Showing and logging off VPN sessions via the ASA CLI

You could add this to my ‘Commands I always forget’ post, but since I’m going to turn this into a little bit of a walk through I decided to make it into it’s own post.  Most admins use two commands to verify IPSec VPN security associations.  Those, of course, are…

ASA# show crypto isakmp sa

and

ASA# show crypto ipsec sa

Both of these commands provide you with a wealth of information about the IPSec connection.  However, what about if you start talking about SSL VPN sessions?  Or WebVPN sessions?  Since these technically aren’t IPSec connections, they don’t show up in the ‘show crpypto’ commands.  Below I’ll walk through a couple of commands which show you some more information about all types of VPN connections.

How to see current WebVPN Sessions
ASA# show vpn-sessiondb webvpn
Session Type: WebVPN
Username     : langemakj              Index        : 13
Public IP    : 10.20.30.78
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 147092                 Bytes Rx     : 31993
Group Policy : GP_SSLVPN              Tunnel Group : TG_SSLVPN
Login Time   : 14:04:01 CST Thu Jul 29 2010
Duration     : 0h:00m:11s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
Notes: So as you can see, this gives you a ton of info on the connection including the users group policy, tunnel group, and their public IP (Note: I’m testing off of the internal ASA interface hence the RFC 1918 addressing).

How to log off current WebVPN Sessions
ASA# vpn-sessiondb logoff name langemakj
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "langemakj" logged off : 1
Notes: What’s interesting about the log off procedure is that its done by tunnel group or username.  Note in this instance, I don’t even have to note that it’s a WebVPN session that I want to log off.  Conversely, if I wanted to log off all of the WebVPN sessions I could just input ‘vpn-sessiondb logoff webvpn’ which would log off all users connected to WebVPN.

Wrap up
So now that we have an idea of how it works with WebVPN connections, let’s use the trusty ‘?’ to see what else we can do with the ‘vpn-sessiondb’.

ASA# show vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers
  <cr>

As you can see, you can use the vpn-sessiondb command to look at each type of VPN connection.  While I usually still use the ‘show crypto’ commands for IPSec connections, you HAVE to use the vpn-sessiondb for AnyConnect and WebVPN.  Play around with it, remember, the ‘?’ is your best friend!

1 thought on “Showing and logging off VPN sessions via the ASA CLI

Leave a Reply

Your email address will not be published. Required fields are marked *