ASA 9.4.2 (which has Lua 5.0.2), AnyConnect 4.0 on iOS

On the internets, I haven't been able to locate a list of Lua functions available for use with Dynamic Access Policies (DAP) on Cisco's ASA firewall. So I decided to just use Lua running on the ASA to tell me what functions and variables are in global scope. Not quite as good as documentation, but it works for now.

To set it up it, open ASDM and

  • Go to Configuration > Remote Access VPN > Dynamic Access Policies
  • Add
  • Policy Name: list_globals
  • Description: prints a list of Lua globals to the ASA CLI
  • ACL Priority: 50 (or whatever priority you want to assign)
  • User had ALL of the following AAA Attribute values...
  • Add (AAA attribute)
  • AAA Attribute Type: Cisco
  • Username: rchapmandap (replace with the username you use to sign into AnyConnect)
  • OK
  • Click Advanced below the AAA Attributes
  • Paste in this code:
      for k,v in pairs(_G) do
        msg = "k=" .. print_value(k) .. ", v="
        if (type(v) == "function" or type(v) == "table") then
          msg = msg .. tostring(v)
        elseif (type(v) == "string" or type(v) == "number") then
          msg = msg .. v
        elseif (type(v) == "boolean") then
          if (v) then
            msg = msg .. "true"
            msg = msg .. "false"
        msg = msg .. " (" .. type(v) .. ")\n"
      return true
  • For Action, make sure Continue is selected

Now that you have it set up, just need to turn dap tracing on in the CLI and log into AnyConnect one time

  • Log into the ASA CLI
  • Enable dap trace debugging
    fw1/pri/act# debug dap trace
    debug dap trace enabled at level 1
  • Open AnyConnect VPN Client on a device and log in to the VPN so that the DAP rules fire once. Log in make take longer than normal as the DAP trace logs to the CLI.

In the ASA CLI, you'll see something like this:

fw1/pri/act# DAP_TRACE: DAP_open: New DAP Request: A4
DAP_TRACE: Username: rchapmandap, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: rchapmandap, DAP_add_AC:
endpoint.anyconnect.clientversion = "4.0.03016";
endpoint.anyconnect.platform = "apple-ios";
endpoint.anyconnect.devicetype = "iPhone7,2";
endpoint.anyconnect.platformversion = "9.0.2";
endpoint.anyconnect.deviceuniqueid = "XXXXXXXXXXXXXXXXXXXXXXXXXXXX";
endpoint.anyconnect.phoneid = "UNKNOWN:unknown";
endpoint.anyconnect.macaddress["0"] = "unknown";
endpoint.anyconnect.useragent = "AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.0.03016";

DAP_TRACE: aaa.radius["18"]["1"] = "debug_print"
DAP_TRACE: aaa.radius["25"]["1"] = "OU=Test_VPN;"
DAP_TRACE: aaa["cisco"]["grouppolicy"] = "Test_VPN"
DAP_TRACE: aaa["cisco"]["class"] = "Test_VPN"
DAP_TRACE: aaa["cisco"]["username"] = "rchapmandap"
DAP_TRACE: aaa["cisco"]["username1"] = "rchapmandap"
DAP_TRACE: aaa["cisco"]["username2"] = ""
DAP_TRACE: aaa["cisco"]["tunnelgroup"] = "SplitTunnel"
DAP_TRACE: aaa["cisco"]["sceprequired"] = "false"
DAP_TRACE: endpoint["application"]["clienttype"] = "AnyConnect"
DAP_TRACE: endpoint.anyconnect.clientversion  = "4.0.03016"
DAP_TRACE: endpoint.anyconnect.platform  = "apple-ios"
DAP_TRACE: endpoint.anyconnect.devicetype  = "iPhone7,2"
DAP_TRACE: endpoint.anyconnect.platformversion  = "9.0.2"
DAP_TRACE: endpoint.anyconnect.deviceuniqueid  = "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
DAP_TRACE: endpoint.anyconnect.phoneid  = "UNKNOWN:unknown"
DAP_TRACE: endpoint.anyconnect.macaddress["0"]  = "unknown"
DAP_TRACE: endpoint.anyconnect.useragent  = "AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.0.03016"
DAP_TRACE: ============
DAP_TRACE: k=EVAL, v=function: 0x00007fffc7c31cb0 (function)
DAP_TRACE: k=tostring, v=function: 0x00007fffc5b9f8c0 (function)
DAP_TRACE: k=gcinfo, v=function: 0x00007fffc5ba03b0 (function)
DAP_TRACE: k=InCommaList, v=function: 0x00007fffc6019f20 (function)
DAP_TRACE: k=os, v=table: 0x00007fffc5ba1480 (table)
DAP_TRACE: k=dap_records, v=table: 0x00007fffac3b0210 (table)
DAP_TRACE: k=smart_table, v=function: 0x00007fffac3b28c0 (function)
DAP_TRACE: k=eval_LT, v=function: 0x00007fffc601b800 (function)
DAP_TRACE: k=getfenv, v=function: 0x00007fffc5b9f310 (function)
DAP_TRACE: k=p, v=Test_VPN (string)
DAP_TRACE: k=pairs, v=function: 0x00007fffc5b9f650 (function)
DAP_TRACE: k=_TRACEBACK, v=function: 0x00007fffc5ba6e60 (function)
DAP_TRACE: k=assert, v=function: 0x00007fffc5b9fa60 (function)
DAP_TRACE: k=eval_NE, v=function: 0x00007fffc5723950 (function)
DAP_TRACE: k=tonumber, v=function: 0x00007fffc5b9f7f0 (function)
DAP_TRACE: k=print_dap_trees, v=function: 0x00007fffc5627ec0 (function)
DAP_TRACE: k=io, v=table: 0x00007fffc5ba2c90 (table)
DAP_TRACE: k=count, v=1 (number)
DAP_TRACE: k=escape_string, v=function: 0x00007fffac6901d0 (function)
DAP_TRACE: k=lxp, v=table: 0x00007fffc5ba7900 (table)
DAP_TRACE: k=_LOADED, v=table: 0x00007fffc5ba1330 (table)
DAP_TRACE: k=_G, v=table: 0x00007fffc5a73950 (table)
DAP_TRACE: k=coroutine, v=table: 0x00007fffc5ba0d50 (table)
DAP_TRACE: k=install_name_value_pair, v=function: 0x00007fffac690240 (function)
DAP_TRACE: k=versionCompare, v=function: 0x00007fffc6019eb0 (function)
DAP_TRACE: k=eval_GT, v=function: 0x00007fffc5bbc810 (function)
DAP_TRACE: k=loadstring, v=function: 0x00007fffc5ba0620 (function)
DAP_TRACE: k=soap, v=table: 0x00007fffc5baec10 (table)
DAP_TRACE: k=CheckAndMsg, v=function: 0x00007fffb97f4140 (function)
DAP_TRACE: k=string, v=table: 0x00007fffc5ba47a0 (table)
DAP_TRACE: k=xpcall, v=function: 0x00007fffc5a73be0 (function)
DAP_TRACE: k=evaluate_dap_record, v=function: 0x00007fffb9223990 (function)
DAP_TRACE: k=_VERSION, v=Lua 5.0.2 (string)
DAP_TRACE: k=endpoint, v=table: 0x00007fffb973d760 (table)
DAP_TRACE: k=unpack, v=function: 0x00007fffc5b9fb30 (function)
DAP_TRACE: k=oper, v=table: 0x00007fffac68b840 (table)
DAP_TRACE: k=require, v=function: 0x00007fffc5ba06f0 (function)
DAP_TRACE: k=ret, v=true (boolean)
DAP_TRACE: k=install_endpoint_data, v=function: 0x00007fffc63e8350 (function)
DAP_TRACE: k=setmetatable, v=function: 0x00007fffc5b9f240 (function)
DAP_TRACE: k=next, v=function: 0x00007fffc5b9f4b0 (function)
DAP_TRACE: k=indent, v=function: 0x00007fffc646b290 (function)
DAP_TRACE: k=aaa, v=table: 0x00007fffb97f5530 (table)
DAP_TRACE: k=ipairs, v=function: 0x00007fffc5b9f580 (function)
DAP_TRACE: k=init_session_tables, v=function: 0x00007fffac3b3de0 (function)
DAP_TRACE: k=msg, v=k=init_session_tables, v=function: 0x00007fffac3b3de0 (function)
DAP_TRACE: k=rawequal, v=function: 0x00007fffc5b9fc00 (function)
DAP_TRACE: k=lua_dap_debug_trace, v=function: 0x00007fffc5baeda0 (function)
DAP_TRACE: k=collectgarbage, v=function: 0x00007fffc5ba02e0 (function)
DAP_TRACE: k=result, v=true (boolean)
DAP_TRACE: k=newproxy, v=function: 0x00007fffc5ba0c70 (function)
DAP_TRACE: k=matchcount, v=1 (number)
DAP_TRACE: k=eval_EQ, v=function: 0x00007fffac171d30 (function)
DAP_TRACE: k=print_table, v=function: 0x00007fffc6355300 (function)
DAP_TRACE: k=dap_names, v=table: 0x00007fffac3b0290 (table)
DAP_TRACE: k=dap_messages, v=table: 0x00007fffb9f8bb60 (table)
DAP_TRACE: k=eval_LE, v=function: 0x00007fffc5730180 (function)
DAP_TRACE: k=rawset, v=function: 0x00007fffc5a73a40 (function)
DAP_TRACE: k=EVALone, v=function: 0x00007fffc7c31c40 (function)
DAP_TRACE: k=_, v=1 (number)
DAP_TRACE: k=getmetatable, v=function: 0x00007fffc5b9f170 (function)
DAP_TRACE: k=callbacks, v=table: 0x00007fffac5f8400 (table)
DAP_TRACE: k=mt, v=table: 0x00007fffac5f5e80 (table)
DAP_TRACE: k=table, v=table: 0x00007fffc5ba5550 (table)
DAP_TRACE: k=pcall, v=function: 0x00007fffc5a73b10 (function)
DAP_TRACE: k=print_tree, v=function: 0x00007fffc5627e50 (function)
DAP_TRACE: k=DEBUG_DAP_TRACE, v=function: 0x00007fffc64fd1b0 (function)
DAP_TRACE: k=type, v=function: 0x00007fffc5b9f990 (function)
DAP_TRACE: k=print_value, v=function: 0x00007fffc6571520 (function)
DAP_TRACE: k=dump_lua, v=function: 0x00007fffc6525ae0 (function)
DAP_TRACE: k=get_selected_daps, v=function: 0x00007fffc6525a70 (function)
DAP_TRACE: k=eval_GE, v=function: 0x00007fffc64690c0 (function)
DAP_TRACE: k=dapxmlxlate, v=function: 0x00007fffac3b3e50 (function)
DAP_TRACE: k=rawget, v=function: 0x00007fffc5b9fcd0 (function)
DAP_TRACE: k=application, v=table: 0x00007fffbbff7210 (table)
DAP_TRACE: k=debug, v=table: 0x00007fffc5ba0900 (table)
DAP_TRACE: k=print, v=function: 0x00007fffc5b9f720 (function)
DAP_TRACE: k=setfenv, v=function: 0x00007fffc5b9f3e0 (function)
DAP_TRACE: k=sign, v=table: 0x00007fffac170bc0 (table)
DAP_TRACE: k=dofile, v=function: 0x00007fffc5ba0550 (function)
DAP_TRACE: k=error, v=function: 0x00007fffc5b9f0a0 (function)
DAP_TRACE: k=loadfile, v=function: 0x00007fffc5ba0480 (function)
DAP_TRACE: Username: rchapmandap, Selected DAPs: ,msg_Welcome,msg_tunnel_type,list_globals
DAP_TRACE: dap_process_selected_daps: selected 3 records
DAP_TRACE: Username: rchapmandap, dap_aggregate_attr: rec_count = 3
DAP_TRACE: Username: rchapmandap, DAP_close: A4

I'm sure there is more info to be found, but this is all I have time for now. If you find more, please share in the comments...