hi,

VPN events:

jcoates-mba:Splunk_TA_cisco-asa jcoates$ pwd
/Users/jcoates/Downloads/Splunk_TA_cisco-asa
jcoates-mba:Splunk_TA_cisco-asa jcoates$ find . -name *.conf | xargs grep -in vpn
./default/props.conf:41:REPORT-vpn = cisco_fw_group, cisco_fw_user, cisco_fw_ip, cisco_fw_disconnect, cisco_fw_dap, cisco_fw_dap_2, cisco_fw_722
./default/props.conf:42:REPORT-vpn-2 = cisco_fw_authentication_action, cisco_fw_session_type, cisco_fw_assigned_ip, cisco_fw_user-identity
./default/props.conf:126:REPORT-vpn = cisco_fw_group, cisco_fw_user, cisco_fw_ip, cisco_fw_disconnect, cisco_fw_dap, cisco_fw_dap_2, cisco_fw_722
./default/props.conf:127:REPORT-vpn-2 = cisco_fw_authentication_action, cisco_fw_session_type, cisco_fw_assigned_ip, cisco_fw_user-identity
./default/transforms.conf:167:# VPN
jcoates-mba:Splunk_TA_cisco-asa jcoates$ 

CIM is looking for tag=network tag=session tag=vpn (http://docs.splunk.com/Documentation/CIM/4.0.0/User/NetworkSessions)

jcoates-mba:Splunk_TA_cisco-asa jcoates$ find . -name *.conf | xargs grep -in tag
./default/eventtypes.conf:3:#tags = authentication
./default/eventtypes.conf:7:#tags = network communicate
./default/eventtypes.conf:11:#tags = attack ids
jcoates-mba:Splunk_TA_cisco-asa jcoates$ cat default/tags.conf 
[eventtype=cisco_connection]
network = enabled
communicate = enabled

[eventtype=cisco_authentication]
authentication = enabled

[eventtype=cisco_intrusion]
attack = enabled
ids = enabled
jcoates-mba:Splunk_TA_cisco-asa jcoates$ 

This looks like it doesn't have VPN support. Can we get some details on the logs? Feel free to contact me offline, I'd like to get some specific samples.