Cisco Bug: CSCtd60453 - Need syslog message, if split-tunnel ACL from Radius does not exist

Last Modified

Dec 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.0(5) 8.2(1) 8.2(1.11)

Description (partial)

Symptom:
This is an enhancement request to have the ASA generate a level 3 syslog message, whenever the Split Tunnel ACL assigned via Radius does not exist on the ASA.

At the moment the connection attempt (e.g. via AnyConnect) simply fails in that case, and the only trace the ASA leaves is the following "Reset-I" teardown message:

---snip---
%ASA-6-302014: Teardown TCP connection 435 for outside:<client_ip>/<client_port> to identity:<asa_ip>/443 duration 0:00:10 bytes 27255 TCP Reset-I
---snip---

Conditions:
1. ASA running any software version before the implementation of this feature with Remote Access VPN configured
2. Remote Access VPN users are authenticated against a Radius server
3. The Radius server returns the "IPSec-Split-Tunnel-List" attribute for this user
4. The ACL named in the "IPSec-Split-Tunnel-List" value the Radius server returns does not exist on the ASA
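Because the ASA gives no dedicated syslog for this condition, two checks are useful in practice: verify ahead of time that every ACL name the Radius server can return actually exists in the running configuration, and recognise the %ASA-6-302014 "Reset-I" teardown to the identity interface on 443 that is the only symptom the page reports. The following is an added example, not Cisco's code or anything from the bug itself; the config excerpt, the user-to-ACL mapping and the log line are all constructed, and the access-list syntax is assumed to be the standard ASA form.

```python
"""Pre-check and symptom detection for a split-tunnel ACL that Radius names
but the ASA does not define. Added example; all inputs are constructed."""
from __future__ import annotations

import re

# Constructed ASA running-config excerpt (assumes standard ASA access-list syntax).
ASA_CONFIG = """\
access-list SPLIT_CORP standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_CORP standard permit 192.168.10.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list SPLIT_LAB remark lab networks reachable through the tunnel
access-list SPLIT_LAB standard permit 172.16.0.0 255.240.0.0
"""

# Constructed mapping: VPN user -> ACL name the Radius server returns in the
# IPSec-Split-Tunnel-List attribute for that user. SPLIT_FINANCE is a typo
# that is never defined on the ASA, i.e. exactly the bug's condition 4.
RADIUS_SPLIT_TUNNEL = {
    "alice": "SPLIT_CORP",
    "bob": "SPLIT_LAB",
    "carol": "SPLIT_FINANCE",
}

# Every line starting with "access-list <name>" defines (part of) that ACL,
# remark lines included.
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s", re.MULTILINE)


def acl_names(config: str) -> set[str]:
    """Return every ACL name defined by an access-list line in the config."""
    return set(ACL_LINE.findall(config))


def missing_split_tunnel_acls(config: str, assignments: dict[str, str]) -> dict[str, str]:
    """Map user -> ACL name for each Radius assignment naming an ACL the ASA lacks."""
    defined = acl_names(config)
    return {user: acl for user, acl in assignments.items() if acl not in defined}


# %ASA-6-302014 teardown with "Reset-I" toward the ASA's own identity interface,
# the message the page shows for the failed AnyConnect attempt.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+) to "
    r"identity:(?P<dst_ip>[^/]+)/(?P<dst_port>\d+) duration (?P<duration>\S+) "
    r"bytes (?P<bytes>\d+) TCP Reset-I"
)


def identity_reset(line: str) -> dict[str, object] | None:
    """Return the parsed fields if `line` is a Reset-I teardown to the identity
    interface on port 443, otherwise None. A match is only a hint: other
    failures on the VPN listener produce the same message, so pair it with the
    pre-check above rather than treating it as proof of a missing ACL."""
    m = TEARDOWN.search(line)
    if not m or m.group("dst_port") != "443":
        return None
    fields: dict[str, object] = m.groupdict()
    fields["conn"] = int(m.group("conn"))
    fields["bytes"] = int(m.group("bytes"))
    return fields


if __name__ == "__main__":
    print("Radius ACLs missing on the ASA:", missing_split_tunnel_acls(ASA_CONFIG, RADIUS_SPLIT_TUNNEL))
    sample = ("%ASA-6-302014: Teardown TCP connection 435 for outside:198.51.100.7/51234 "
              "to identity:203.0.113.10/443 duration 0:00:10 bytes 27255 TCP Reset-I")
    print("Reset-I to identity:443:", identity_reset(sample))
```

Run the pre-check whenever the Radius policy or the ASA configuration changes; the 302014 parser is only a fallback for spotting the symptom in existing logs, since the same teardown appears for unrelated TLS failures on the VPN listener.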