I was recently presented with the challenge of logging all of the pertinent connection, disconnection, and termination messages for the Cisco AnyConnect SSL VPN client without flooding the syslog display with extraneous messages. This post briefly outlines the applicable log messages and what they indicate, with screenshots of both the provisioning in ASDM and the resulting behavior in the log itself.
Listed below are the blocks of syslog message IDs relevant to AnyConnect connectivity on a Cisco ASA security appliance running OS 8.2. Rather than describe every individual message, each range is listed with a general description of what the messages in it indicate. How the log levels were adjusted is described afterwards.
113001 – 113009 - AAA Success/Failures for user authentication/group authorization
716001 – 716023 - WebVPN group-specific access functions for a user success/failure
716038 – 716040 - User-specific login success/failure/failure due to reboot
716043 – 716045 - WebVPN port-forwarding / AAA parameter problems
716052 – 716057 - Server-terminated sessions, Single-Sign-On login status
719022 – 719023 - WebVPN user authentication success / failure
721016 – 721019 - WebVPN session creation / deletion
722001 – 722028 - SVC connection success / failure issues
722032 – 722038 - SVC connection establishment / termination
722042 – 722053 - ASA VPN server issues (software, config, etc.)
725001 – 725015 - SSL session establishment / termination
734001 – 734005 - Dynamic Access Policy (DAP) messages
737001 – 737019 - IP Address Assignment (IPAA) messages
737024 – 737026 - IP Address Assignment (IPAA) messages, continued
Once these blocks were identified, the logging level of every message in them was raised to Alert (severity 1) in ASDM, so that they survive a very restrictive destination filter, as shown in the following screenshot:
With this repeated for each range listed above, the next step was to set the logging destination (ASDM, e-mail, syslog server, etc.) to the same level, Alert, so that only these messages (plus genuine severity 0 and 1 messages) are delivered and everything noisier is dropped:
The resulting output in the ASDM logging window is shown below. Note the authentication failure on the top row of the display:
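The same two steps can be expressed as ASA CLI configuration, which is useful for scripting the change across several appliances or for checking what ASDM wrote. The block below is an added example, not code from the original post: it turns the message-ID table above into the `logging message <id> level alerts` and `logging <destination> alerts` commands that correspond to the ASDM steps, and then reuses the same table to pick AnyConnect-related events out of a raw syslog feed. The ranges are the ones listed on this page for ASA OS 8.2; the sample log lines are constructed for illustration (message IDs are from the table, the message texts are illustrative, not verbatim ASA output), and the "RA_VPN" group and user names are made up.

```python
"""Added example (not from the original post): generate ASA logging commands
for the message-ID ranges above and filter an ASA syslog feed by those ranges."""
import re

# Message-ID ranges from the table above (ASA OS 8.2). Verify them against the
# system log message guide for the release and platform you actually run.
ANYCONNECT_RANGES = [
    (113001, 113009, "AAA user authentication / group authorization"),
    (716001, 716023, "WebVPN group-specific access functions"),
    (716038, 716040, "WebVPN user login success / failure"),
    (716043, 716045, "WebVPN port-forwarding / AAA parameter problems"),
    (716052, 716057, "WebVPN server-terminated sessions, SSO status"),
    (719022, 719023, "WebVPN user authentication"),
    (721016, 721019, "WebVPN session creation / deletion"),
    (722001, 722028, "SVC connection success / failure"),
    (722032, 722038, "SVC connection establishment / termination"),
    (722042, 722053, "ASA VPN server issues"),
    (725001, 725015, "SSL session establishment / termination"),
    (734001, 734005, "Dynamic Access Policy (DAP)"),
    (737001, 737019, "IP address assignment (IPAA)"),
    (737024, 737026, "IP address assignment (IPAA)"),
]


def asa_logging_config(ranges=ANYCONNECT_RANGES, level="alerts",
                       destinations=("asdm", "trap")):
    """Return the ASA CLI lines equivalent to the ASDM steps: re-level every
    message in the ranges, then restrict each destination to that level.
    'logging trap' is the syslog-server destination, 'logging asdm' the ASDM one."""
    lines = ["logging enable"]
    for lo, hi, desc in ranges:
        lines.append(f"! {desc}")
        for msg_id in range(lo, hi + 1):
            lines.append(f"logging message {msg_id} level {level}")
    for dest in destinations:
        lines.append(f"logging {dest} {level}")
    return lines


# ASA syslog lines carry the severity and message ID in a fixed prefix.
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")


def classify(line):
    """Return (msg_id, severity, category) for an ASA syslog line whose ID is in
    one of the AnyConnect ranges, or None for other lines (or non-syslog text)."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    msg_id = int(m.group("id"))
    for lo, hi, desc in ANYCONNECT_RANGES:
        if lo <= msg_id <= hi:
            return (msg_id, int(m.group("sev")), desc)
    return None


# Constructed sample feed at default severities (before the re-levelling);
# the message texts are illustrative, not verbatim ASA text.
SAMPLE_FEED = [
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51122",
    "%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.10 : user = jdoe",
    "%ASA-6-725001: Starting SSL handshake with client outside:198.51.100.7/51123",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.9/4433 dst inside:10.0.0.20/22",
    "%ASA-6-722022: Group <RA_VPN> User <jdoe> IP <198.51.100.7> TCP SVC connection established",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = mallory",
    "%ASA-6-722023: Group <RA_VPN> User <jdoe> IP <198.51.100.7> TCP SVC connection terminated",
    "not a syslog line at all",
]


def anyconnect_events(feed=SAMPLE_FEED):
    """Keep only the AnyConnect-related lines, paired with their classification."""
    events = []
    for line in feed:
        hit = classify(line)
        if hit is not None:
            events.append((hit, line))
    return events


if __name__ == "__main__":
    print("\n".join(asa_logging_config()))
    for (msg_id, sev, desc), line in anyconnect_events():
        print(f"{msg_id} sev={sev} [{desc}] {line}")
```

The generated `logging trap alerts` line is the trade-off the post accepts: the syslog server then receives nothing below severity 1, so ordinary connection builds and ACL denies such as the 302013 and 106023 lines in the sample feed disappear along with the noise. The `logging message <id> level` commands are what ASDM writes when a message's level is edited, and the current level of an individual message can be checked afterwards with `show logging message <id>`.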
Arguably, fewer messages could have been enabled than were chosen, since some of the messages in the 722001 – 722038 range describe the older SSL VPN client, SVC 1.x. Secondly, the WebVPN messages were included because the AnyConnect client can be launched from the browser-initiated SSL VPN login. Finally, these message ID ranges are specific not only to the software version running on the ASA but also to the platform, so they should be verified against the system log message guide for the release in use.
Author: Doug McKillip
Cisco ASA Series 5500 System Log Messages, 8.2