VPN-Filter debugging on the Cisco ASA

This blog posting is building off of my previous post on ACL debugging. I am not going to go into a lot of detail for the topics covered in that blog post, so go back and take a read if you need to brush up on Cisco ASA logging.

VPN-Filtering can be hard to troubleshoot. VPN-filters are not intuitive for most Cisco folks, because the order of the source and destination fields in a VPN-filter ACL is not the same as in a normal ACL. That is, the remote side of the VPN tunnel is ALWAYS placed in the first IP/subnet field (the source address field in most Cisco ACLs). I swear that I’m not making this up! Feel free to take a good look at this documentation to verify that this is true.

So, other than watching hit counters, how do we know which ACL (if any) is being hit by a VPN-filter? Building off of the previous blog posting on ACL debugging, this is pretty easy to do.

  1. The ACL line(s) in question need the LOG keyword added to them. This does NOT require removing and reinserting the rule or any other disruptive behavior; you can modify the LOG keyword with the ACL in place. The ACL I specified in my group-policy to do my VPN filtering is ACL 110. My ACL 110 looks like this:
    access-list 110 line 1 extended permit ip any any

    I am going to add the LOG keyword to the end of this ACL entry in Global Config mode:
    access-list 110 line 1 extended permit ip any any log
  2. Now we are going to add message 106102 to a logging list. You can add it to an existing list or you can create a new one. The name of my list is my-vpn-filter.
    logging list my-vpn-filter message 106102
  3. Now monitor the logging list from your ssh session:
    logging monitor my-vpn-filter
  4. Finally, turn on logging messages to your ssh session:
    terminal monitor

At this point, generate traffic for the VPN. If the traffic matches one of your VPN-Filter rules, you should see a syslog message. I saw this:

Dec 13 2010 14:27:54: %ASA-6-106102: access-list 110 permitted tcp outside/192.168.0.101(55551) -> inside/10.26.26.102(22) hit-cnt 1 300-second interval [0x4976b668, 0x0]

Here we see that the remote IP address of 192.168.0.101 tried to contact a server on our side at 10.26.26.102 on TCP port 22 and the packet was permitted/allowed by access-list 110 (The VPN-filter). Additionally, we can even see WHICH ACE allowed this traffic. Notice the hex number at the end of the log message: 0x4976b668.

Grep the ACL for that hex number using the show access-list command (NOTE: NOT “show run access-list”).

ASA(config)# sh access-list 110 | i 0x4976b668

access-list 110 line 1 extended permit ip any any (hitcnt=1279) 0x4976b668

The above output shows that line 1 of ACL 110 was the line that triggered the syslog message.
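Doing the same correlation in bulk, as an added example that is not part of the original post: the script below pulls the fields out of every 106102 line in a syslog capture, skips every other message, and uses the ACE hash to look up the line number in a `show access-list` dump. Both samples are constructed (the first syslog line is the one quoted above), and the `ip(port)` form of 106102 shown in the post is assumed.

```python
import re

# Constructed sample syslog lines: the first mirrors the post's message, the other two are made up.
SAMPLE_SYSLOG = """\
Dec 13 2010 14:27:54: %ASA-6-106102: access-list 110 permitted tcp outside/192.168.0.101(55551) -> inside/10.26.26.102(22) hit-cnt 1 300-second interval [0x4976b668, 0x0]
Dec 13 2010 14:28:10: %ASA-6-106102: access-list 110 denied udp outside/192.168.0.101(5353) -> inside/10.26.26.50(5353) hit-cnt 3 first hit [0x1a2b3c4d, 0x0]
Dec 13 2010 14:28:11: %ASA-6-302013: Built inbound TCP connection 12 for outside:192.168.0.101/55552 (192.168.0.101/55552) to inside:10.26.26.102/22 (10.26.26.102/22)
"""
# Constructed "show access-list 110" output; the ACE hashes are chosen to match the syslog lines above.
SAMPLE_SHOW_ACL = """\
access-list 110; 2 elements; name hash: 0x7f7e1b0a
access-list 110 line 1 extended deny udp any any log informational interval 300 (hitcnt=3) 0x1a2b3c4d
access-list 110 line 2 extended permit ip any any log informational interval 300 (hitcnt=1279) 0x4976b668
"""
# 106102, tcp/udp form: "<acl> <action> <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt <n> ... [<ace hash>, <hash2>]"
SYSLOG_RE = re.compile(
    r"%ASA-\d-106102: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+) "
    r".*?\[(?P<ace_hash>0x[0-9a-f]+), 0x[0-9a-f]+\]", re.IGNORECASE)
# "show access-list" ACE lines end in "(hitcnt=N) [(inactive)] 0xHASH"; that hash is the first one 106102 reports.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) \(hitcnt=(?P<hitcnt>\d+)\)"
    r"(?: \(inactive\))? (?P<ace_hash>0x[0-9a-f]+)\s*$", re.IGNORECASE)

def parse_106102(line):
    # Return the fields of one 106102 message as a dict, or None for any other syslog line.
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return {k: int(v) if k in ("src_port", "dst_port", "hits") else v for k, v in m.groupdict().items()}

def parse_show_access_list(text):
    # Map (acl name, ace hash) -> (line number, ace text) from "show access-list" output; header lines are skipped.
    return {(m["acl"], m["ace_hash"].lower()): (int(m["line"]), m["ace"])
            for m in (ACE_RE.match(l.strip()) for l in text.splitlines()) if m}

def correlate(syslog_text, show_acl_text):
    # Attach the ACE that produced each 106102 event; ace_line is None when the hash is not in the ACL dump.
    aces = parse_show_access_list(show_acl_text)
    events = []
    for line in syslog_text.splitlines():
        ev = parse_106102(line)
        if ev is None:
            continue  # 302013 and other messages are not ACL hits
        hit = aces.get((ev["acl"], ev["ace_hash"].lower()))
        ev["ace_line"], ev["ace_text"] = hit if hit else (None, None)
        events.append(ev)
    return events
```

If `ace_line` comes back `None` for a live message, the ACL was most likely edited after the hash was logged; take a fresh `show access-list` and run the correlation again.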

Clean up – While in your session, you can turn the ssh logging messages on and off “at will” with

terminal monitor
terminal no monitor

These syslog messages are at the Priority/Level: ERROR. So, depending on how you are logging and at what level, you may wish to remove the log keyword from your ACL. Again, this can be done without removing or otherwise interrupting any network flows. To remove the LOG keyword, modify each ACL with “LOG default”:

access-list 110 line 1 extended permit ip any any log default

And, if you wish, stop the ssh session from monitoring the logging list:

no logging monitor my-vpn-filter

Commands without comment:

Add keyword LOG to ACL(s) to monitor
logging list my-vpn-filter message 106102
logging monitor my-vpn-filter
terminal monitor

2 Responses to “VPN-Filter debugging on the Cisco ASA”

  1. Gabriel says:

    What if we use a standard ACL to protect traffic from/to RA VPN clients (I mean with the vpn-filter command)? All the documentation talks about extended ACLs in the context of vpn-filter.

    Did anyone try it? It seems to work as well, but then only local LAN IP addresses (addresses that are accessed by RA clients) are verified.

    Can someone confirm that?

    regards,
    Gabriel

  2. carl says:

    I am not having any luck enabling logging on my vpn filter ACL. I have tried on both L2L and RA tunnels, and while the vpn filter permits/denies as it should, no message is ever generated. Would it be possible to send me the whole config to see if I am missing something?