Cisco Anyconnect SWG: How to enable the max debug logging.

Overview

 This guide explains the steps to enable the max debug logging of the Cisco Anyconnect SWG module.  It's useful to enable the max debug logging of Anyconnect SWG module to fully understand the details of each step performed by the SWG module when troubleshooting the issue of SWG module like website access issue or which connection is getting intercepted etc.

Steps

By default, the max debug logging is not enabled and also not a configurable option via the Umbrella dashboard or ASA side. To enable this, need to manually add "logLevel":"1" to the "orgConfig" object of SWGConfig.json. 

Location of SWGConfig.json

On Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\SWG

On MacOS: /opt/cisco/anyconnect/umbrella/swg

However the modified SWGConfig.json file will only last for around 1 hour till the next API sync performed by the Cisco Anyconnect Umbrella module. In order to make this max debug logging configuration persistent without been overwritten by the API sync, we could use a swg_org_config.flag file in the umbrella/data folder and here are the steps:

1. Create a new file named "swg_org_config.flag" in umbrella/data folder. The file extension has to be .flag.

On Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\data

On MacOS: /opt/cisco/anyconnect/umbrella/data

2. Copy the contents of the "orgConfig" object from SWGConfig.json file to "swg_org_config.flag" file and then append with  "logLevel":"1". For example:

{ "exceptionList": [ "www.example.com", "smh.com.au", "*.smh.com.au", "www.blue.com", "*.www.blue.com", "146.112.133.72", "146.112.133.73", "146.112.133.76", "146.112.193.40", "146.112.193.41", "146.112.193.85", "146.112.193.87", "146.112.193.88", "146.112.194.36", "146.112.194.37", "146.112.194.38", "146.112.194.39", "146.112.194.75", "146.112.194.77", "146.112.194.78", "146.112.194.80", "146.112.194.82", "146.112.194.83", "146.112.195.42", "146.112.195.43", "146.112.195.90", "146.112.195.92", "146.112.195.93", "146.112.196.36", "146.112.196.37", "146.112.196.75", "146.112.196.77", "146.112.196.78", "146.112.198.40", "146.112.198.41", "146.112.198.85", "146.112.198.87", "146.112.198.88", "146.112.200.40", "146.112.200.41", "146.112.200.85", "146.112.200.87", "146.112.200.88", "146.112.201.36", "146.112.201.37", "146.112.201.38", "146.112.201.39", "146.112.201.75", "146.112.201.77", "146.112.201.78", "146.112.201.80", "146.112.201.82", "146.112.201.83", "146.112.203.36", "146.112.203.37", "146.112.203.75", "146.112.203.77", "146.112.203.78", "146.112.211.32", "146.112.211.33", "146.112.211.34", "146.112.211.35", "146.112.211.36", "146.112.211.37", "146.112.211.64", "146.112.211.66", "146.112.211.67", "146.112.211.68", "146.112.211.70", "146.112.211.71", "146.112.211.72", "146.112.211.74", "146.112.211.75", "146.112.61.0/24", "204.194.237.151", "204.194.237.152", "204.194.237.154", "204.194.237.155", "204.194.237.156", "204.194.237.157", "204.194.237.159", "204.194.237.160", "204.194.237.161", "204.194.237.162", "204.194.237.164", "204.194.237.165", "204.194.237.166", "204.194.237.167", "204.194.237.169", "204.194.237.170", "204.194.237.249", "204.194.237.25", "204.194.237.250", "204.194.237.251", "204.194.237.252", "204.194.237.26", "204.194.237.29", "204.194.237.30", "204.194.237.34", "204.194.238.12", "204.194.238.136", "204.194.238.137", "204.194.238.139", "204.194.238.140", "204.194.238.141", "204.194.238.142", "204.194.238.144", "204.194.238.145", "204.194.238.146", "204.194.238.147", "204.194.238.149", "204.194.238.150", "204.194.238.151", "204.194.238.152", "204.194.238.154", "204.194.238.155", "204.194.238.156", "204.194.238.157", "204.194.238.159", "204.194.238.16", "204.194.238.160", "204.194.238.20", "204.194.238.236", "204.194.238.237", "204.194.238.248", "204.194.238.249", "204.194.238.25", "204.194.238.250", "204.194.238.26", "204.194.238.29", "204.194.239.141", "204.194.239.142", "204.194.239.144", "204.194.239.145", "204.194.239.146", "204.194.239.147", "204.194.239.149", "204.194.239.150", "204.194.239.151", "204.194.239.152", "204.194.239.154", "204.194.239.155", "204.194.239.156", "204.194.239.157", "204.194.239.159", "204.194.239.16", "204.194.239.160", "204.194.239.20", "204.194.239.249", "204.194.239.25", "204.194.239.250", "204.194.239.251", "204.194.239.252", "204.194.239.26", "204.194.239.29", "208.67.216.151", "208.67.216.152", "208.67.216.154", "208.67.216.155", "208.67.216.156", "208.67.216.157", "208.67.216.159", "208.67.216.160", "208.67.216.25", "208.67.216.251", "208.67.216.252", "208.67.216.26", "208.67.216.29", "208.67.217.151", "208.67.217.152", "208.67.217.154", "208.67.217.155", "208.67.217.156", "208.67.217.157", "208.67.217.159", "208.67.217.160", "208.67.217.25", "208.67.217.251", "208.67.217.252", "208.67.217.26", "208.67.217.29", "208.67.217.30", "208.67.219.151", "208.67.219.152", "208.67.219.154", "208.67.219.155", "208.67.219.156", "208.67.219.157", "208.67.219.159", "208.67.219.160", "208.67.219.25", "208.67.219.251", "208.67.219.252", "208.67.219.26", "208.69.32.151", "208.69.32.152", "208.69.32.154", "208.69.32.155", "208.69.32.156", "208.69.32.157", "208.69.32.159", "208.69.32.160", "208.69.32.161", "208.69.32.162", "208.69.32.164", "208.69.32.165", "208.69.32.166", "208.69.32.167", "208.69.32.169", "208.69.32.170", "208.69.32.25", "208.69.32.250", "208.69.32.251", "208.69.32.252", "208.69.32.253", "208.69.32.26", "208.69.32.29", "208.69.32.30", "208.69.32.34", "208.69.33.151", "208.69.33.152", "208.69.33.154", "208.69.33.155", "208.69.33.156", "208.69.33.157", "208.69.33.159", "208.69.33.160", "208.69.33.25", "208.69.33.251", "208.69.33.252", "208.69.33.26", "208.69.33.29", "208.69.34.151", "208.69.34.152", "208.69.34.154", "208.69.34.155", "208.69.34.156", "208.69.34.157", "208.69.34.159", "208.69.34.160", "208.69.34.25", "208.69.34.251", "208.69.34.252", "208.69.34.26", "208.69.35.151", "208.69.35.152", "208.69.35.154", "208.69.35.155", "208.69.35.156", "208.69.35.157", "208.69.35.159", "208.69.35.160", "208.69.35.25", "208.69.35.251", "208.69.35.252", "208.69.35.26", "208.69.36.124", "208.69.36.125", "208.69.36.151", "208.69.36.152", "208.69.36.154", "208.69.36.155", "208.69.36.156", "208.69.36.157", "208.69.36.159", "208.69.36.160", "208.69.36.25", "208.69.36.26", "208.69.36.29", "208.69.36.30", "208.69.37.151", "208.69.37.152", "208.69.37.154", "208.69.37.155", "208.69.37.156", "208.69.37.157", "208.69.37.159", "208.69.37.160", "208.69.37.25", "208.69.37.251", "208.69.37.252", "208.69.37.26", "67.215.82.151", "67.215.82.152", "67.215.82.154", "67.215.82.155", "67.215.82.156", "67.215.82.157", "67.215.82.159", "67.215.82.160", "67.215.82.25", "67.215.82.251", "67.215.82.252", "67.215.82.26", "67.215.83.151", "67.215.83.152", "67.215.83.154", "67.215.83.155", "67.215.83.156", "67.215.83.157", "67.215.83.159", "67.215.83.160", "67.215.83.25", "67.215.83.251", "67.215.83.252", "67.215.83.26", "67.215.84.151", "67.215.84.152", "67.215.84.154", "67.215.84.155", "67.215.84.156", "67.215.84.157", "67.215.84.159", "67.215.84.160", "67.215.84.25", "67.215.84.251", "67.215.84.252", "67.215.84.26", "67.215.85.151", "67.215.85.152", "67.215.85.154", "67.215.85.155", "67.215.85.156", "67.215.85.157", "67.215.85.159", "67.215.85.160", "67.215.85.25", "67.215.85.251", "67.215.85.252", "67.215.85.26", "67.215.86.151", "67.215.86.152", "67.215.86.154", "67.215.86.155", "67.215.86.156", "67.215.86.157", "67.215.86.159", "67.215.86.160", "67.215.86.25", "67.215.86.251", "67.215.86.252", "67.215.86.26", "67.215.95.130", "67.215.95.131", "67.215.95.133", "67.215.95.146", "67.215.95.170", "67.215.95.171", "67.215.95.173", "67.215.95.186", "67.215.95.190", "67.215.95.191", "67.215.95.193", "67.215.95.194", "67.215.95.25", "67.215.95.26", "67.215.95.27", "67.215.70.40", "67.215.70.42", "67.215.70.126", "146.112.62.105", "67.215.92.0/23", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::/0", "208.67.220.220", "208.67.220.222", "208.67.222.220", "208.67.222.222", "ocsp.int-x3.letsencrypt.org", "isrg.trustid.ocsp.identrust.com", "*.opendns.com", "*.umbrella.com", "*.ultipro.com", "*.ultiproworkplace.com", "*.ultimatesoftware.com", "*.ultipro.ca", "*.ultiprotime.com", "*.ultiprorecruit.com", "*.ultipro-time-management.com" ], "failOpen": 1, "logLevel":"1"}

3. The "logLevel":"1" will be added into SWGConfig.json file automatically after the next API sync.

4. Detailed log of each step of Anyconnect SWG module will be logged in the Cisco Anyconnect Umbrella Roaming Security Module log which can be viewed via Windows Event Viewer. For example

BRIDGE | Thread 1d18 | Connection : Resolved IP from 'swg-url-proxy-https.sigproxy.qq.opendns.com' is 146.112.57.199

THREAD | Thread 1d18 | SetGUID '959bfe4d6fba87a65b433321c6748d761d9492cb'

LISTEN | Thread 1d18 | Connection : Hostnames from KDF are login.live.com

Alternatively, on Mac OSX the debug logging can be viewed with this command:

  log show --predicate 'subsystem contains "com.cisco.anyconnect.swg" || senderImagePath endswith "acswgagent"' --debug --info --last 2d

These file will be included in the Cisco Anyconnect DART file. Since the max debug logging will generate verbose logs, please make sure the appropriate size of the Umbrella Roaming Security Module log has been configured in the Windows event viewer, especially troubleshooting the intermittent issue.

5. Delete or rename the swg_org_config.flag file to disable the max debug logging once troubleshooting has been completed so it doesn’t continue to generate so many logs.  

Notes

1. The configuration of SWGConfig.json file is case sensitive, it has to be "logLevel":"1".   The value of "logLevel" is a string 1 instead of an integer, therefore it has to be "1" with double-quotes.
2.  The file extension of "swg_org_config.flag" has to be .flag, especially make sure it is not a .txt file in the Windows.
3. The max debug logging will generate sophisticated logs, please only enable it while requested by the escalation engineers.