ASA Logging – Logging IPSec on Cisco ASA

Tags: cisco-asa, ipsec, vpn

Can someone give some hints on how to enable logging on an IPSec tunnel on an ASA? I have a typical S2S IPSec scenario and I'd like to monitor when it goes down and other information. But I can't find a way to do this.

Best Answer

General Logging

To log IPSec events, you will want to run the following commands:

logging enable
! Optional: use Cisco's EMBLEM message format
logging emblem
logging timestamp
logging buffered notifications

Some of these commands will already be on your ASA as you're sending your buffered log to an FTP server. I won't include the FTP commands due to this. Then you will want to look for the specific codes you're interested in, in the log on the FTP server.

Example IPSec L2L disconnect message:

%ASA-4-113019: Group = 202.XXX.YYY.ZZZ, Username = 202.XXX.YYY.ZZZ, IP = 202.XXX.YYY.ZZZ, Session disconnected. Session Type: LAN-to-LAN, Duration: 1d 1h:13m:46s, Bytes xmt: 372142455, Bytes rcv: 384146009, Reason: Lost Service

Emailed Notifications

First create your list of events you want to catch.

Catch All IPSec List

logging list IPSec_Notifications level notifications class vpn

Specific Event List

logging list IPSec_Notifications message 113019
! Replace XXXXXX with next code
logging list IPSec_Notifications message XXXXXX
! Repeat for the rest of the codes you're interested in

Now setup the email settings.

logging mail IPSec_Notifications
logging from-address your-from-address@your-domain.com
logging recipient-address who-should-receive-emails@your-domain.com level notifications
! Replace X.X.X.X with your SMTP server IP
smtp-server X.X.X.X

Notes

All of the logging above is limited to notifications and higher level (i.e. level 5, 4, 3, 2 and 1). If you find a code of a lower level, you will need to replace level notifications with level informational or level debugging.

The example event above (ASA-4-113019) is level warnings which you can see from the ASA-4 prefix on the event.
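Once the buffered or emailed log is being collected, the next step is to pick the tunnel events out of it. The following is an added example, not part of the answer above: a small Python parser that reads ASA syslog lines, keeps only those at or above the configured logging level (notifications, i.e. severity 5 or lower), and extracts the peer, duration, byte counts and reason from 113019 session-disconnect messages so LAN-to-LAN drops can be alerted on. The sample log is constructed for the example; the first line is the 113019 message quoted in the answer, and the 602303 line uses the real ASA informational message ID for an IPsec SA creation to show that it is filtered out at the notifications level.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ASA severity names by numeric level: 0 is most severe, 7 least severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Header of an ASA syslog line, with or without a leading timestamp:
# "%ASA-<severity>-<six-digit message id>: <body>"
HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# Body of a 113019 "Session disconnected" message.
DISCONNECT_RE = re.compile(
    r"Group = (?P<group>\S+), Username = (?P<user>\S+), IP = (?P<ip>\S+), "
    r"Session disconnected\. Session Type: (?P<stype>[^,]+), "
    r"Duration: (?P<duration>[^,]+), Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)

# Duration as the ASA prints it, e.g. "1d 1h:13m:46s" or "0h:02m:09s".
DURATION_RE = re.compile(r"(?:(?P<d>\d+)d\s+)?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")


@dataclass
class AsaEvent:
    severity: int
    msgid: str
    body: str


@dataclass
class Disconnect:
    group: str
    peer_ip: str
    session_type: str
    duration_s: int
    bytes_xmt: int
    bytes_rcv: int
    reason: str


def parse_event(line: str) -> Optional[AsaEvent]:
    """Split one syslog line into severity, message id and body; None if not an ASA line."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return AsaEvent(int(m.group("sev")), m.group("msgid"), m.group("body"))


def duration_to_seconds(text: str) -> int:
    """Convert an ASA session duration string into whole seconds."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days = int(m.group("d") or 0)
    hours = days * 24 + int(m.group("h"))
    return (hours * 60 + int(m.group("m"))) * 60 + int(m.group("s"))


def parse_disconnect(ev: AsaEvent) -> Optional[Disconnect]:
    """Extract the fields of a 113019 message; None for any other message id."""
    if ev.msgid != "113019":
        return None
    m = DISCONNECT_RE.match(ev.body)
    if not m:
        return None
    return Disconnect(
        group=m.group("group"), peer_ip=m.group("ip"), session_type=m.group("stype"),
        duration_s=duration_to_seconds(m.group("duration")),
        bytes_xmt=int(m.group("xmt")), bytes_rcv=int(m.group("rcv")),
        reason=m.group("reason").strip(),
    )


def l2l_disconnects(lines: Iterable[str], max_severity: int = 5) -> List[Disconnect]:
    """Return LAN-to-LAN disconnects whose severity is at or above the logging level.

    max_severity=5 mirrors 'logging buffered notifications': severities 0..5 pass,
    informational (6) and debugging (7) are dropped just as the ASA would drop them.
    """
    found = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.severity > max_severity:
            continue
        d = parse_disconnect(ev)
        if d is not None and d.session_type == "LAN-to-LAN":
            found.append(d)
    return found


# Constructed sample log: the answer's 113019 line, an informational SA-created
# line, a remote-access disconnect, and a non-ASA line that must be ignored.
SAMPLE_LOG = [
    "Jan 02 2024 10:14:07: %ASA-4-113019: Group = 202.XXX.YYY.ZZZ, Username = 202.XXX.YYY.ZZZ, "
    "IP = 202.XXX.YYY.ZZZ, Session disconnected. Session Type: LAN-to-LAN, Duration: 1d 1h:13m:46s, "
    "Bytes xmt: 372142455, Bytes rcv: 384146009, Reason: Lost Service",
    "Jan 02 2024 10:14:09: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) "
    "between 198.51.100.1 and 203.0.113.7 (user= 203.0.113.7) has been created.",
    "Jan 02 2024 10:20:00: %ASA-4-113019: Group = RA_GROUP, Username = jdoe, IP = 192.0.2.10, "
    "Session disconnected. Session Type: SSL, Duration: 0h:02m:09s, Bytes xmt: 1024, "
    "Bytes rcv: 2048, Reason: User Requested",
    "Jan 02 2024 10:21:00: some other appliance wrote this line",
]

if __name__ == "__main__":
    for d in l2l_disconnects(SAMPLE_LOG):
        print(f"L2L peer {d.peer_ip} down after {d.duration_s}s: {d.reason}")
```

Feed `l2l_disconnects` the lines pulled from the FTP-collected buffer (or from a syslog receiver) and raise a ticket or alert on each returned record; lowering `max_severity` to 6 is the equivalent of changing the list to `level informational` if a message you care about turns out to be informational.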