List Connected VPN Users on Cisco ASA


From time to time I need to track down a user who is having trouble connecting to a hosted solution at their datacenter, or who has some other remote connectivity need, and who is using a Cisco ASA to handle the VPN connectivity. In troubleshooting, I like to check the licensing restrictions on the ASA, since more often than not this is the problem, and to check for logins that are currently active. If I can determine that the user has connected to the VPN endpoint successfully, I can usually escalate this to the right group to assist with whatever the issue might be.

Quickly list VPN sessions on a Cisco Adaptive Security Appliance (ASA).

Some commands you can use:

ciscoasa# sh vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers

Get an overview of all VPN sessions: show vpn-sessiondb summary

ciscoasa# sh vpn-sessiondb summary
Active Session Summary
Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :       3 :       2274 :               8
    Clientless only     :       0 :         68 :               2
    With client         :       3 :       2206 :               8 :        0
  IPsec LAN-to-LAN      :      19 :      10367 :              23
  IPsec Remote Access   :       3 :       1743 :               6
  Totals                :      25 :      14384
License Information:
  IPsec   :    250    Configured :    250    Active :     22    Load :   9%
  SSL VPN :     50    Configured :     50    Active :      3    Load :   6%
                            Active : Cumulative : Peak Concurrent
  IPsec               :         22 :      12227 :              27
  SSL VPN             :          3 :       2274 :               8
  Totals              :         25 :      14501
Active NAC Sessions:
  No NAC sessions to display
Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

I like to just look for a user, so I’m interested in only the username listing.  From here I can do more troubleshooting if I find the user connected.

ciscoasa# sh vpn-sessiondb remote | inc Username
Username : user1 Index : 14415
Username : user2 Index : 14840
Username : user3 Index : 14841

To get more detailed information on, say, user1, pass the Index value from that listing to the index option.

ciscoasa# sh vpn-sessiondb index 14415
Single Session
Username     : user1                   Index        : 14415
Assigned IP  : 172.16.0.104           Public IP    : 12.34.56.78
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 116218822              Bytes Rx     : 8332463
Group Policy : dlm                    Tunnel Group : dlm
Login Time   : 08:04:53 EST Thu Feb 16 2012
Duration     : 6d 0h:17m:22s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
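
The session record above can also be checked by script. The following is an added example, not part of the original post: it splits the two-column output into fields and reports a session that lists DES or MD5 or that exceeds an age limit. WEAK_ALGOS, MAX_SESSION_AGE and the function names are assumptions to adapt to local policy.

```python
import re
from datetime import timedelta

# Constructed sample: excerpt of the "sh vpn-sessiondb index" record shown above.
SAMPLE = """\
Username     : user1                   Index        : 14415
Assigned IP  : 172.16.0.104           Public IP    : 12.34.56.78
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Login Time   : 08:04:53 EST Thu Feb 16 2012
Duration     : 6d 0h:17m:22s
Inactivity   : 0h:00m:00s
"""
# Two or more spaces followed by "Label :" mark the start of the second column.
COLUMN_GAP = re.compile(r"\s{2,}(?=[A-Za-z][A-Za-z ]*?\s*:\s)")
DURATION = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")
# Assumed local policy, not from the article: adjust both to your own standard.
WEAK_ALGOS = {"DES", "MD5"}
MAX_SESSION_AGE = timedelta(hours=24)

def parse_session(text):
    """Return {label: value}; split on the first colon only, since values
    such as the login time contain colons themselves."""
    fields = {}
    for line in text.splitlines():
        for chunk in COLUMN_GAP.split(line.strip()):
            label, sep, value = chunk.partition(":")
            if sep:
                fields[label.strip()] = value.strip()
    return fields

def parse_duration(value):
    """Convert '6d 0h:17m:22s' or '0h:00m:00s' to a timedelta."""
    m = DURATION.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def review_session(fields):
    """List policy findings for a parsed session (empty list means none)."""
    findings = []
    offered = set(fields.get("Encryption", "").split()) | set(fields.get("Hashing", "").split())
    for algo in sorted(offered & WEAK_ALGOS):
        findings.append(f"{fields['Username']}: weak algorithm {algo}")
    if parse_duration(fields["Duration"]) > MAX_SESSION_AGE:
        findings.append(f"{fields['Username']}: connected for {fields['Duration']}")
    return findings

if __name__ == "__main__":
    print("\n".join(review_session(parse_session(SAMPLE))))
```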

I can also show any users connected via SSL VPN (Cisco AnyConnect):

ciscoasa# sh vpn-sessiondb svc

You can also log off VPN sessions easily, as I’ve outlined in a previous post.
