Cisco AnyConnect SWG: How to enable the max debug logging

Overview

This guide explains the steps to enable the max debug logging on the Cisco AnyConnect SWG module.  It's useful to understand the details of each step performed by the SWG module when debugging issues like:

* Issue with Hotspots via Captive Portal 

* External Domain Bypass List is not taking effect

* Intermittent DNS or Web performance issue

Steps to enable max debug logging on Windows & MAC OS

By default, the max debug logging is not enabled.  It is also NOT configurable via the Umbrella dashboard or ASA. To enable it, we need to manually add "logLevel": "1" to the "orgConfig" object of SWGConfig.json. 

Location of SWGConfig.json

Windows(AnyConnect): C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\SWG\
Windows(Secure Client): C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\SWG\

MacOS(AnyConnect): /opt/cisco/anyconnect/umbrella/swg/
MacOS(Secure Client): /opt/cisco/secureclient/umbrella/swg

However the modified SWGConfig.json file will only last for a short period of time till the next API sync is performed by the Cisco AnyConnect Umbrella module. In order to make this max debug logging configuration persistent without being overwritten by the API sync, we can deploy swg_org_config.flag file in the umbrella/data folder.  Here are the steps:

1. Create a new file named "swg_org_config.flag" in the umbrella data folder. The file extension must to be in .flag extension.

Windows(AnyConnect): C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\data\swg_org_config.flag
Windows(Secure Client): C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\data\swg_org_config.flag

MacOS(AnyConnect): /opt/cisco/anyconnect/umbrella/data/swg_org_config.flag
MacOS(Secure Client): /opt/cisco/secureclient/umbrella/data/swg_org_config.flag

2. Copy the contents of the "orgConfig" object from the SWGConfig.json file to the "swg_org_config.flag" file and then append with  "logLevel": "1". For example:

{ "exceptionList": [ "www.example.com", "smh.com.au", "*.smh.com.au", "www.blue.com", "*.www.blue.com", "146.112.133.72", "146.112.133.73", "146.112.133.76", "146.112.193.40", "146.112.193.41", "146.112.193.85", "146.112.193.87", "146.112.193.88", "146.112.194.36", "146.112.194.37", "146.112.194.38", "146.112.194.39", "146.112.194.75", "146.112.194.77", "146.112.194.78", "146.112.194.80", "146.112.194.82", "146.112.194.83", "146.112.195.42", "146.112.195.43", "146.112.195.90", "146.112.195.92", "146.112.195.93", "146.112.196.36", "146.112.196.37", "146.112.196.75", "146.112.196.77", "146.112.196.78", "146.112.198.40", "146.112.198.41", "146.112.198.85", "146.112.198.87", "146.112.198.88", "146.112.200.40", "146.112.200.41", "146.112.200.85", "146.112.200.87", "146.112.200.88", "146.112.201.36", "146.112.201.37", "146.112.201.38", "146.112.201.39", "146.112.201.75", "146.112.201.77", "146.112.201.78", "146.112.201.80", "146.112.201.82", "146.112.201.83", "146.112.203.36", "146.112.203.37", "146.112.203.75", "146.112.203.77", "146.112.203.78", "146.112.211.32", "146.112.211.33", "146.112.211.34", "146.112.211.35", "146.112.211.36", "146.112.211.37", "146.112.211.64", "146.112.211.66", "146.112.211.67", "146.112.211.68", "146.112.211.70", "146.112.211.71", "146.112.211.72", "146.112.211.74", "146.112.211.75", "146.112.61.0/24", "204.194.237.151", "204.194.237.152", "204.194.237.154", "204.194.237.155", "204.194.237.156", "204.194.237.157", "204.194.237.159", "204.194.237.160", "204.194.237.161", "204.194.237.162", "204.194.237.164", "204.194.237.165", "204.194.237.166", "204.194.237.167", "204.194.237.169", "204.194.237.170", "204.194.237.249", "204.194.237.25", "204.194.237.250", "204.194.237.251", "204.194.237.252", "204.194.237.26", "204.194.237.29", "204.194.237.30", "204.194.237.34", "204.194.238.12", "204.194.238.136", "204.194.238.137", "204.194.238.139", "204.194.238.140", "204.194.238.141", "204.194.238.142", "204.194.238.144", "204.194.238.145", "204.194.238.146", "204.194.238.147", "204.194.238.149", "204.194.238.150", "204.194.238.151", "204.194.238.152", "204.194.238.154", "204.194.238.155", "204.194.238.156", "204.194.238.157", "204.194.238.159", "204.194.238.16", "204.194.238.160", "204.194.238.20", "204.194.238.236", "204.194.238.237", "204.194.238.248", "204.194.238.249", "204.194.238.25", "204.194.238.250", "204.194.238.26", "204.194.238.29", "204.194.239.141", "204.194.239.142", "204.194.239.144", "204.194.239.145", "204.194.239.146", "204.194.239.147", "204.194.239.149", "204.194.239.150", "204.194.239.151", "204.194.239.152", "204.194.239.154", "204.194.239.155", "204.194.239.156", "204.194.239.157", "204.194.239.159", "204.194.239.16", "204.194.239.160", "204.194.239.20", "204.194.239.249", "204.194.239.25", "204.194.239.250", "204.194.239.251", "204.194.239.252", "204.194.239.26", "204.194.239.29", "208.67.216.151", "208.67.216.152", "208.67.216.154", "208.67.216.155", "208.67.216.156", "208.67.216.157", "208.67.216.159", "208.67.216.160", "208.67.216.25", "208.67.216.251", "208.67.216.252", "208.67.216.26", "208.67.216.29", "208.67.217.151", "208.67.217.152", "208.67.217.154", "208.67.217.155", "208.67.217.156", "208.67.217.157", "208.67.217.159", "208.67.217.160", "208.67.217.25", "208.67.217.251", "208.67.217.252", "208.67.217.26", "208.67.217.29", "208.67.217.30", "208.67.219.151", "208.67.219.152", "208.67.219.154", "208.67.219.155", "208.67.219.156", "208.67.219.157", "208.67.219.159", "208.67.219.160", "208.67.219.25", "208.67.219.251", "208.67.219.252", "208.67.219.26", "208.69.32.151", "208.69.32.152", "208.69.32.154", "208.69.32.155", "208.69.32.156", "208.69.32.157", "208.69.32.159", "208.69.32.160", "208.69.32.161", "208.69.32.162", "208.69.32.164", "208.69.32.165", "208.69.32.166", "208.69.32.167", "208.69.32.169", "208.69.32.170", "208.69.32.25", "208.69.32.250", "208.69.32.251", "208.69.32.252", "208.69.32.253", "208.69.32.26", "208.69.32.29", "208.69.32.30", "208.69.32.34", "208.69.33.151", "208.69.33.152", "208.69.33.154", "208.69.33.155", "208.69.33.156", "208.69.33.157", "208.69.33.159", "208.69.33.160", "208.69.33.25", "208.69.33.251", "208.69.33.252", "208.69.33.26", "208.69.33.29", "208.69.34.151", "208.69.34.152", "208.69.34.154", "208.69.34.155", "208.69.34.156", "208.69.34.157", "208.69.34.159", "208.69.34.160", "208.69.34.25", "208.69.34.251", "208.69.34.252", "208.69.34.26", "208.69.35.151", "208.69.35.152", "208.69.35.154", "208.69.35.155", "208.69.35.156", "208.69.35.157", "208.69.35.159", "208.69.35.160", "208.69.35.25", "208.69.35.251", "208.69.35.252", "208.69.35.26", "208.69.36.124", "208.69.36.125", "208.69.36.151", "208.69.36.152", "208.69.36.154", "208.69.36.155", "208.69.36.156", "208.69.36.157", "208.69.36.159", "208.69.36.160", "208.69.36.25", "208.69.36.26", "208.69.36.29", "208.69.36.30", "208.69.37.151", "208.69.37.152", "208.69.37.154", "208.69.37.155", "208.69.37.156", "208.69.37.157", "208.69.37.159", "208.69.37.160", "208.69.37.25", "208.69.37.251", "208.69.37.252", "208.69.37.26", "67.215.82.151", "67.215.82.152", "67.215.82.154", "67.215.82.155", "67.215.82.156", "67.215.82.157", "67.215.82.159", "67.215.82.160", "67.215.82.25", "67.215.82.251", "67.215.82.252", "67.215.82.26", "67.215.83.151", "67.215.83.152", "67.215.83.154", "67.215.83.155", "67.215.83.156", "67.215.83.157", "67.215.83.159", "67.215.83.160", "67.215.83.25", "67.215.83.251", "67.215.83.252", "67.215.83.26", "67.215.84.151", "67.215.84.152", "67.215.84.154", "67.215.84.155", "67.215.84.156", "67.215.84.157", "67.215.84.159", "67.215.84.160", "67.215.84.25", "67.215.84.251", "67.215.84.252", "67.215.84.26", "67.215.85.151", "67.215.85.152", "67.215.85.154", "67.215.85.155", "67.215.85.156", "67.215.85.157", "67.215.85.159", "67.215.85.160", "67.215.85.25", "67.215.85.251", "67.215.85.252", "67.215.85.26", "67.215.86.151", "67.215.86.152", "67.215.86.154", "67.215.86.155", "67.215.86.156", "67.215.86.157", "67.215.86.159", "67.215.86.160", "67.215.86.25", "67.215.86.251", "67.215.86.252", "67.215.86.26", "67.215.95.130", "67.215.95.131", "67.215.95.133", "67.215.95.146", "67.215.95.170", "67.215.95.171", "67.215.95.173", "67.215.95.186", "67.215.95.190", "67.215.95.191", "67.215.95.193", "67.215.95.194", "67.215.95.25", "67.215.95.26", "67.215.95.27", "67.215.70.40", "67.215.70.42", "67.215.70.126", "146.112.62.105", "67.215.92.0/23", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::/0", "208.67.220.220", "208.67.220.222", "208.67.222.220", "208.67.222.222", "ocsp.int-x3.letsencrypt.org", "isrg.trustid.ocsp.identrust.com", "*.opendns.com", "*.umbrella.com", "*.ultipro.com", "*.ultiproworkplace.com", "*.ultimatesoftware.com", "*.ultipro.ca", "*.ultiprotime.com", "*.ultiprorecruit.com", "*.ultipro-time-management.com" ], "failOpen": 1, "logLevel": "1", "swgAnycast": "146.112.255.50", "swgDomain": "swg-url-proxy-https.sigproxy.qq.opendns.com", "swgEchoService": "http://www.msftconnecttest.com/connecttest.txt" }

3. Restart Cisco AnyConnect Secure Mobility Agent/Secure Client service or reboot the machine.
 

Verification and provide max debug logs to Umbrella support

On Windows systems > Windows Event Viewer, if you see the similar log line below, which means Max Debug logging has been enabled successfully.

Example 1: 

BRIDGE | Thread 1d18 | Connection : Resolved IP from 'swg-url-proxy-https.sigproxy.qq.opendns.com' is 146.112.57.199

THREAD | Thread 1d18 | SetGUID '959bfe4d6fba87a65b433321c6748d761d9492cb'

Example 2: Any web request being proxied will be logged. Web request is bypassing AnyConnect SWG as per Internal / External Domain List will not be logged.

  LISTEN | Thread 1d18 | Connection : Hostnames from KDF are login.live.com

Tips: Use the PowerShell command below to convert max debug event logs (.evtx) into txt:

  C:> Get-WinEvent -Path C:\Desktop\Umbrella.evtx | Format-Table -AutoSize | Out-File C:\Desktop\Umbrella.txt -append -width 750

On Mac OSX, the debug logging can be viewed with this command (you can grep or write them in txt). Below is an example when a user browse purple.com while max debug logging is enabled:

AnyConnect

>log show --predicate 'subsystem contains "com.cisco.anyconnect.swg" || senderImagePath endswith "acswgagent"' --debug --info --last 2d | grep -i purple
2022-09-19 10:51:15.627229+1000 0x16b121   Default  0x0 98970  0  acswgagent: Connection : Hostnames from KDF are purple.com.

The max debug logging will be included in the Cisco AnyConnect DART Bundle. Once you have verified max debug logging is enabled successfully, please recreate the issue, record the timestamp/experience/domain in question and send them along with the Cisco AnyConnect DART Bundle 

Additional:

Since the max debug logging will generate verbose logs, please make sure the appropriate size of the Umbrella Roaming Security Module log has been configured in the Windows event viewer, especially troubleshooting the intermittent issue.

Delete or rename the swg_org_config.flag file to disable the max debug logging once troubleshooting has been completed so it doesn’t continue to generate the verbose logs.  

Notes

1. The configuration of SWGConfig.json file is case sensitive, it has to be "logLevel": "1" 
   The value of "logLevel" is a string 1 instead of an integer, therefore it has to be "1" with double quotes.
2.  The file extension of "swg_org_config.flag" has to be .flag, make sure it is not a .txt file
3. The max debug logging will generate sophisticated logs, please only enable it while requested by the Umbrella Support engineer.
4. "swg_org_config.flag" contains a list of static bypassed domains and it will not sync with External Domain listed on Dashboard > Domain Management