At the peak of Snowmageddon and Icemageddon this week, our remote-access VPN resources were getting some major exercise. Our office was even closed for a day, something that doesn’t happen often. Our 100 simultaneous AnyConnect SSL VPN licenses on our Cisco ASA were being used up by 9am 3 days in a row, preventing many people from getting connected. I’ve mentioned our secondary process in a previous post, where we have users download and install the IPSEC VPN client. But for those who know the products, that’s not as convenient as AnyConnect.
- How many people had problems connecting to the VPN?
- How many times were individual users failing to connect due to our license limit?
After some digging I was able to find the perfect ASA log entry:
In the “Example values” box I typed the two sample userIDs and clicked Generate, but in this particular case Splunk failed to generate a regex. So, I was forced to come up with one on my own.
After messing around with a free tool called RegExr, and after much wailing and gnashing of teeth, I was able to come up with a regular expression to extract the proper field:
Clicking on the “AnyConnectUser” field shows a list of the top 10 hits, including the number of occurrences for each. (Note that I’ve obfuscated many of the usernames for security.) But at this point we still don’t know how many users had problems connecting (we just know it’s more than 100). So we use some more Splunk magic: generate a report based on the search.
Clicking on “top values overall” brings up the report generation wizard.
After creating and saving the report, we can now get to it anytime from the main Search screen under the “Searches & Reports” drop-down menu:
Here’s the finished product:
After scrolling down we can see a table of the raw data:
We can then go to the last page of the table, scroll to the bottom, and see the total number of users that had at least one failure connecting to the VPN:
We had 194 users experience VPN connection problems due to our existing license limit.
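The same two questions (how many users hit the limit, and how often each one did) can be answered outside Splunk with a short script. This is an added example, not code from the original post: the log lines are constructed, the message wording and the `NNNNNN` message-ID placeholder are assumptions, and only the `AnyConnectUser` field name comes from the post.

```python
import re
from collections import Counter

# Constructed sample lines, not taken from the post. The message wording and
# the NNNNNN message-ID placeholder are assumptions.
SAMPLE_LOG = """\
Feb 02 08:58:11 asa01 %ASA-4-NNNNNN: Group <Remote> User <jsmith> IP <198.51.100.7> Session could not be established: session limit of 100 reached.
Feb 02 08:58:40 asa01 %ASA-4-NNNNNN: Group <Remote> User <akhan> IP <203.0.113.20> Session could not be established: session limit of 100 reached.
Feb 02 08:59:02 asa01 %ASA-6-NNNNNN: Group <Remote> User <blee> IP <198.51.100.9> Session started.
Feb 02 08:59:30 asa01 %ASA-4-NNNNNN: Group <Remote> User <JSmith> IP <198.51.100.7> Session could not be established: session limit of 100 reached.
Feb 02 09:01:15 asa01 %ASA-6-NNNNNN: Group <Remote> User <mjones> IP <203.0.113.44> Authentication rejected.
Feb 02 09:02:47 asa01 %ASA-4-NNNNNN: Group <Remote> User <mjones> IP <203.0.113.44> Session could not be established: session limit of 100 reached.
Feb 02 09:03:05 asa01 %ASA-4-NNNNNN: Group <Remote> User <akhan> IP <203.0.113.20> Session could not be established: session limit of 100 reached.
Feb 02 09:04:19 asa01 %ASA-4-NNNNNN: Group <Remote> User <jsmith> IP <198.51.100.7> Session could not be established: session limit of 100 reached.
"""

# Capture the username only on lines that report the license/session limit,
# so successful logins and other failure reasons are not counted.
LIMIT_RE = re.compile(
    r"User <(?P<AnyConnectUser>[^>]+)>.*?"
    r"Session could not be established: session limit of (?P<limit>\d+) reached"
)

def limit_failures(lines):
    """Count license-limit failures per user, folding case so that
    'JSmith' and 'jsmith' are treated as the same account."""
    failures = Counter()
    for line in lines:
        m = LIMIT_RE.search(line)
        if m:
            failures[m.group("AnyConnectUser").lower()] += 1
    return failures

def summarize(failures, top=10):
    """Return (distinct users with at least one failure, top-N table)."""
    return len(failures), failures.most_common(top)

if __name__ == "__main__":
    users, table = summarize(limit_failures(SAMPLE_LOG.splitlines()))
    print(f"{users} users hit the license limit")
    for name, count in table:
        print(f"{name:10} {count}")
```

Folding case before counting matters for the distinct-user total, since the same person typing their ID with different capitalization would otherwise be counted twice.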