Overview
This guide explains how to enable max debug logging for the Cisco AnyConnect SWG module. Max debug logging shows the details of each step the SWG module performs, which is useful when troubleshooting issues such as website access problems or when working out which connections are being intercepted.
Steps
By default, the max debug logging is not enabled. It is also configurable via the Umbrella dashboard or ASA side. To enable it, manually add "logLevel":"1" to the "orgConfig" object of SWGConfig.json.
Location of SWGConfig.json
On Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\SWG\
On macOS: /opt/cisco/anyconnect/umbrella/swg/
However, the modified SWGConfig.json file only lasts for around 1 hour, until the next API sync performed by the Cisco AnyConnect Umbrella module. To make the max debug logging configuration persistent, so that it is not overwritten by the API sync, use a swg_org_config.flag file in the umbrella/data folder. Here are the steps:
1. Create a new file named "swg_org_config.flag" in the umbrella data folder. The file extension has to be .flag.
On Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\data\
On macOS: /opt/cisco/anyconnect/umbrella/data/
2. Copy the contents of the "orgConfig" object from the SWGConfig.json file to the "swg_org_config.flag" file, then append "logLevel":"1". For example:
{ "exceptionList": [ "www.example.com", "smh.com.au", "*.smh.com.au", "www.blue.com", "*.www.blue.com", "146.112.133.72", "146.112.133.73", "146.112.133.76", "146.112.193.40", "146.112.193.41", "146.112.193.85", "146.112.193.87", "146.112.193.88", "146.112.194.36", "146.112.194.37", "146.112.194.38", "146.112.194.39", "146.112.194.75", "146.112.194.77", "146.112.194.78", "146.112.194.80", "146.112.194.82", "146.112.194.83", "146.112.195.42", "146.112.195.43", "146.112.195.90", "146.112.195.92", "146.112.195.93", "146.112.196.36", "146.112.196.37", "146.112.196.75", "146.112.196.77", "146.112.196.78", "146.112.198.40", "146.112.198.41", "146.112.198.85", "146.112.198.87", "146.112.198.88", "146.112.200.40", "146.112.200.41", "146.112.200.85", "146.112.200.87", "146.112.200.88", "146.112.201.36", "146.112.201.37", "146.112.201.38", "146.112.201.39", "146.112.201.75", "146.112.201.77", "146.112.201.78", "146.112.201.80", "146.112.201.82", "146.112.201.83", "146.112.203.36", "146.112.203.37", "146.112.203.75", "146.112.203.77", "146.112.203.78", "146.112.211.32", "146.112.211.33", "146.112.211.34", "146.112.211.35", "146.112.211.36", "146.112.211.37", "146.112.211.64", "146.112.211.66", "146.112.211.67", "146.112.211.68", "146.112.211.70", "146.112.211.71", "146.112.211.72", "146.112.211.74", "146.112.211.75", "146.112.61.0/24", "204.194.237.151", "204.194.237.152", "204.194.237.154", "204.194.237.155", "204.194.237.156", "204.194.237.157", "204.194.237.159", "204.194.237.160", "204.194.237.161", "204.194.237.162", "204.194.237.164", "204.194.237.165", "204.194.237.166", "204.194.237.167", "204.194.237.169", "204.194.237.170", "204.194.237.249", "204.194.237.25", "204.194.237.250", "204.194.237.251", "204.194.237.252", "204.194.237.26", "204.194.237.29", "204.194.237.30", "204.194.237.34", "204.194.238.12", "204.194.238.136", "204.194.238.137", "204.194.238.139", "204.194.238.140", "204.194.238.141", "204.194.238.142", "204.194.238.144", "204.194.238.145", 
"204.194.238.146", "204.194.238.147", "204.194.238.149", "204.194.238.150", "204.194.238.151", "204.194.238.152", "204.194.238.154", "204.194.238.155", "204.194.238.156", "204.194.238.157", "204.194.238.159", "204.194.238.16", "204.194.238.160", "204.194.238.20", "204.194.238.236", "204.194.238.237", "204.194.238.248", "204.194.238.249", "204.194.238.25", "204.194.238.250", "204.194.238.26", "204.194.238.29", "204.194.239.141", "204.194.239.142", "204.194.239.144", "204.194.239.145", "204.194.239.146", "204.194.239.147", "204.194.239.149", "204.194.239.150", "204.194.239.151", "204.194.239.152", "204.194.239.154", "204.194.239.155", "204.194.239.156", "204.194.239.157", "204.194.239.159", "204.194.239.16", "204.194.239.160", "204.194.239.20", "204.194.239.249", "204.194.239.25", "204.194.239.250", "204.194.239.251", "204.194.239.252", "204.194.239.26", "204.194.239.29", "208.67.216.151", "208.67.216.152", "208.67.216.154", "208.67.216.155", "208.67.216.156", "208.67.216.157", "208.67.216.159", "208.67.216.160", "208.67.216.25", "208.67.216.251", "208.67.216.252", "208.67.216.26", "208.67.216.29", "208.67.217.151", "208.67.217.152", "208.67.217.154", "208.67.217.155", "208.67.217.156", "208.67.217.157", "208.67.217.159", "208.67.217.160", "208.67.217.25", "208.67.217.251", "208.67.217.252", "208.67.217.26", "208.67.217.29", "208.67.217.30", "208.67.219.151", "208.67.219.152", "208.67.219.154", "208.67.219.155", "208.67.219.156", "208.67.219.157", "208.67.219.159", "208.67.219.160", "208.67.219.25", "208.67.219.251", "208.67.219.252", "208.67.219.26", "208.69.32.151", "208.69.32.152", "208.69.32.154", "208.69.32.155", "208.69.32.156", "208.69.32.157", "208.69.32.159", "208.69.32.160", "208.69.32.161", "208.69.32.162", "208.69.32.164", "208.69.32.165", "208.69.32.166", "208.69.32.167", "208.69.32.169", "208.69.32.170", "208.69.32.25", "208.69.32.250", "208.69.32.251", "208.69.32.252", "208.69.32.253", "208.69.32.26", "208.69.32.29", "208.69.32.30", "208.69.32.34", 
"208.69.33.151", "208.69.33.152", "208.69.33.154", "208.69.33.155", "208.69.33.156", "208.69.33.157", "208.69.33.159", "208.69.33.160", "208.69.33.25", "208.69.33.251", "208.69.33.252", "208.69.33.26", "208.69.33.29", "208.69.34.151", "208.69.34.152", "208.69.34.154", "208.69.34.155", "208.69.34.156", "208.69.34.157", "208.69.34.159", "208.69.34.160", "208.69.34.25", "208.69.34.251", "208.69.34.252", "208.69.34.26", "208.69.35.151", "208.69.35.152", "208.69.35.154", "208.69.35.155", "208.69.35.156", "208.69.35.157", "208.69.35.159", "208.69.35.160", "208.69.35.25", "208.69.35.251", "208.69.35.252", "208.69.35.26", "208.69.36.124", "208.69.36.125", "208.69.36.151", "208.69.36.152", "208.69.36.154", "208.69.36.155", "208.69.36.156", "208.69.36.157", "208.69.36.159", "208.69.36.160", "208.69.36.25", "208.69.36.26", "208.69.36.29", "208.69.36.30", "208.69.37.151", "208.69.37.152", "208.69.37.154", "208.69.37.155", "208.69.37.156", "208.69.37.157", "208.69.37.159", "208.69.37.160", "208.69.37.25", "208.69.37.251", "208.69.37.252", "208.69.37.26", "67.215.82.151", "67.215.82.152", "67.215.82.154", "67.215.82.155", "67.215.82.156", "67.215.82.157", "67.215.82.159", "67.215.82.160", "67.215.82.25", "67.215.82.251", "67.215.82.252", "67.215.82.26", "67.215.83.151", "67.215.83.152", "67.215.83.154", "67.215.83.155", "67.215.83.156", "67.215.83.157", "67.215.83.159", "67.215.83.160", "67.215.83.25", "67.215.83.251", "67.215.83.252", "67.215.83.26", "67.215.84.151", "67.215.84.152", "67.215.84.154", "67.215.84.155", "67.215.84.156", "67.215.84.157", "67.215.84.159", "67.215.84.160", "67.215.84.25", "67.215.84.251", "67.215.84.252", "67.215.84.26", "67.215.85.151", "67.215.85.152", "67.215.85.154", "67.215.85.155", "67.215.85.156", "67.215.85.157", "67.215.85.159", "67.215.85.160", "67.215.85.25", "67.215.85.251", "67.215.85.252", "67.215.85.26", "67.215.86.151", "67.215.86.152", "67.215.86.154", "67.215.86.155", "67.215.86.156", "67.215.86.157", "67.215.86.159", 
"67.215.86.160", "67.215.86.25", "67.215.86.251", "67.215.86.252", "67.215.86.26", "67.215.95.130", "67.215.95.131", "67.215.95.133", "67.215.95.146", "67.215.95.170", "67.215.95.171", "67.215.95.173", "67.215.95.186", "67.215.95.190", "67.215.95.191", "67.215.95.193", "67.215.95.194", "67.215.95.25", "67.215.95.26", "67.215.95.27", "67.215.70.40", "67.215.70.42", "67.215.70.126", "146.112.62.105", "67.215.92.0/23", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::/0", "208.67.220.220", "208.67.220.222", "208.67.222.220", "208.67.222.222", "ocsp.int-x3.letsencrypt.org", "isrg.trustid.ocsp.identrust.com", "*.opendns.com", "*.umbrella.com", "*.ultipro.com", "*.ultiproworkplace.com", "*.ultimatesoftware.com", "*.ultipro.ca", "*.ultiprotime.com", "*.ultiprorecruit.com", "*.ultipro-time-management.com" ], "failOpen": 1, "logLevel":"1"}
3. The "logLevel":"1" will be added to the SWGConfig.json file automatically after the next API sync.
4. Each step performed by the AnyConnect SWG module is then logged in detail in the Cisco AnyConnect Umbrella Roaming Security Module log, which can be viewed via the Windows Event Viewer. For example:
BRIDGE | Thread 1d18 | Connection : Resolved IP from 'swg-url-proxy-https.sigproxy.qq.opendns.com' is 146.112.57.199
THREAD | Thread 1d18 | SetGUID '959bfe4d6fba87a65b433321c6748d761d9492cb'
LISTEN | Thread 1d18 | Connection : Hostnames from KDF are login.live.com
Alternatively, on macOS the debug logging can be viewed with this command:
log show --predicate 'subsystem contains "com.cisco.anyconnect.swg" || senderImagePath endswith "acswgagent"' --debug --info --last 2d
These files will be included in the Cisco AnyConnect DART file. Since the max debug logging generates verbose logs, make sure an appropriate size has been configured for the Umbrella Roaming Security Module log in the Windows Event Viewer, especially when troubleshooting an intermittent issue.
5. Delete or rename the swg_org_config.flag file to disable the max debug logging once troubleshooting has been completed so it doesn’t continue to generate so many logs.
Notes
- The configuration in the SWGConfig.json file is case sensitive: it has to be "logLevel":"1". The value of "logLevel" is the string 1 rather than an integer, so it has to be written as "1" with double quotes.
- The file extension of "swg_org_config.flag" has to be .flag. In particular, make sure it is not saved as a .txt file on Windows.
- The max debug logging will generate sophisticated logs; please only enable it when requested by the escalation engineers.
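Steps 1 and 2 and the checks from the notes above, as an added Python example (not Cisco's own tooling): build_flag copies "orgConfig" into swg_org_config.flag with "logLevel":"1", and check_flag reports the mistakes the notes warn about. It assumes "orgConfig" is a top-level key of SWGConfig.json; the function names and the sample configuration are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

FLAG_NAME = "swg_org_config.flag"  # file name given in the guide


def build_flag(swg_config: Path, data_dir: Path) -> Path:
    """Steps 1-2: copy "orgConfig" into the flag file and add "logLevel":"1"."""
    # Assumption: "orgConfig" is a top-level key of SWGConfig.json.
    org = json.loads(swg_config.read_text(encoding="utf-8"))["orgConfig"]
    org["logLevel"] = "1"  # must be the string "1", not the integer 1
    flag = data_dir / FLAG_NAME
    flag.write_text(json.dumps(org, indent=2), encoding="utf-8")
    return flag


def check_flag(flag: Path) -> list:
    """Return the mistakes the notes warn about; an empty list means none."""
    problems = []
    if flag.name != FLAG_NAME:  # catches e.g. swg_org_config.flag.txt
        problems.append(f"file name is {flag.name!r}, expected {FLAG_NAME!r}")
    try:
        org = json.loads(flag.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return problems + [f"cannot read JSON: {exc}"]
    if not isinstance(org, dict):
        return problems + ["top level is not a JSON object"]
    for key in org:
        if key.lower() == "loglevel" and key != "logLevel":
            problems.append(f"key {key!r} has the wrong case")
    value = org.get("logLevel")
    if "logLevel" not in org:
        problems.append('"logLevel" is missing')
    elif value != "1":
        problems.append(f'"logLevel" is {value!r}, expected the string "1"')
    return problems


def demo() -> list:
    """Run both helpers on a constructed SWGConfig.json in a temp folder."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "SWGConfig.json"
        sample = {"orgConfig": {"exceptionList": ["www.example.com"], "failOpen": 1}}
        cfg.write_text(json.dumps(sample), encoding="utf-8")
        return check_flag(build_flag(cfg, Path(tmp)))


if __name__ == "__main__":
    print(demo() or "flag file OK")
```

To use it on a real machine, pass the SWGConfig.json path and the umbrella data folder listed above to build_flag; writing to those folders normally requires administrator rights.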