List Connected VPN Users on Cisco ASA

From time to time I need to track down a user who is having trouble connecting to a hosted solution at their datacenter, or who has some other remote connectivity need, where a Cisco ASA handles the VPN connectivity. In troubleshooting, I first check the licensing limits on the ASA, since more often than not that turns out to be the real problem, and then check which logins are currently active. If I can confirm the user has connected to the VPN endpoint successfully, I can usually escalate to the right group to assist with whatever the issue might be.

Quickly list VPN sessions on a Cisco Adaptive Security Appliance (ASA).

Some commands you can use:

ciscoasa# sh vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers

Get an overview of all VPN sessions: show vpn-sessiondb summary

ciscoasa# sh vpn-sessiondb summary
Active Session Summary
Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :       3 :       2274 :               8
    Clientless only     :       0 :         68 :               2
    With client         :       3 :       2206 :               8 :        0
  IPsec LAN-to-LAN      :      19 :      10367 :              23
  IPsec Remote Access   :       3 :       1743 :               6
  Totals                :      25 :      14384
License Information:
  IPsec   :    250    Configured :    250    Active :     22    Load :   9%
  SSL VPN :     50    Configured :     50    Active :      3    Load :   6%
                            Active : Cumulative : Peak Concurrent
  IPsec               :         22 :      12227 :              27
  SSL VPN             :          3 :       2274 :               8
  Totals              :         25 :      14501
Active NAC Sessions:
  No NAC sessions to display
Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

Usually I just want to find one user, so I filter for the username listing only. If I find the user connected, I can do more troubleshooting from there.

ciscoasa# sh vpn-sessiondb remote | inc Username
Username : user1 Index : 14415
Username : user2 Index : 14840
Username : user3 Index : 14841

To get more detailed information on, say, user1, use the index keyword with the session index from the listing above.

ciscoasa# sh vpn-sessiondb index 14415
Single Session
Username     : user1                   Index        : 14415
Assigned IP  : 172.16.0.104           Public IP    : 12.34.56.78
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 116218822              Bytes Rx     : 8332463
Group Policy : dlm                    Tunnel Group : dlm
Login Time   : 08:04:53 EST Thu Feb 16 2012
Duration     : 6d 0h:17m:22s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

I can also show any users connected via SSL VPN (Cisco AnyConnect):

ciscoasa# sh vpn-sessiondb svc

You can also logoff VPN sessions easily as I’ve outlined in a previous post.
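As an added example (not part of the original post), here is a small Python parser for the two outputs above: it pulls the license load out of show vpn-sessiondb summary, flags any pool near its limit, and looks a username up in the filtered remote listing to get the index for the detail command. The sample text is constructed from the output quoted above.

```python
import re

# Constructed samples modelled on the 'show vpn-sessiondb summary' and
# 'show vpn-sessiondb remote | inc Username' output quoted in the post.
SUMMARY = """\
License Information:
  IPsec   :    250    Configured :    250    Active :     22    Load :   9%
  SSL VPN :     50    Configured :     50    Active :      3    Load :   6%
"""
USERS = """\
Username : user1 Index : 14415
Username : user2 Index : 14840
Username : user3 Index : 14841
"""

LICENSE_RE = re.compile(
    r"^\s*(?P<name>IPsec|SSL VPN)\s*:\s*\d+\s+Configured\s*:\s*(?P<conf>\d+)"
    r"\s+Active\s*:\s*(?P<active>\d+)\s+Load\s*:\s*(?P<load>\d+)%",
    re.MULTILINE,
)
USER_RE = re.compile(
    r"^Username\s*:\s*(?P<user>\S+)\s+Index\s*:\s*(?P<index>\d+)", re.MULTILINE
)


def parse_license(text):
    """Map license name -> (configured, active, load percent) from the summary."""
    return {m["name"]: (int(m["conf"]), int(m["active"]), int(m["load"]))
            for m in LICENSE_RE.finditer(text)}


def license_headroom(text, threshold_pct=80):
    """Licenses at or above threshold load, as [(name, active, configured)].

    A pool near its limit explains 'cannot connect' reports as readily as any
    client-side fault, so check this before chasing the user."""
    return [(name, active, conf) for name, (conf, active, load)
            in parse_license(text).items() if load >= threshold_pct]


def parse_users(text):
    """Map username -> session index from the filtered 'remote' listing."""
    return {m["user"]: int(m["index"]) for m in USER_RE.finditer(text)}


def find_user(text, username):
    """Session index for username (what 'sh vpn-sessiondb index <n>' takes), or None."""
    return parse_users(text).get(username)


if __name__ == "__main__":
    print(license_headroom(SUMMARY, threshold_pct=5))
    print(find_user(USERS, "user1"))
```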

Traffic Shaping and Policing in Cisco IOS

I needed to set up bandwidth shaping on a router recently for testing purposes and decided on the configuration below on my Cisco router. I know this drops packets and I don't really care; this is a guest network and it isn't mission critical.

class-map match-all CLASS_GUEST_IN
 match any
class-map match-any CLASS_GUEST_OUT
 match any
policy-map POLICY_GUEST_OUT
 class CLASS_GUEST_OUT
  shape average 1000000
policy-map POLICY_GUEST_IN
 class CLASS_GUEST_IN
  police 1000000 1000 1000 conform-action transmit exceed-action set-qos-transmit 4 violate-action drop
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 service-policy input POLICY_GUEST_IN
 service-policy output POLICY_GUEST_OUT

Confirming things are working:

ciscorouter# sh policy-map interface
 GigabitEthernet0/1.102
  Service-policy input: POLICY_GUEST_IN
    Class-map: CLASS_GUEST_IN (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      police:
          cir 1000000 bps, bc 1000 bytes, be 1000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          set-qos-transmit 4
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
  Service-policy output: POLICY_GUEST_OUT
    Class-map: CLASS_GUEST_OUT (match-any)
      3284 packets, 2742876 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/28/0
      (pkts output/bytes output) 3161/2741698
      shape (average) cir 1000000, bc 4000, be 4000
      target shape rate 1000000
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
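To see what the police line actually does with the numbers above, here is an added token-bucket model (not from the original post) of a single-rate, two-bucket policer in the style of RFC 2697: cir in bit/s, bc and be in bytes, exactly as the 1000000 1000 1000 arguments are shown in the show policy-map interface output. It assumes IOS refills and drains the buckets the same way; the packet sizes are constructed.

```python
class SingleRatePolicer:
    """Two-bucket single-rate policer modelled on RFC 2697 (srTCM).

    Mirrors 'police 1000000 1000 1000 conform-action transmit
    exceed-action set-qos-transmit 4 violate-action drop'.
    Assumption: IOS refills and drains the Bc/Be buckets this way.
    """

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir_bytes_per_s = cir_bps / 8.0
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.te = bc_bytes, be_bytes   # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        # Tokens accrue at CIR into the committed bucket; anything past bc
        # spills into the excess bucket, which is capped at be.
        self.tc += (now - self.last) * self.cir_bytes_per_s
        self.last = now
        if self.tc > self.bc:
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = self.bc

    def packet(self, now, size_bytes):
        """Action for a packet of size_bytes arriving at time now (seconds)."""
        self._refill(now)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return "conform"   # conform-action transmit
        if size_bytes <= self.te:
            self.te -= size_bytes
            return "exceed"    # exceed-action set-qos-transmit 4
        return "violate"       # violate-action drop


def classify_burst(sizes, cir_bps=1_000_000, bc=1000, be=1000, gap_s=0.0):
    """Actions for packets of the given sizes spaced gap_s seconds apart."""
    p = SingleRatePolicer(cir_bps, bc, be)
    return [p.packet(i * gap_s, s) for i, s in enumerate(sizes)]


if __name__ == "__main__":
    print(classify_burst([500] * 5))   # back-to-back 500-byte packets
    print(classify_burst([1500]))      # a full-size frame with bc below 1500
```

Under this model a 1500-byte packet can never conform or exceed with bc and be at 1000 bytes, only violate, so if the guest VLAN carries full-size frames the violated counter in show policy-map interface is where they will show up.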

Cisco AP Detailed Client Info

Trying to figure out what some of these mean…
You can use show dot11 assoc to find the clients associated to the AP, then show dot11 assoc xxxx.xxxx.xxxx to show detailed information for a specific client, or use 'all-clients' to show detailed information for every client associated to the access point.
Here's the output from show dot11 assoc all-clients:

Address           : 0023.68b1.b06a     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Device            : unknown            Software Version : NONE
CCX Version       : NONE               Client MFP       : Off
State             : Assoc              Parent           : self
SSID              : WiFi
VLAN              : 101
Hops to Infra     : 1                  Association Id   : 28
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot 11h
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -75  dBm           Connected for    : 299 seconds
Signal to Noise   : 21  dB            Activity Timeout : 16 seconds
Power-save        : On                 Last Activity    : 44 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 225                Packets Output   : 68
Bytes Input       : 11342              Bytes Output     : 5154
Duplicates Rcvd   : 34                 Data Retries     : 45
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

I need to find out what “Capability : WMM ShortHdr ShortSlot 11h” means and available options. These clients are connecting at lower speeds when they do not have “WMM” in the Capability column.

Cisco IOS VPN Server with MS IAS User Authentication against Active Directory

This is how I have successfully configured a Cisco 2921 Integrated Services Router as a VPN server for remote users…

! [SNIP]
!
aaa new-model
!
!
aaa authentication login VPN_UserAuth group radius
aaa authentication login CLI_UserAuth local
aaa authentication login userauthen group radius
aaa authorization network VPN_GroupAuth local
!
! [SNIP]
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group group1
 key secretp4ssw0rd
 pool group1pool
 acl 101
 save-password
crypto isakmp profile vpn1-ra
   match identity group group1
   client authentication list VPN_UserAuth
   isakmp authorization list VPN_GroupAuth
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
!
crypto ipsec profile test-vti1
 set transform-set VTI-TS
!
!
! [SNIP]
interface Virtual-Template3 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 172.18.1.1 172.18.1.25
!
! [SNIP]
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.18.1.0 0.0.0.255
!
! [SNIP]
ip radius source-interface GigabitEthernet0/1
radius-server host 10.0.0.10 key remoteauth