From time to time I need to track down a user who is having trouble connecting to a hosted solution at their datacenter, or who has some other remote-connectivity problem, where a Cisco ASA handles the VPN connectivity. When troubleshooting, I first look at the licensing restrictions on the ASA, since more often than not that turns out to be the actual problem, and then check which logins are currently active. If I can confirm the user has connected to the VPN endpoint successfully, I can usually escalate to the right group to assist with whatever the issue might be.
Quickly list VPN sessions on a Cisco Adaptive Security Appliance (ASA).
Some commands you can use:
ciscoasa# sh vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers
Get an overview of all VPN sessions, including license usage, with show vpn-sessiondb summary:
ciscoasa# sh vpn-sessiondb summary

Active Session Summary

Sessions:
                         Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN              :      3 :       2274 :               8
    Clientless only    :      0 :         68 :               2
    With client        :      3 :       2206 :               8 :        0
  IPsec LAN-to-LAN     :     19 :      10367 :              23
  IPsec Remote Access  :      3 :       1743 :               6
  Totals               :     25 :      14384

License Information:
  IPsec    :    250    Configured :    250    Active :     22    Load :   9%
  SSL VPN  :     50    Configured :     50    Active :      3    Load :   6%

                         Active : Cumulative : Peak Concurrent
  IPsec                :     22 :      12227 :              27
  SSL VPN              :      3 :       2274 :               8
  Totals               :     25 :      14501

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display
I usually just want to look for a particular user, so I’m only interested in the username listing. If I find the user connected, I can do more troubleshooting from there.
ciscoasa# sh vpn-sessiondb remote | inc Username
Username     : user1                  Index        : 14415
Username     : user2                  Index        : 14840
Username     : user3                  Index        : 14841
To get more detailed information on, say, user1, use the index keyword with the session’s index number.
ciscoasa# sh vpn-sessiondb index 14415

Single Session

Username     : user1                  Index        : 14415
Assigned IP  : 172.16.0.104           Public IP    : 12.34.56.78
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 116218822              Bytes Rx     : 8332463
Group Policy : dlm                    Tunnel Group : dlm
Login Time   : 08:04:53 EST Thu Feb 16 2012
Duration     : 6d 0h:17m:22s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
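When I have to do this check for many users or many ASAs, I would rather parse the captured output than eyeball it. The following is an added example, not part of the original post or a Cisco tool: it pulls the license utilisation out of the summary listing above and the username/index pairs out of the remote listing, flags any license pool that is nearly exhausted, and answers the question "is this user connected right now?". The sample text is constructed from the listings shown earlier; the regexes assume the column layout of those listings.

```python
import re

# Constructed sample input, copied from the ASA listings shown above.
SUMMARY = """\
License Information:
  IPsec    :    250    Configured :    250    Active :     22    Load :   9%
  SSL VPN  :     50    Configured :     50    Active :      3    Load :   6%
"""
REMOTE = """\
Username     : user1                  Index        : 14415
Username     : user2                  Index        : 14840
Username     : user3                  Index        : 14841
"""

# One row of the "License Information" block: name, limit, configured, active, load %.
LICENSE_RE = re.compile(
    r"^\s*(IPsec|SSL VPN)\s*:\s*\d+\s+Configured\s*:\s*(\d+)"
    r"\s+Active\s*:\s*(\d+)\s+Load\s*:\s*(\d+)%", re.M)
# One "Username : ... Index : ..." line from "sh vpn-sessiondb remote | inc Username".
USER_RE = re.compile(r"^Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)", re.M)


def parse_licenses(text):
    """Return {license_name: (configured, active, load_pct)}."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)), int(m.group(4)))
            for m in LICENSE_RE.finditer(text)}


def parse_sessions(text):
    """Return {username: session_index} for every active remote-access session."""
    return {m.group(1): int(m.group(2)) for m in USER_RE.finditer(text)}


def saturated_licenses(licenses, threshold=0.9):
    """Names of license pools at or above `threshold` utilisation.

    A pool at 100% is the classic reason a user 'cannot connect' even though
    the ASA is otherwise healthy, so check this before chasing the client.
    """
    return [name for name, (configured, active, _) in licenses.items()
            if configured and active / configured >= threshold]


def find_user(sessions, username):
    """Session index for a connected user, or None if they have no session."""
    return sessions.get(username)
```

If a user is absent from parse_sessions() and saturated_licenses() is non-empty, the license pool, not the user's client, is the first thing to look at.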
I can also list any users connected via SSL VPN (Cisco AnyConnect):
ciscoasa# sh vpn-sessiondb svc
You can also log off VPN sessions easily, as I’ve outlined in a previous post.