Cisco ASA vpn-sessiondb detail l2l breaking on IPsec protocol #1924

Closed
ppisnjak opened this issue Dec 5, 2024 · 0 comments · Fixed by #1925
ppisnjak commented Dec 5, 2024

ISSUE TYPE
  • Template Issue with error and raw data
TEMPLATE USING
Value Filldown,Required SESSION_TYPE (\S+)
Value Filldown CONNECTION (\S+)
Value Filldown INDEX (\d+)
Value Filldown IP_ADDRESS (\d+\.\d+\.\d+\.\d+)
Value Filldown PROTOCOL (.+?)
Value Filldown ENCRYPTION (.+?)
Value Filldown HASHING (.+?)
Value Filldown TOTAL_BYTES_TRANSMITTED (\d+)
Value Filldown TOTAL_BYTES_RECEIVED (\d+)
Value Filldown LOGIN_TIME (\d+:\d+:\d+)
Value Filldown LOGIN_TIME_ZONE (\S+)
Value Filldown LOGIN_WEEKDAY (\w+)
Value Filldown LOGIN_MONTH (\w+)
Value Filldown LOGIN_DAY (\d+)
Value Filldown LOGIN_YEAR (\d+)
Value Filldown DURATION (.+?)
Value Filldown FILTER_NAME (.*?)
Value Filldown TOTAL_IKE_SESSIONS (\d+)
Value Filldown TOTAL_IPSEC_SESSIONS (\d+)
Value CONNECTION_TYPE (\S+)
Value SESSION_ID (\d+)
Value UDP_SRC_PORT (\d+)
Value UDP_DST_PORT (\d+)
Value NEGOTIAION_MODE (\w+)
Value AUTHENTICATION_MODE (\w+)
Value REMOTE_AUTHENTICATION_MODE (\S+|)
Value LOCAL_AUTHENTICATION_MODE (\S+|)
Value ENCRYPTION_METHOD (\S+)
Value HASH_METHOD (\w+)
Value REKEY_INTERVAL (\d+)
Value REKEY_INTERVAL_UNIT (\S+)
Value REKEY_TIME_LEFT (\d+)
Value REKEY_TIME_LEFT_UNIT (\S+)
Value REKEY_DATA_INTERVAL (\d+)
Value REKEY_DATA_INTERVAL_UNIT (\S+)
Value REKEY_DATA_REMAINING (\d+)
Value REKEY_DATA_REMAINING_UNIT (\S+)
Value IDLE_TIMEOUT_INTERVAL (\d+)
Value IDLE_TIMEOUT_INTERVAL_UNIT (\S+)
Value IDLE_TIMEOUT_REMAINING (\d+)
Value IDLE_TIMEOUT_REMAINING_UNIT (\S+)
Value PRF (\S+)
Value DH_GROUP (\d+)
Value IPV6_FILTER_NAME (.*?)
Value LOCAL_ADDRESS_NETWORK (\d+\.\d+\.\d+\.\d+)
Value LOCAL_ADDRESS_MASK (\d+\.\d+\.\d+\.\d+)
Value REMOTE_ADDRESS_NETWORK (\d+\.\d+\.\d+\.\d+)
Value REMOTE_ADDRESS_MASK (\d+\.\d+\.\d+\.\d+)
Value ENCAPSULATION (\w+)
Value PFS_GROUP (\d+)
Value BYTES_TRANSMITTED (\d+)
Value BYTES_RECEIVED (\d+)
Value PACKETS_TRANSMITTED (\d+)
Value PACKETS_RECEIVED (\d+)
Value REVAL_TIMEOUT (\d+)
Value REVAL_TIMOUT_UNIT (\S+)
Value REVAL_TIMEOUT_REMAINING (\d+)
Value REVAL_TIMEOUT_REMAINING_UNIT (\S+)
Value STATUS_QUERY_INTERVAL (\S+)
Value STATUS_QUERY_INTERVAL_UNIT (\S+)
Value EAP_OVER_UDP_TIMER (\d+)
Value EAP_OVER_UDP_TIMER_UNIT (\S+)
Value POSTURE_HOLDTIME_REMAINING (\d+)
Value POSTURE_HOLDTIME_REMAINING_UNIT (\S+)
Value POSTURE_TOKEN (.*?)
Value REDIRECT_URL (.*?)


Start
  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$ -> Connection
  ^\s*$$
  ^. -> Error

Connection
  ^\s*Connection\s*:\s+${CONNECTION}\s*$$
  ^\s*Index\s*:\s+${INDEX}\s+IP\s+Addr\s*:\s+${IP_ADDRESS}\s*$$
  ^\s*Protocol\s*:\s+${PROTOCOL}(?:\s+Encryption\s*:\s+${ENCRYPTION}|)\s*$$
  ^\s*Encryption\s*:\s+${ENCRYPTION}\s+Hashing\s*:\s+${HASHING}\s*$$
  ^\s*Encryption\s*:\s+${ENCRYPTION}\s*$$
  ^\s*Hashing\s*:\s+${HASHING}\s*$$
  ^\s*Bytes\s+Tx\s*:\s+${TOTAL_BYTES_TRANSMITTED}\s+Bytes\s+Rx\s*:\s+${TOTAL_BYTES_RECEIVED}\s*$$
  ^\s*Login\s+Time\s*:\s+${LOGIN_TIME}\s+${LOGIN_TIME_ZONE}\s+${LOGIN_WEEKDAY}\s+${LOGIN_MONTH}\s+${LOGIN_DAY}\s+${LOGIN_YEAR}\s*$$
  ^\s*Duration\s*:\s+${DURATION}\s*$$
  ^\s*Filter\s+Name\s*:\s*${FILTER_NAME}\s*$$
  ^\s*IKE(?:[Vv]\d|)\s+Sessions:\s+${TOTAL_IKE_SESSIONS}\s+IPSec\s+Sessions:\s+${TOTAL_IPSEC_SESSIONS}\s*$$
  ^\s*IKE(?:[Vv]\d|)\s+Tunnels:\s*${TOTAL_IKE_SESSIONS}\s*$$
  ^\s*IP[Ss]ec\s+Tunnels:\s*${TOTAL_IPSEC_SESSIONS}\s*$$
  ^\s*IP[Ss]ecOverNatT\s+Tunnels:\s*${TOTAL_IPSEC_SESSIONS}\s*$$
  ^\s*${CONNECTION_TYPE}:\s*$$ -> Continue
  ^\s*IKE(?:[Vv]\d|): -> IKE
  ^\s*IP[Ss]ec: -> IPSec
  ^\s*NAC: -> NAC
  ^\s*Connection\s*: -> Continue.Record
  ^\s*Connection\s*:\s+${CONNECTION}\s*$$
  ^Session\s+Type -> Continue.Record
  ^Session\s+Type -> Continue.Clearall
  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$
  ^\s*$$
  ^. -> Error

IKE
  ^\s*(Session|Tunnel)\s+ID\s*:\s+(?:\d+\.|)${SESSION_ID}\s*$$
  ^\s*UDP\s+Src\s+Port\s*:\s+${UDP_SRC_PORT}\s+UDP\s+Dst\s+Port\s*:\s+${UDP_DST_PORT}\s*$$
  ^\s*Rem\s+Auth\s+Mode\s*:\s*${REMOTE_AUTHENTICATION_MODE}\s*$$
  ^\s*Loc\s+Auth\s+Mode\s*:\s*${LOCAL_AUTHENTICATION_MODE}\s*$$
  ^\s*IKE\s+Neg\s+Mode\s*:\s+${NEGOTIAION_MODE}\s+Auth\s+Mode\s*:\s+${AUTHENTICATION_MODE}\s*$$
  ^\s*Encryption\s*:\s+${ENCRYPTION_METHOD}\s+Hashing\s*:\s+${HASH_METHOD}\s*$$
  ^\s*Encapsulation\s+:\s*${ENCAPSULATION}\s*$$
  ^\s*Rekey\s+Int\s+\([Tt]\):\s+${REKEY_INTERVAL}\s+${REKEY_INTERVAL_UNIT}\s+Rekey\s+Left\([Tt]\):\s+${REKEY_TIME_LEFT}\s+${REKEY_TIME_LEFT_UNIT}\s*$$
  ^\s*Rekey\s+Int\s+\([Dd]\):\s+${REKEY_DATA_INTERVAL}\s+${REKEY_DATA_INTERVAL_UNIT}\s+Rekey\s+Left\([Dd]+\):\s+${REKEY_DATA_REMAINING}\s+${REKEY_DATA_REMAINING_UNIT}\s*$$
  ^\s*(?:PRF\s*:\s+${PRF}\s+|)D\/H\s+Group\s*:\s+${DH_GROUP}\s*$$
  ^\s*Filter\s+Name\s+:\s*${FILTER_NAME}\s*$$
  ^\s*IPv6\s+Filter\s+:\s*${IPV6_FILTER_NAME}\s*$$
  ^\s*\S+:\s*$$ -> Continue.Record
  ^\s*${CONNECTION_TYPE}:\s*$$ -> Continue
  ^\s*IKE(?:[Vv]\d|): -> IKE
  ^\s*IP[Ss]ec(?:OverNatT|): -> IPSec
  ^\s*NAC: -> NAC
  ^\s*Connection\s*: -> Continue.Record
  ^\s*Connection\s*:\s+${CONNECTION}\s*$$ -> Connection
  ^Session\s+Type -> Continue.Record
  ^Session\s+Type -> Continue.Clearall
  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$ -> Connection
  ^\s*$$
  ^. -> Error

IPSec
  ^\s*(Session|Tunnel)\s+ID\s*:\s+(?:\d+\.|)${SESSION_ID}\s*$$
  ^\s*Local\s+Addr\s*:\s+${LOCAL_ADDRESS_NETWORK}\/${LOCAL_ADDRESS_MASK}
  ^\s*Remote\s+Addr\s*:\s+${REMOTE_ADDRESS_NETWORK}\/${REMOTE_ADDRESS_MASK}
  ^\s*Encryption\s*:\s+${ENCRYPTION_METHOD}\s+Hashing\s*:\s+${HASH_METHOD}\s*$$
  ^\s*Encapsulation\s*:\s+${ENCAPSULATION}(?:\s+PFS\s+Group\s*:\s+${PFS_GROUP}|)\s*$$
  ^\s*Rekey\s+Int\s+\([Tt]\):\s+${REKEY_INTERVAL}\s+${REKEY_INTERVAL_UNIT}\s+Rekey\s+Left\([Tt]\):\s+${REKEY_TIME_LEFT}\s+${REKEY_TIME_LEFT_UNIT}\s*$$
  ^\s*Rekey\s+Int\s+\([Dd]\):\s+${REKEY_DATA_INTERVAL}\s+${REKEY_DATA_INTERVAL_UNIT}\s+Rekey\s+Left\([Dd]+\):\s+${REKEY_DATA_REMAINING}\s+${REKEY_DATA_REMAINING_UNIT}\s*$$
  ^\s*Idle\s+Time\s+Out\s*:\s+${IDLE_TIMEOUT_INTERVAL}\s+${IDLE_TIMEOUT_INTERVAL_UNIT}\s+Idle\s+TO\s+Left\s*:\s+${IDLE_TIMEOUT_REMAINING}\s+${IDLE_TIMEOUT_REMAINING_UNIT}\s*$$             
  ^\s*Bytes\s+Tx\s*:\s+${BYTES_TRANSMITTED}\s+Bytes\s+Rx\s*:\s+${BYTES_RECEIVED}\s*$$
  ^\s*Pkts\s+Tx\s*:\s+${PACKETS_TRANSMITTED}\s+Pkts\s+Rx\s*:\s+${PACKETS_RECEIVED}\s*$$
  ^\s*\S+:\s*$$ -> Continue.Record
  ^\s*${CONNECTION_TYPE}:\s*$$ -> Continue
  ^\s*IKE(?:[Vv]\d|): -> IKE
  ^\s*IP[Ss]ec(?:OverNatT|): -> IPSec
  ^\s*NAC: -> NAC
  ^\s*Connection\s*: -> Continue.Record
  ^\s*Connection\s*:\s+${CONNECTION}\s*$$ -> Connection
  ^Session\s+Type -> Continue.Record
  ^Session\s+Type -> Continue.Clearall
  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$ -> Connection
  ^\s*$$
  ^. -> Error

NAC
  ^\s*Reval\s+Int\s+\(\w\)\s*:\s+${REVAL_TIMEOUT}\s+${REVAL_TIMOUT_UNIT}\s+Reval\s+Left\s*\(\w\)\s*:\s+${REVAL_TIMEOUT_REMAINING}\s+${REVAL_TIMEOUT_REMAINING_UNIT}\s*$$
  ^\s*SQ\s+Int\s+\(\w\)\s*:\s+${STATUS_QUERY_INTERVAL}\s+${STATUS_QUERY_INTERVAL_UNIT}\s+EoU\s+Age\(\w\)\s*:\s+${EAP_OVER_UDP_TIMER}\s+${EAP_OVER_UDP_TIMER_UNIT}\s*$$
  ^\s*Hold\s+Left\s+\(\w\)\s*:\s+${POSTURE_HOLDTIME_REMAINING}\s+${POSTURE_HOLDTIME_REMAINING_UNIT}\s+Posture\s+Token\s*:\s*${POSTURE_TOKEN}\s*$$
  ^\s*Redirect\s+URL\s*:\s*${REDIRECT_URL}\s*$$
  ^\s*\S+:\s*$$ -> Continue.Record
  ^\s*${CONNECTION_TYPE}:\s*$$ -> Continue
  ^\s*IKE(?:[Vv]\d|): -> IKE
  ^\s*IP[Ss]ec(?:OverNatT|): -> IPSec
  ^\s*NAC: -> NAC
  ^\s*Connection\s*: -> Continue.Record
  ^\s*Connection\s*:\s+${CONNECTION}\s*$$ -> Connection
  ^Session\s+Type -> Continue.Record
  ^Session\s+Type -> Continue.Clearall
  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$ -> Connection
  ^\s*$$
  ^. -> Error
SAMPLE COMMAND OUTPUT
Session Type: LAN-to-LAN Detailed

Connection   :
Index        : 868418                 IP Addr      : 1.1.6.171
Protocol     : IPsec
Encryption   : IPsec: (7)AES256       Hashing      : IPsec: (7)SHA1
Bytes Tx     : 115300336247           Bytes Rx     : 1834527839208
Login Time   : 18:08:26 GMT Fri Sep 20 2024
Duration     : 75d 19h:30m:22s

IPsec Tunnels: 7

IPsec:
  Tunnel ID    : 868418.1
  Local Addr   : 2.2.74.78/255.255.255.255/0/0
  Remote Addr  : 10.14.35.0/255.255.255.240/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 2317 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 41095150079            Bytes Rx     : 366446414037
  Pkts Tx      : 254202973              Pkts Rx      : 355730489

IPsec:
  Tunnel ID    : 868418.2
  Local Addr   : 2.2.74.78/255.255.255.255/0/0
  Remote Addr  : 10.14.35.16/255.255.255.240/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 15942 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 54686717877            Bytes Rx     : 1434452439497
  Pkts Tx      : 531289498              Pkts Rx      : 1154081904

IPsec:
  Tunnel ID    : 868418.3
  Local Addr   : 2.2.74.78/255.255.255.255/0/0
  Remote Addr  : 10.14.35.32/255.255.255.240/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 7834 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 19515989153            Bytes Rx     : 33628551468
  Pkts Tx      : 90090421               Pkts Rx      : 78341377

IPsec:
  Tunnel ID    : 868418.2684
  Local Addr   : 2.2.74.78/255.255.255.255/0/0
  Remote Addr  : 10.14.58.48/255.255.255.240/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28609 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 0
  Pkts Tx      : 0                      Pkts Rx      : 0

IPsec:
  Tunnel ID    : 868418.2685
  Local Addr   : 2.2.74.78/255.255.255.255/0/0
  Remote Addr  : 10.14.58.32/255.255.255.240/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28609 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 0
  Pkts Tx      : 0                      Pkts Rx      : 0

IPsec:
  Tunnel ID    : 868418.2686
  Local Addr   : 2.2.74.78/255.255.255.255/0/0
  Remote Addr  : 10.14.58.16/255.255.255.240/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28610 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 0
  Pkts Tx      : 0                      Pkts Rx      : 0

IPsec:
  Tunnel ID    : 868418.2687
  Local Addr   : 2.2.74.78/255.255.255.255/0/0
  Remote Addr  : 10.14.58.0/255.255.255.240/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28610 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 0
  Pkts Tx      : 0                      Pkts Rx      : 0


SUMMARY

It seems that sometimes the ASA returns Connection : without any/IP value. Not sure if this is an ASA bug? The missing value is still in the IP Addr : field though, so ideally the template could just skip such occurrences. The VPN is working. Also, the output shows 7 IPsec Tunnels, no IKE.

STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS

Getting the following output from the parser:

textfsm.parser.TextFSMError: State Error raised. Rule Line: 149. Input Line: Connection   :
jmcgill298 linked a pull request Dec 5, 2024 that will close this issue
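The State Error reported above can be reproduced offline. This is an added example, not code from the issue or the project: it replays, with Python's `re`, the IPSec-state rules from the posted template that can see a `Connection` line, and compares them with a hypothetical tolerant rule written like the template's own `(\S+|)` fields. The tolerant rule is an assumption, not the change made in #1925, and the line `Connection   : 1.1.6.171` is constructed.

```python
import re
from string import Template

# Rules of the template's IPSec state that can see a "Connection" line,
# copied in order from the template above (its other rules cannot match it).
IPSEC_RULES = [
    (r"^\s*\S+:\s*$$", "Continue.Record"),
    (r"^\s*${CONNECTION_TYPE}:\s*$$", "Continue"),
    (r"^\s*Connection\s*:", "Continue.Record"),
    (r"^\s*Connection\s*:\s+${CONNECTION}\s*$$", "Connection"),
    (r"^\s*$$", "Next"),
    (r"^.", "Error"),
]
VALUES = {"CONNECTION_TYPE": r"(\S+)", "CONNECTION": r"(\S+)"}


def compile_rule(rule, values):
    """Expand ${NAME} to a named group and $$ to a literal end-of-line $."""
    groups = {n: "(?P<%s>%s" % (n, rx[1:]) for n, rx in values.items()}
    return re.compile(Template(rule).substitute(groups))


def trace(line, rules, values):
    """Return (actions of every matching rule in order, captured values)."""
    actions, captured = [], {}
    for rule, action in rules:
        m = compile_rule(rule, values).match(line)
        if not m:
            continue
        actions.append(action)
        captured.update(m.groupdict())
        if not action.startswith("Continue"):
            break  # Next, a state change, or Error stops work on this line
    return actions, captured


# Hypothetical tolerant variant: the value becomes optional, written like the
# template's own (\S+|) fields, and \s+ after the colon is relaxed to \s*.
TOLERANT_VALUES = dict(VALUES, CONNECTION=r"(\S+|)")
TOLERANT_RULES = [
    (r"^\s*Connection\s*:\s*${CONNECTION}\s*$$", a) if a == "Connection"
    else (r, a)
    for r, a in IPSEC_RULES
]

if __name__ == "__main__":
    for line in ("Connection   : 1.1.6.171", "Connection   :"):
        print(repr(line), trace(line, IPSEC_RULES, VALUES),
              trace(line, TOLERANT_RULES, TOLERANT_VALUES))
```

With the posted rules the empty line matches only `^\s*Connection\s*:` (a `Continue.Record`) and then falls through to `^. -> Error`; the tolerant variant captures an empty `CONNECTION` and moves on.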