Configure ZTNA Logging for Troubleshooting

Introduction

This document describes how to collect detailed ZTA troubleshooting logs and when to enable step by step.

Background Information

As organizations increasingly adopt Zero Trust Architecture (ZTA) to secure users, devices, and applications, troubleshooting connectivity and policy enforcement issues have become more complex. Unlike traditional perimeter-based models, ZTA relies on multiple real-time decisions across identity, device posture, network context, and cloud-based policy engines. When issues arise, high-level logs are often insufficient to pinpoint the root cause.

Collecting detailed ZTA level tracing plays a critical role in gaining deep visibility into client behavior, policy evaluation, traffic interception, and cloud service interactions. These traces enable engineers to move beyond symptom based troubleshooting and analyze the exact sequence of events leading to access failures, performance degradation, or unexpected policy outcomes. 

Collecting Logs

Pre-Checks Before Opening a TAC Case

These pre-checks help the TAC team identify the issue more efficiently. Providing this information to the engineers assists them in resolving your problem as quickly as possible:

• What is the issue, and how many users are affected?

• Which OS and versions are impacted?

• Is the issue consistent or intermittent? If intermittent, is it user-specific or widespread?

• Did the issue start after a change, or has it been present since deployment?

• Are there any known triggers?

• Is there a workaround available?

Logs to Collect

• DART bundle

• ZTNA Debug Trace mode logs

• Wireshark capture (all interfaces, including loopback)

• Error messages observed

• Timestamps of the issue

• CSC ZTA module status screenshot

• Username of the affected user

The next sections explain how to enable and collect each of these logs in detail.

Enable ZTNA Debug Trace Mode

Create a file named logconfig.json with these details below:

{ "global": "DBG_TRACE" }

After creating the file, place it in the appropriate location based on the operating system:

• Windows: C:\ProgramData\Cisco\Cisco Secure Client\ZTA

• macOS:/opt/cisco/secureclient/zta

Increase ZTA Log Size in Event Viewer

Windows

• Use Windows + R to open the Run Search write services.msc and press enter.
• Locate the service Cisco Secure Client - Zero trust Access Agent and click Restart. Once its done, verify the CSC ZTA module status to confirm it is active.

MacOS

Stop Service.

sudo "/opt/cisco/secureclient/zta/bin/Cisco Secure Client - Zero Trust Access.app/Contents/MacOS/Cisco Secure Client - Zero Trust Access" uninstall

Start Service.

open -a "/opt/cisco/secureclient/zta/bin/Cisco Secure Client - Zero Trust Access.app"

Enable KDF Logging, Packet Capture, Duo Debug Mode and Dart Bundle

Windows 

Open a CMD with admin privileges and run the next command:

"%ProgramFiles(x86)%\Cisco\Cisco Secure Client\acsocktool.exe" -sdf 0x400080152

• Download DebugView from SysInternal to capture the KDF log.
• Run DebugViewas administratorand enable the next menu options:
• Click Capture.
  • Checkmark Capture Kernel.
  • Checkmark  Enable Verbose Kernel Output.
• Options
  • Checkmark  Clock Time.
  • Checkmark Show Milliseconds.

• Restart the client service via admin prompt:

net stop csc_vpnagent && net start csc_vpnagent

• If net stop csc_vpnagent && net start csc_vpnagentdoes not work, restart Cisco Secure Clientservice from services.msc.

• Enable Duo in Debug mode 

• Start Wireshark Capture.

• Select all the interfaces, and start the packet capture.

• Reproduce the issue, and save KDF LogsandWireshark Capturethen follow the steps to capture DART Bundle.
• Open the Cisco Secure Client Diagnostics & Reporting Tool (DART)with administrator privileges.

• ClickCustom.
  • Include System Information Extensiveand Network Connectivity Test.

• To stop the KDF logging on Windows, use the next command: 

"%ProgramFiles(x86)%\Cisco\Cisco Secure Client\acsocktool.exe" -cdf

Windows Powershell Commands to Enable and Disable, It must be Run as Administrator:

#Enable ZTNA Logs
New-Item -Path "C:\ProgramData\Cisco\Cisco Secure Client\ZTA\logconfig.json" -ItemType "file" -Value '{"global" : "DBG_TRACE"}'
Limit-EventLog -LogName "Cisco Secure Client - Zero Trust Access" -MaximumSize 2240000KB
& "C:\Program Files (x86)\Cisco\Cisco Secure Client\acsocktool.exe" -sdf 0x400080152
Restart-Service csc_vpnagent
Restart-Service csc_zta_agent

#Disable ZTNA Logs
Remove-Item -Path "C:\ProgramData\Cisco\Cisco Secure Client\ZTA\logconfig.json" 
Limit-EventLog -LogName "Cisco Secure Client - Zero Trust Access" -MaximumSize 6400KB
& "C:\Program Files (x86)\Cisco\Cisco Secure Client\acsocktool.exe" -cdf 0x400080152
Restart-Service csc_vpnagent
Restart-Service csc_zta_agent

MacOS

Open terminal and follow the next command chain to enable KDF Logging on MacOS:

• Stop Service.

sudo "/opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app/Contents/MacOS/Cisco Secure Client - AnyConnect VPN Service" uninstall

• Enable Flag.

echo debug=0x400080152 | sudo tee /opt/cisco/secureclient/kdf/acsock.cfg

• Start Service.

open -a "/opt/cisco/secureclient/bin/Cisco Secure Client - AnyConnect VPN Service.app"

• Enable Duo in Debug mode.

• Start Wireshark Capture.

• Select all the interfaces, and start the packet capture.

• Reproduce the issue, and save KDF LogsandWireshark Capturethen follow the steps to capture DART Bundle.
• Open the Cisco Secure Client - DART.

• Checkmark the next options:
  • Include Legacy - Cisco AnyConnect Secure Mobility Client Logs.
  • Include System Logs.
• Click Run.

Related Information

• Cisco Technical Support & Downloads
• Cisco Secure Access Help Center
• Cisco SASE Design Guide
• Collecting KDF Logs for Secure Client on Windows and MacOS

Revision History

Revision	Publish Date	Comments
2.0	30-Mar-2026	Updated Alt Text, and Formatting.
1.0	31-Dec-2025	Initial Release