Cisco ASA 5505 Configuration Manual page 1595

Chapter 70
Monitoring VPN
The posture token is an informational text string that is configurable on the Access Control Server (ACS).
The ACS downloads the posture token to the adaptive security appliance for informational purposes,
to aid in system monitoring, reporting, debugging, and logging. A typical posture token that
follows the NAC result is one of the following: Healthy, Checkup, Quarantine, Infected, or Unknown.
The Details tab in the Session Details pane displays the following columns:
ID—Unique ID dynamically assigned to the session. The ID serves as the adaptive security
appliance index to the session. It uses this index to maintain and display information about the
session.
Type—Type of session: IKE, IPSec, or NAC.
Local Addr., Subnet Mask, Protocol, Port, Remote Addr., Subnet Mask, Protocol, and
Port—Addresses and ports assigned to both the actual (Local) peer and those assigned to this peer
for the purpose of external routing.
Encryption—Data encryption algorithm this session is using, if any.
Assigned IP Address and Public IP Address—Shows the private IP address assigned to the remote
peer for this session. Also called the inner or virtual IP address, the assigned IP address lets the
remote peer appear to be on the private network. The second field shows the public IP address of the
remote computer for this session. Also called the outer IP address, the public IP address is typically
assigned to the remote computer by the ISP. It lets the remote computer function as a host on the
public network.
Other—Miscellaneous attributes associated with the session.
The following attributes apply to an IKE session:
The following attributes apply to an IPSec session:
The following attributes apply to a NAC session:
OL-20339-01
Rejected—The ACS could not successfully validate the posture of the remote host.
Exempted—The remote host is exempt from posture validation according to the Posture
Validation Exception list configured on the adaptive security appliance.
Non-Responsive—The remote host did not respond to the EAPoUDP Hello message.
Hold-off—The adaptive security appliance lost EAPoUDP communication with the remote host
after successful posture validation.
N/A—NAC is disabled for the remote host according to the VPN NAC group policy.
Unknown—Posture validation is in progress.
Revalidation Time Interval—Interval in seconds required between each successful posture
validation.
Time Until Next Revalidation—0 if the last posture validation attempt was unsuccessful.
Otherwise, the difference between the Revalidation Time Interval and the number of seconds
since the last successful posture validation.
Status Query Time Interval—Time in seconds allowed between each successful posture
validation or status query response and the next status query response. A status query is a
request made by the adaptive security appliance to the remote host to indicate whether the host
has experienced any changes in posture since the last posture validation.
EAPoUDP Session Age—Number of seconds since the last successful posture validation.
Hold-Off Time Remaining—0 seconds if the last posture validation was successful. Otherwise,
the number of seconds remaining before the next posture validation attempt.
Cisco ASA 5500 Series Configuration Guide using ASDM
VPN Statistics
70-7
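
One way to sanity-check collected NAC session values against the timer and status definitions above, as an added example that is not from the Cisco guide. The dict-per-session layout, key names, sample values, the `tolerance` parameter and the "Accepted" status used for a passing host are assumptions.

```python
# Added example. Keys mirror the NAC session attributes described above; the
# record layout and every sample value are constructed, not an ASDM export.
REVIEW_STATUS = {"Rejected", "Non-Responsive", "Hold-off"}
REVIEW_TOKEN = {"Quarantine", "Infected"}


def expected_reval_left(s):
    """Time Until Next Revalidation, computed from the guide's definition."""
    # A non-zero Hold-Off Time Remaining means the last validation failed,
    # in which case Time Until Next Revalidation is defined as 0.
    if s["holdoff_left"] > 0:
        return 0
    # Otherwise: Revalidation Time Interval minus EAPoUDP Session Age.
    return s["reval_interval"] - s["eapoudp_age"]


def triage(s, tolerance=2):
    """Return the findings for one NAC session record (empty list = nothing to review)."""
    findings = []
    if s["status"] in REVIEW_STATUS:
        findings.append("posture status " + s["status"])
    if s["token"] in REVIEW_TOKEN:
        findings.append("posture token " + s["token"])
    # Cross-check the displayed timer against the definition. `tolerance`
    # (seconds) is an assumed allowance for fields sampled at different instants.
    if abs(s["reval_left"] - expected_reval_left(s)) > tolerance:
        findings.append("revalidation timer inconsistent")
    return findings


# Constructed sample records. "Accepted" is assumed as the status of a host
# that passed validation; it does not appear in the excerpt above.
SESSIONS = [
    {"id": 1, "status": "Accepted", "token": "Healthy", "reval_interval": 36000,
     "eapoudp_age": 1200, "reval_left": 34800, "holdoff_left": 0},
    {"id": 2, "status": "Rejected", "token": "Infected", "reval_interval": 36000,
     "eapoudp_age": 500, "reval_left": 0, "holdoff_left": 120},
    {"id": 3, "status": "Accepted", "token": "Healthy", "reval_interval": 36000,
     "eapoudp_age": 1200, "reval_left": 0, "holdoff_left": 0},
]


def report(sessions=SESSIONS):
    """Map each session ID to its list of findings."""
    return {s["id"]: triage(s) for s in sessions}


if __name__ == "__main__":
    for sid, findings in report().items():
        print(sid, findings or "ok")
```

Session 3 is flagged only because its displayed timer disagrees with the interval and session age, which usually points to a collection or parsing error rather than a posture problem.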

This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580