable log messages and what they do, along with some screenshots displaying both the provisioning in ASDM and the behavior in the log itself.

Listed below are blocks of syslog message IDs relevant to AnyConnect connectivity issues on the Cisco ASA security appliance running OS 8.2. Rather than describe each log message individually, message ranges are listed along with a general description of what the messages indicate. Later we will describe how we adjusted the log levels.

113001 – 113009 – AAA Success/Failures for user authentication/group authorization
716001 – 716023 – WebVPN group-specific access functions for a user success/failure
716038 – 716040 – User-specific login success/failure/failure due to reboot
716043 – 716045 – WebVPN port-forwarding / AAA parameter problems
716052 – 716057 – Server-terminated sessions, Single-Sign-On login status
719022 – 719023 – WebVPN user authentication success / failure
721016 – 721019 – WebVPN session creation / deletion
722001 – 722028 – SVC connection success / failure issues
722032 – 722038 – SVC connection establishment / termination
722042 – 722053 – ASA VPN server issues (software, config, etc.)
725001 – 725015 – SSL session establishment / termination
734001 – 734005 – Dynamic Access Policy (DAP) messages
737001 – 737019 – IP Address Assignment (IPAA) messages
737024 – 737026 – IP Address Assignment (IPAA) messages, continued

Once the preceding blocks of messages were identified, the log levels for these messages were changed using ASDM to Alert level as shown in the following screenshot:

With this process repeated for each range listed above, the next step was to set the logging level for a specific facility (ASDM, mail, syslog server, etc.) to this same level (Alert) to minimize the messages:

The resulting output in the ASDM logging window is shown below. Note the authentication failure on the top row of the display:

Arguably, fewer messages could have been enabled than were chosen, as some of the messages (syslog IDs 722001 – 722038) apply only to the older version of the SSL VPN client, SVC 1.x. The WebVPN messages were added because the AnyConnect client can be launched from within the browser-initiated SSL login. Last of all, the range of syslog message identifiers is not only specific to the level of code on the ASA but will also vary between platforms.
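
As an added example (not part of the original post), this Python filter applies the ID ranges listed above to raw syslog lines and keeps only the AnyConnect-related messages, whatever severity they were logged at. The sample lines, user names and addresses are constructed, and the function names are hypothetical.

```python
import re

# Syslog ID ranges and descriptions as listed in the article (ASA 8.2).
RANGES = [
    (113001, 113009, "AAA user authentication / group authorization"),
    (716001, 716023, "WebVPN group-specific access functions"),
    (716038, 716040, "User-specific login success/failure"),
    (716043, 716045, "WebVPN port-forwarding / AAA parameter problems"),
    (716052, 716057, "Server-terminated sessions, SSO login status"),
    (719022, 719023, "WebVPN user authentication"),
    (721016, 721019, "WebVPN session creation / deletion"),
    (722001, 722028, "SVC connection success / failure"),
    (722032, 722038, "SVC connection establishment / termination"),
    (722042, 722053, "ASA VPN server issues"),
    (725001, 725015, "SSL session establishment / termination"),
    (734001, 734005, "Dynamic Access Policy (DAP)"),
    (737001, 737019, "IP Address Assignment (IPAA)"),
    (737024, 737026, "IP Address Assignment (IPAA), continued"),
]

# Matches the "%ASA-<severity>-<message id>: <text>" tag of an ASA log line.
TAG = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)")

def classify(line):
    """Return (severity, msg_id, category, text), or None if outside the ranges."""
    m = TAG.search(line)
    if not m:
        return None
    msg_id = int(m.group(2))
    for low, high, category in RANGES:
        if low <= msg_id <= high:
            return int(m.group(1)), msg_id, category, m.group(3)
    return None

def anyconnect_events(lines):
    """Keep only lines whose message ID falls in one of the listed ranges."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; group, user and address values are made up.
SAMPLE = [
    "Feb 11 2008 11:23:18 ciscoasa : %ASA-6-716038: Group grp User alice IP 192.0.2.10 Authentication: successful, Session Type: WebVPN.",
    "Feb 11 2008 11:23:19 ciscoasa : %ASA-6-302013: (constructed) unrelated connection message",
    "Feb 11 2008 11:24:02 ciscoasa : %ASA-1-113005: (constructed) AAA user authentication rejected, user = bob",
    "Feb 11 2008 11:24:05 ciscoasa : link state changed (constructed line without a message tag)",
]

if __name__ == "__main__":
    for severity, msg_id, category, text in anyconnect_events(SAMPLE):
        print(f"{msg_id} sev={severity} [{category}] {text}")
```

Because the ranges vary with ASA software version and platform, the `RANGES` table should be checked against the system log message guide for the release in use.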

Author: Doug McKillip

References
Cisco ASA Series 5500 System Log Messages, 8.2

4 comments

  1. Eldhose

    I could see an extra angle bracket (<) in some of the Cisco ASA logs; could someone tell me about the significance of the bracket?

    ex: %ASA-4-716052: Group User IP Pending session terminated.

    I’m working as a log analyst, so just wondering why only some of the logs have the bracket.

    1. Doug McKillip

      Could you please provide a detailed example? Your sample above did not have the bracket in question.

      Thanks,
      Doug

      1. Eldhose

        Please find the below log which has angle brackets…

        Feb 11 2008 11:23:18 ciscoasa : %ASA-6-716038: Group User IP Authentication: successful, Session Type: WebVPN.
        Feb 13 2008 12:28:01 ciscoasa : %ASA-3-716056: Group User IP Authentication to SSO server name: type failed reason: DNS
        Feb 13 2008 12:32:41 ciscoasa : %ASA-5-716053: New SSO Server added: Name: Type:
        Feb 13 2008 12:32:46 ciscoasa : %ASA-5-716054: New SSO Server deleted: Name: Type:

        I see this bracket comes only with some of the logs, not all.

  2. Eldhose

    Hi McKillip,

    Do not know why… the angle brackets disappear when I put them in the blog. If you could give me your mail ID, I can send it to that.