You could add this to my ‘Commands I always forget’ post, but since I’m going to turn this into a bit of a walkthrough I decided to make it its own post. Most admins use two commands to verify IPsec VPN security associations. Those, of course, are…
ASA# show crypto isakmp sa
and
ASA# show crypto ipsec sa
Both of these commands provide you with a wealth of information about the IPsec connection. But what about SSL VPN (AnyConnect) sessions, or WebVPN (clientless) sessions? Since these technically aren’t IPsec connections, they don’t show up in the ‘show crypto’ commands. Below I’ll walk through a couple of commands which show you more information about all types of VPN connections.
How to see current WebVPN Sessions
ASA# show vpn-sessiondb webvpn
Session Type: WebVPN
Username : langemakj Index : 13
Public IP : 10.20.30.78
Protocol : Clientless
License : SSL VPN
Encryption : RC4 Hashing : SHA1
Bytes Tx : 147092 Bytes Rx : 31993
Group Policy : GP_SSLVPN Tunnel Group : TG_SSLVPN
Login Time : 14:04:01 CST Thu Jul 29 2010
Duration : 0h:00m:11s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Notes: As you can see, this gives you a ton of info on the connection, including the user’s group policy, tunnel group, and public IP (Note: I’m testing off of the internal ASA interface, hence the RFC 1918 addressing). The Encryption and Hashing fields are worth a second look too: this session negotiated RC4, which is a cipher you no longer want to see in use, so this output is also a quick way to spot sessions that need their TLS settings tightened.
How to log off current WebVPN Sessions
ASA# vpn-sessiondb logoff name langemakj
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "langemakj" logged off : 1
Notes: What’s interesting about the logoff procedure is that it’s done by tunnel group or username. Note that in this instance I don’t even have to specify that it’s a WebVPN session I want to log off. Conversely, if I wanted to log off all of the WebVPN sessions I could just enter ‘vpn-sessiondb logoff webvpn’, which would log off every user connected to WebVPN.
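Once you are pulling this output regularly (for example over SSH from a script), it is handy to turn it into something you can filter and act on. The following is an added example, not part of the original post and not Cisco code: it parses the ‘show vpn-sessiondb webvpn’ output in the format shown above (the sample input is the session from this post plus a second, made-up session for user jdoe), flags sessions negotiated with weak encryption or hashing (the set of “weak” algorithms is my own choice), and emits the ‘vpn-sessiondb logoff name …’ command shown above for each flagged session. Only the parsing and the command text are demonstrated; nothing here talks to an ASA.

```python
import re
from typing import Dict, List

# Constructed sample input: the 'show vpn-sessiondb webvpn' output from this post,
# plus a second, made-up session (user "jdoe", AES128) so the filter has one to keep.
SAMPLE_OUTPUT = """\
Session Type: WebVPN

Username     : langemakj              Index        : 13
Public IP    : 10.20.30.78
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 147092                 Bytes Rx     : 31993
Group Policy : GP_SSLVPN              Tunnel Group : TG_SSLVPN
Login Time   : 14:04:01 CST Thu Jul 29 2010
Duration     : 0h:00m:11s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Session Type: WebVPN

Username     : jdoe                   Index        : 14
Public IP    : 198.51.100.23
Protocol     : Clientless
License      : SSL VPN
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 1024                   Bytes Rx     : 2048
Group Policy : GP_SSLVPN              Tunnel Group : TG_SSLVPN
Login Time   : 14:10:00 CST Thu Jul 29 2010
Duration     : 0h:02m:30s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
"""

# One "Key : Value" pair. A line may carry two pairs side by side, separated by a
# run of two or more spaces, so the value is matched lazily and ends only at such
# a run followed by another key (or at end of line). That keeps values which
# themselves contain colons (login times, IPv6 addresses) intact.
PAIR_RE = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)"
)

# Assumed policy thresholds (my choice, not an ASA default): anything in these
# sets is treated as a session that should not be allowed to stay up.
WEAK_ENCRYPTION = {"RC4", "DES", "3DES", "none"}
WEAK_HASHING = {"MD5", "none"}


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split 'show vpn-sessiondb' output into one {field: value} dict per session."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Session Type"):
            # Each session block begins with its 'Session Type' line.
            current = {}
            sessions.append(current)
        if not sessions:
            continue  # ignore any preamble before the first session
        for key, value in PAIR_RE.findall(line):
            current[key.strip()] = value.strip()
    return sessions


def is_weak(session: Dict[str, str]) -> bool:
    """True if the session negotiated an encryption or hashing algorithm in the weak sets."""
    return (session.get("Encryption") in WEAK_ENCRYPTION
            or session.get("Hashing") in WEAK_HASHING)


def weak_sessions(sessions: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [s for s in sessions if is_weak(s)]


def logoff_commands(sessions: List[Dict[str, str]]) -> List[str]:
    """Build the per-user logoff command shown in the post for each session given."""
    return [f"vpn-sessiondb logoff name {s['Username']}"
            for s in sessions if "Username" in s]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    for s in found:
        print(f"{s['Username']:<12} idx={s['Index']:<4} {s['Public IP']:<16} "
              f"{s['Encryption']}/{s['Hashing']}  weak={is_weak(s)}")
    for cmd in logoff_commands(weak_sessions(found)):
        print("would run:", cmd)
```

Because the logoff is by username, the command kicks every session that user has open, not just the weak one; if you only want the one session, the index printed by ‘show vpn-sessiondb’ is the more precise key to use.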
Wrap up
So now that we have an idea of how it works for WebVPN connections, let’s use the trusty ‘?’ to see what else we can do with ‘vpn-sessiondb’.
ASA# show vpn-sessiondb ?
detail Show detailed output
email-proxy Email-Proxy sessions
full Output formatted for data management programs
index Index of session
l2l IPsec LAN-to-LAN sessions
ratio Show VPN Session protocol or encryption ratios
remote IPsec Remote Access sessions
summary Show VPN Session summary
svc SSL VPN Client sessions
vpn-lb VPN Load Balancing Mgmt sessions
webvpn WebVPN sessions
| Output modifiers
<cr>
As you can see, you can use the vpn-sessiondb command to look at each type of VPN connection. While I usually still use the ‘show crypto’ commands for IPsec connections, you HAVE to use vpn-sessiondb for AnyConnect and WebVPN. (On newer ASA software the AnyConnect keyword is ‘anyconnect’ rather than ‘svc’, so check the ‘?’ output on your own box.) Play around with it, and remember, the ‘?’ is your best friend!