Overview
This guide explains the steps to enable the max debug logging on the Cisco AnyConnect SWG module. It's useful to understand the details of each step performed by the SWG module when debugging issues like:
* Issue with Hotspots via Captive Portal
* External Domain Bypass List is not taking effect
* Intermittent DNS or Web performance issue
Steps to enable max debug logging on Windows and macOS for older versions of AnyConnect and Cisco Secure Client
If you are using the latest version of AnyConnect or Cisco Secure Client (CSC), skip this section and go to the steps for enabling debugging on CSC 5.0 MR3 and AC 4.10 MR8.
For AC 4.10 MR7, CSC 5.0 MR2, or older versions, follow the steps below.
By default, the max debug logging is not enabled. It is also NOT configurable via the Umbrella dashboard or ASA. To enable it, we need to manually add "logLevel": "1" to the "orgConfig" object of SWGConfig.json.
Location of SWGConfig.json
Windows(AnyConnect): C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\SWG\
Windows(Secure Client): C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\SWG\
MacOS(AnyConnect): /opt/cisco/anyconnect/umbrella/swg/
MacOS(Secure Client): /opt/cisco/secureclient/umbrella/swg
However, the modified SWGConfig.json file only lasts for a short period of time, until the next API sync is performed by the Cisco AnyConnect Umbrella module. To make the max debug logging configuration persistent so that it is not overwritten by the API sync, deploy a swg_org_config.flag file in the umbrella/data folder. Here are the steps:
1. Create a new file named "swg_org_config.flag" in the Umbrella data folder. The file extension must be .flag.
Windows(AnyConnect): C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\data\swg_org_config.flag
Windows(Secure Client): C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\data\swg_org_config.flag
MacOS(AnyConnect): /opt/cisco/anyconnect/umbrella/data/swg_org_config.flag
MacOS(Secure Client): /opt/cisco/secureclient/umbrella/data/swg_org_config.flag
2. Copy the contents of the "orgConfig" object from the SWGConfig.json file to the "swg_org_config.flag" file and then append "logLevel": "1". For example:
{ "exceptionList": [ "www.example.com", "smh.com.au", "*.smh.com.au", "www.blue.com", "*.www.blue.com", "146.112.133.72", "146.112.133.73", "146.112.133.76", "146.112.193.40", "146.112.193.41", "146.112.193.85", "146.112.193.87", "146.112.193.88", "146.112.194.36", "146.112.194.37", "146.112.194.38", "146.112.194.39", "146.112.194.75", "146.112.194.77", "146.112.194.78", "146.112.194.80", "146.112.194.82", "146.112.194.83", "146.112.195.42", "146.112.195.43", "146.112.195.90", "146.112.195.92", "146.112.195.93", "146.112.196.36", "146.112.196.37", "146.112.196.75", "146.112.196.77", "146.112.196.78", "146.112.198.40", "146.112.198.41", "146.112.198.85", "146.112.198.87", "146.112.198.88", "146.112.200.40", "146.112.200.41", "146.112.200.85", "146.112.200.87", "146.112.200.88", "146.112.201.36", "146.112.201.37", "146.112.201.38", "146.112.201.39", "146.112.201.75", "146.112.201.77", "146.112.201.78", "146.112.201.80", "146.112.201.82", "146.112.201.83", "146.112.203.36", "146.112.203.37", "146.112.203.75", "146.112.203.77", "146.112.203.78", "146.112.211.32", "146.112.211.33", "146.112.211.34", "146.112.211.35", "146.112.211.36", "146.112.211.37", "146.112.211.64", "146.112.211.66", "146.112.211.67", "146.112.211.68", "146.112.211.70", "146.112.211.71", "146.112.211.72", "146.112.211.74", "146.112.211.75", "146.112.61.0/24", "204.194.237.151", "204.194.237.152", "204.194.237.154", "204.194.237.155", "204.194.237.156", "204.194.237.157", "204.194.237.159", "204.194.237.160", "204.194.237.161", "204.194.237.162", "204.194.237.164", "204.194.237.165", "204.194.237.166", "204.194.237.167", "204.194.237.169", "204.194.237.170", "204.194.237.249", "204.194.237.25", "204.194.237.250", "204.194.237.251", "204.194.237.252", "204.194.237.26", "204.194.237.29", "204.194.237.30", "204.194.237.34", "204.194.238.12", "204.194.238.136", "204.194.238.137", "204.194.238.139", "204.194.238.140", "204.194.238.141", "204.194.238.142", "204.194.238.144", "204.194.238.145", 
"204.194.238.146", "204.194.238.147", "204.194.238.149", "204.194.238.150", "204.194.238.151", "204.194.238.152", "204.194.238.154", "204.194.238.155", "204.194.238.156", "204.194.238.157", "204.194.238.159", "204.194.238.16", "204.194.238.160", "204.194.238.20", "204.194.238.236", "204.194.238.237", "204.194.238.248", "204.194.238.249", "204.194.238.25", "204.194.238.250", "204.194.238.26", "204.194.238.29", "204.194.239.141", "204.194.239.142", "204.194.239.144", "204.194.239.145", "204.194.239.146", "204.194.239.147", "204.194.239.149", "204.194.239.150", "204.194.239.151", "204.194.239.152", "204.194.239.154", "204.194.239.155", "204.194.239.156", "204.194.239.157", "204.194.239.159", "204.194.239.16", "204.194.239.160", "204.194.239.20", "204.194.239.249", "204.194.239.25", "204.194.239.250", "204.194.239.251", "204.194.239.252", "204.194.239.26", "204.194.239.29", "208.67.216.151", "208.67.216.152", "208.67.216.154", "208.67.216.155", "208.67.216.156", "208.67.216.157", "208.67.216.159", "208.67.216.160", "208.67.216.25", "208.67.216.251", "208.67.216.252", "208.67.216.26", "208.67.216.29", "208.67.217.151", "208.67.217.152", "208.67.217.154", "208.67.217.155", "208.67.217.156", "208.67.217.157", "208.67.217.159", "208.67.217.160", "208.67.217.25", "208.67.217.251", "208.67.217.252", "208.67.217.26", "208.67.217.29", "208.67.217.30", "208.67.219.151", "208.67.219.152", "208.67.219.154", "208.67.219.155", "208.67.219.156", "208.67.219.157", "208.67.219.159", "208.67.219.160", "208.67.219.25", "208.67.219.251", "208.67.219.252", "208.67.219.26", "208.69.32.151", "208.69.32.152", "208.69.32.154", "208.69.32.155", "208.69.32.156", "208.69.32.157", "208.69.32.159", "208.69.32.160", "208.69.32.161", "208.69.32.162", "208.69.32.164", "208.69.32.165", "208.69.32.166", "208.69.32.167", "208.69.32.169", "208.69.32.170", "208.69.32.25", "208.69.32.250", "208.69.32.251", "208.69.32.252", "208.69.32.253", "208.69.32.26", "208.69.32.29", "208.69.32.30", "208.69.32.34", 
"208.69.33.151", "208.69.33.152", "208.69.33.154", "208.69.33.155", "208.69.33.156", "208.69.33.157", "208.69.33.159", "208.69.33.160", "208.69.33.25", "208.69.33.251", "208.69.33.252", "208.69.33.26", "208.69.33.29", "208.69.34.151", "208.69.34.152", "208.69.34.154", "208.69.34.155", "208.69.34.156", "208.69.34.157", "208.69.34.159", "208.69.34.160", "208.69.34.25", "208.69.34.251", "208.69.34.252", "208.69.34.26", "208.69.35.151", "208.69.35.152", "208.69.35.154", "208.69.35.155", "208.69.35.156", "208.69.35.157", "208.69.35.159", "208.69.35.160", "208.69.35.25", "208.69.35.251", "208.69.35.252", "208.69.35.26", "208.69.36.124", "208.69.36.125", "208.69.36.151", "208.69.36.152", "208.69.36.154", "208.69.36.155", "208.69.36.156", "208.69.36.157", "208.69.36.159", "208.69.36.160", "208.69.36.25", "208.69.36.26", "208.69.36.29", "208.69.36.30", "208.69.37.151", "208.69.37.152", "208.69.37.154", "208.69.37.155", "208.69.37.156", "208.69.37.157", "208.69.37.159", "208.69.37.160", "208.69.37.25", "208.69.37.251", "208.69.37.252", "208.69.37.26", "67.215.82.151", "67.215.82.152", "67.215.82.154", "67.215.82.155", "67.215.82.156", "67.215.82.157", "67.215.82.159", "67.215.82.160", "67.215.82.25", "67.215.82.251", "67.215.82.252", "67.215.82.26", "67.215.83.151", "67.215.83.152", "67.215.83.154", "67.215.83.155", "67.215.83.156", "67.215.83.157", "67.215.83.159", "67.215.83.160", "67.215.83.25", "67.215.83.251", "67.215.83.252", "67.215.83.26", "67.215.84.151", "67.215.84.152", "67.215.84.154", "67.215.84.155", "67.215.84.156", "67.215.84.157", "67.215.84.159", "67.215.84.160", "67.215.84.25", "67.215.84.251", "67.215.84.252", "67.215.84.26", "67.215.85.151", "67.215.85.152", "67.215.85.154", "67.215.85.155", "67.215.85.156", "67.215.85.157", "67.215.85.159", "67.215.85.160", "67.215.85.25", "67.215.85.251", "67.215.85.252", "67.215.85.26", "67.215.86.151", "67.215.86.152", "67.215.86.154", "67.215.86.155", "67.215.86.156", "67.215.86.157", "67.215.86.159", 
"67.215.86.160", "67.215.86.25", "67.215.86.251", "67.215.86.252", "67.215.86.26", "67.215.95.130", "67.215.95.131", "67.215.95.133", "67.215.95.146", "67.215.95.170", "67.215.95.171", "67.215.95.173", "67.215.95.186", "67.215.95.190", "67.215.95.191", "67.215.95.193", "67.215.95.194", "67.215.95.25", "67.215.95.26", "67.215.95.27", "67.215.70.40", "67.215.70.42", "67.215.70.126", "146.112.62.105", "67.215.92.0/23", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::/0", "208.67.220.220", "208.67.220.222", "208.67.222.220", "208.67.222.222", "ocsp.int-x3.letsencrypt.org", "isrg.trustid.ocsp.identrust.com", "*.opendns.com", "*.umbrella.com", "*.ultipro.com", "*.ultiproworkplace.com", "*.ultimatesoftware.com", "*.ultipro.ca", "*.ultiprotime.com", "*.ultiprorecruit.com", "*.ultipro-time-management.com" ], "failOpen": 1, "logLevel": "1", "swgAnycast": "146.112.255.50", "swgDomain": "swg-url-proxy-https.sigproxy.qq.opendns.com", "swgEchoService": "http://www.msftconnecttest.com/connecttest.txt" }
Please note that a misconfigured flag file can break the capture of the SWG debug logs and can also stop SWG from functioning as expected. Pay attention while copying lines from SWGConfig.json and pasting them into the swg_org_config.flag file. Do not copy or paste extra lines before or after.
The flag file always starts with { "exceptionList": [ "www.example.com", ... ] and always ends with "swgEchoService": "http://www.msftconnecttest.com/connecttest.txt" }
Examples of an incorrect and a correct configuration:
INCORRECT: the file contains identity, deviceId, adUserID, and similar fields, because lines before { "exceptionList" were copied and pasted.
CORRECT: the flag file starts with { "exceptionList":
3. Restart the Cisco AnyConnect Secure Mobility Agent/Secure Client service, reboot the machine, or connect and disconnect the VPN.
Then verify in SWGConfig.json that the SWG max debug log level is indeed set. After the VPN connect/disconnect, the file should show "logLevel":"1".
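The copy-and-append step and the INCORRECT/CORRECT rule above can be checked before the file is deployed. The following is an added example, not Cisco code: the function names and the sample input are hypothetical, and the top-level layout of SWGConfig.json (an "orgConfig" object next to identity fields) is an assumption based on the description above.

```python
import json

# Fields the page names as wrong in a flag file: they sit outside orgConfig.
OUTSIDE_ORGCONFIG = {"identity", "deviceId", "adUserID"}

# Constructed sample; the top-level layout of SWGConfig.json is an assumption.
SAMPLE_SWG_CONFIG = json.dumps({
    "identity": {"deviceId": "PLACEHOLDER", "adUserID": "PLACEHOLDER"},
    "orgConfig": {
        "exceptionList": ["www.example.com", "10.0.0.0/8"],
        "failOpen": 1,
        "swgAnycast": "146.112.255.50",
        "swgDomain": "swg-url-proxy-https.sigproxy.qq.opendns.com",
        "swgEchoService": "http://www.msftconnecttest.com/connecttest.txt",
    },
})


def build_flag(swg_config_text):
    """Return flag-file text: the orgConfig object with "logLevel": "1" added."""
    org = dict(json.loads(swg_config_text)["orgConfig"])
    org["logLevel"] = "1"  # must be the string "1", not the integer 1
    # sort_keys reproduces the key order of the page's example file.
    return json.dumps(org, indent=2, sort_keys=True)


def check_flag(flag_text):
    """Return a list of problems; an empty list means the content looks sane."""
    try:
        obj = json.loads(flag_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(obj, dict):
        return ["top level is not a JSON object"]
    problems = []
    if not isinstance(obj.get("exceptionList"), list):
        problems.append('"exceptionList" array is missing at the top level')
    for key in sorted(OUTSIDE_ORGCONFIG & obj.keys()):
        problems.append(f'"{key}" was copied from outside orgConfig')
    if "logLevel" not in obj:
        problems.append('"logLevel" key is missing (the name is case sensitive)')
    elif obj["logLevel"] != "1":
        problems.append('"logLevel" must be the string "1"')
    return problems


if __name__ == "__main__":
    flag = build_flag(SAMPLE_SWG_CONFIG)
    print(flag, check_flag(flag) or "flag content OK", sep="\n")
```

Running `check_flag` on the text of an existing swg_org_config.flag reports a pasted identity block, a wrong-case key, or an integer log level before the agent is restarted.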
Verify and provide max debug logs to Umbrella support
On Windows systems, open Windows Event Viewer. If you see log lines similar to the ones below, max debug logging has been enabled successfully.
Example 1:
BRIDGE | Thread 1d18 | Connection : Resolved IP from 'swg-url-proxy-https.sigproxy.qq.opendns.com' is 146.112.57.199
THREAD | Thread 1d18 | SetGUID '959bfe4d6fba87a65b433321c6748d761d9492cb'
Example 2: Any web request being proxied is logged. Web requests that bypass AnyConnect SWG as per the Internal / External Domain List are not logged.
LISTEN | Thread 1d18 | Connection : Hostnames from KDF are login.live.com
Tip: Use the PowerShell command below to convert max debug event logs (.evtx) into a text file:
C:\> Get-WinEvent -Path C:\Desktop\Umbrella.evtx | Format-Table -AutoSize | Out-File C:\Desktop\Umbrella.txt -append -width 750
On macOS, the debug logging can be viewed with the command below (you can grep the output or write it to a text file). Below is an example from when a user browses purple.com while max debug logging is enabled:
AnyConnect
>log show --predicate 'subsystem contains "com.cisco.anyconnect.swg" || senderImagePath endswith "acswgagent"' --debug --info --last 2d | grep -i purple
2022-09-19 10:51:15.627229+1000 0x16b121 Default 0x0 98970 0 acswgagent: Connection : Hostnames from KDF are purple.com.
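Because only proxied requests produce a "Hostnames from KDF" line, the exported logs can be compared against the bypass list to see whether an entry is taking effect. The following is an added example, not Cisco tooling: the function names are hypothetical, the sample log is constructed from the line formats shown above, and both the wildcard rule ("*.example.com" covers subdomains only) and the separator between multiple hostnames are assumptions.

```python
import re

# Matches the "Hostnames from KDF are ..." debug line in both the Windows
# event-log export and the macOS `log show` output quoted on this page.
KDF_LINE = re.compile(r"Hostnames from KDF are\s+(.+?)\s*$")

# Constructed sample built from the log line formats shown on this page.
SAMPLE_LOG = """\
BRIDGE | Thread 1d18 | Connection : Resolved IP from 'swg-url-proxy-https.sigproxy.qq.opendns.com' is 146.112.57.199
LISTEN | Thread 1d18 | Connection : Hostnames from KDF are login.live.com
2022-09-19 10:51:15.627229+1000 0x16b121 Default 0x0 98970 0 acswgagent: Connection : Hostnames from KDF are purple.com.
LISTEN | Thread 1d18 | Connection : Hostnames from KDF are news.smh.com.au
"""


def proxied_hostnames(log_text):
    """Return the set of hostnames the SWG agent logged as proxied."""
    hosts = set()
    for line in log_text.splitlines():
        match = KDF_LINE.search(line)
        if match:
            # Assumption: several names, if present, are comma/space separated.
            for name in re.split(r"[,\s]+", match.group(1)):
                name = name.rstrip(".").lower()
                if name:
                    hosts.add(name)
    return hosts


def matches_entry(host, entry):
    """Assumed matching rule: "*.example.com" covers subdomains only."""
    entry = entry.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])
    return host == entry


def proxied_despite_bypass(log_text, exception_list):
    """Hostnames that were proxied although a bypass entry names them."""
    return sorted(h for h in proxied_hostnames(log_text)
                  if any(matches_entry(h, e) for e in exception_list))


if __name__ == "__main__":
    bypass = ["www.example.com", "smh.com.au", "*.smh.com.au"]
    print(proxied_despite_bypass(SAMPLE_LOG, bypass))
```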
The max debug logs are included in the Cisco AnyConnect DART Bundle. Once you have verified that max debug logging is enabled successfully, please recreate the issue, record the timestamp, experience, and domain in question, and send them along with the Cisco AnyConnect DART Bundle.
Additional:
Since max debug logging generates verbose logs, please make sure an appropriate size for the Umbrella Roaming Security Module log has been configured in the Windows Event Viewer, especially when troubleshooting an intermittent issue.
Delete or rename the swg_org_config.flag file to disable max debug logging once troubleshooting has been completed, so that it doesn't continue to generate verbose logs.
Steps to enable max debug logging on Windows and macOS starting from CSC 5.0 MR3 and AC 4.10 MR8
Summary
There is now a simpler way to enable debug-level logging on the SWG module, starting from 5.0 MR3 and 4.10 MR8 (MR8 is not released yet, though).
What has changed?
1. You only have to copy the SWGConfigOverride.json file (with static content) into the SWG folder to enable debug logging.
2. There is no need to copy the contents of orgConfig from SWGConfig.json and modify them, which makes this less error prone. The contents of this file do not change from org to org either.
3. There is no need to rely on the DNS module to perform a config sync and read from the flag file to update the contents of SWGConfig.json. With this new process, SWGConfig.json remains untouched and the dependency on the DNS module is removed.
How to enable SWG Debug logging starting from AC 4.10 MR8 and CSC 5.0 MR3
Starting from AnyConnect 4.10 MR8 (yet to be released) and CSC 5.0 MR3, you no longer need to follow the process mentioned earlier to enable debug logging. You can now enable debug logging by copying a SWGConfigOverride.json file into the SWG folder.
Location of SWG folder:
Windows(AnyConnect): C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\SWG\
Windows(Secure Client): C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\SWG\
MacOS(AnyConnect): /opt/cisco/anyconnect/umbrella/swg/
MacOS(Secure Client): /opt/cisco/secureclient/umbrella/swg
The contents of SWGConfigOverride.json need to be
{"logLevel": "1"}
in order to enable debug logging.
The config value in SWGConfigOverride.json will take precedence over the value (if present) in SWGConfig.json.
SWGConfigOverride.json can contain and override only two configs: logLevel (to enable/disable debug logging) and autotuning (to enable/disable send buffer autotuning).
If both need to be enabled, the content of SWGConfigOverride.json will be
{"logLevel": "1", "autotuning": "1"}
After the override file is copied, you need to restart the SWG service (or Umbrella service), or restart the system itself.
Method to enable debug logging on macOS:
- Copy SWGConfigOverride.json to SWG folder.
- Stop and start AnyConnect/Cisco Secure Client agent using the steps mentioned here
Method to enable debug logging on Windows:
- Copy SWGConfigOverride.json to SWG folder.
- Restart, or stop and start, the Secure Web Gateway service (acswgagent in 4.10.x builds / csc_swgagent in 5.x builds) via the Services MMC snap-in (Start > Run > Services.msc).
NOTE: The older method of enabling debug logging is still supported and can still be followed, and is the only option for clients older than 5.0 MR3 or 4.10 MR8.
- The configuration of the SWGConfig.json file is case sensitive. It has to be "logLevel": "1". The value of "logLevel" is a string rather than an integer, therefore it has to be "1" with double quotes.
- The file extension of "swg_org_config.flag" has to be .flag; make sure it is not a .txt file.
- The max debug logging will generate extremely detailed logs. Please enable this setting only if requested by an Umbrella Support engineer.
- "swg_org_config.flag" contains a list of static bypassed domains and it will not sync with External Domains listed on Dashboard > Deployments > Domain Management.