
ASA Remote Access VPN State:Connected showing user connected for 9 months


Hello experts,

My ASA remote access VPN is showing wrong data in State: connected. At the moment it only shows 15, but the actual connections are 90. It also shows that the user has been connected for the last 9 months, which is totally wrong, and it looks like it hangs or is connected forever.

Can anyone explain why it happened? (Please see the attached screenshot.)

Thanks in advance.

 


I would agree with @rschroeder, probably someone that never disconnects. Could be a remote office that never turns off the equipment.

If you create a report with the SWQL below it will show who is connected and when they connected/disconnected, how much data they consumed. May be helpful.

SELECT [data].[OrionNode].[DisplayName] AS [DisplayName],
       [data].[RemoteAccessSessions].[UserName] AS [UserName],
       toLocal([data].[RemoteAccessSessions].[ConnectedTime]) AS [ConnectedTime],
       toLocal([data].[RemoteAccessSessions].[DisconnectedTime]) AS [DisconnectedTime],
       [data].[RemoteAccessSessions].[InTotalBytes] AS [InTotalBytes],
       [data].[RemoteAccessSessions].[OutTotalBytes] AS [OutTotalBytes],
       [data].[RemoteAccessSessions].[RasProtocol] AS [RasProtocol],
       [data].[RemoteAccessSessions].[ClientInfo] AS [ClientInfo],
       [data].[InstanceSiteId] AS [InstanceSiteId]
FROM orion.asa.node AS data


That's a beautiful query, @bobmarley. Thank you for sharing it!

Rick Schroeder

I like your query, and would love advice for filtering out the reported devices. I have 100+ ASAs, but only two in which AnyConnect is supported. Can you help me adjust the query so only information from these two ASAs is displayed?

Add this to the end of Marc's query. You can use partial names since the % wildcard is there. If you have more than one node you can also do OR LIKE and add them on to the end.

 

and DisplayName LIKE '%YOURNODENAMEHERE%'

This may work for you

SELECT [data].[OrionNode].[DisplayName] AS [DisplayName],
       [data].[RemoteAccessSessions].[UserName] AS [UserName],
       toLocal([data].[RemoteAccessSessions].[ConnectedTime]) AS [ConnectedTime],
       toLocal([data].[RemoteAccessSessions].[DisconnectedTime]) AS [DisconnectedTime],
       [data].[RemoteAccessSessions].[InTotalBytes] AS [InTotalBytes],
       [data].[RemoteAccessSessions].[OutTotalBytes] AS [OutTotalBytes],
       [data].[RemoteAccessSessions].[RasProtocol] AS [RasProtocol],
       [data].[RemoteAccessSessions].[ClientInfo] AS [ClientInfo],
       [data].[InstanceSiteId] AS [InstanceSiteId]
FROM orion.asa.node AS data
WHERE [data].[RemoteAccessSessions].[UserName] IS NOT NULL
- Marc Netterfield, Github
That did it--thank you!

Rick

Depending on your AnyConnect or other VPN connection configuration, as well as group policies applied (or NOT applied) to the device, it's possible for a client to stay connected many months. Keep-alives and time-outs, improperly implemented, can keep a tunnel up for as long as power and physical connectivity remain.

Any time I see a user connected for more than seven days I reach out to the teams supporting that user and their remote device(s), asking whether it's imperative for that user to always be connected. Up until COVID-19, it was never necessary. But now that we're moving to AOVPN for its simplicity, devices will remain always attached as long as they have power and network connectivity.

But that connectivity no longer terminates on our ASAs, so it's a different type of thing for monitoring.

Could these ideas explain why one or more users are reported as having been connected for a seemingly unusually long time?

 

Any chance that the ASA poller stopped working on that node for some reason and it's showing stale data? I recently had a vaguely similar situation because someone had forgotten to update the ASA service account on some of our nodes after the password got rotated.
- Marc Netterfield, Github
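
An added example, not code from any poster in this thread: the seven-day review threshold and the stale-data question raised above, applied to two CSV exports of the SWQL report taken a day apart. The node names, users, and values are constructed, and it assumes an empty DisconnectedTime means the session is still open and that timestamps are the local times the report returns.

```python
import csv
import io
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample exports of the report, taken a day apart (not real data).
# Column names follow the SWQL query in the thread.
HEADER = "DisplayName,UserName,ConnectedTime,DisconnectedTime,InTotalBytes,OutTotalBytes\n"
EXPORT_DAY1 = HEADER + (
    "asa-edge-01,alice,2024-05-01 08:00:00,2024-05-01 17:30:00,1200,3400\n"
    "asa-edge-01,branch-router,2023-08-10 02:15:00,,987654000,123456000\n"
    "asa-edge-02,carol,2024-05-09 23:59:00,,100,200\n"
)
EXPORT_DAY2 = HEADER + (
    "asa-edge-01,branch-router,2023-08-10 02:15:00,,987654000,123456000\n"
    "asa-edge-02,bob,2024-05-18 09:00:00,,5500,7700\n"
    "asa-edge-02,,,,,\n"
    "asa-edge-02,carol,2024-05-09 23:59:00,,96100,48200\n"
)


def open_sessions(csv_text):
    """Map (node, user, connected) -> total bytes for sessions still open."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Skip nodes with no sessions (empty UserName) and closed sessions.
        # Assumption: an empty DisconnectedTime means the session is open.
        if not row["UserName"] or row["DisconnectedTime"]:
            continue
        key = (row["DisplayName"], row["UserName"], row["ConnectedTime"])
        sessions[key] = int(row["InTotalBytes"]) + int(row["OutTotalBytes"])
    return sessions


def review_list(previous_csv, current_csv, now, max_age=timedelta(days=7)):
    """Open sessions older than max_age, oldest first, with a counter check."""
    before, flagged = open_sessions(previous_csv), []
    for key, total in open_sessions(current_csv).items():
        age = now - datetime.strptime(key[2], FMT)
        if age > max_age:
            # Counters that did not move between exports point to an idle
            # tunnel or to stale poll data rather than an active user.
            flagged.append({"node": key[0], "user": key[1], "days": age.days,
                            "counters_moved": before.get(key) != total})
    return sorted(flagged, key=lambda s: s["days"], reverse=True)


if __name__ == "__main__":
    for s in review_list(EXPORT_DAY1, EXPORT_DAY2, datetime(2024, 5, 20, 12, 0)):
        print(s)
```

A long-lived session whose counters keep moving fits the always-on device explanation; one whose counters are frozen is the one to check against the poller's status for that node.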