09-05-2019 12:49 PM
I have a situation in which I am trying to determine what process is generating periodic UDP NetBIOS traffic from several workstations destined to a non-DC server. This traffic is getting blocked by my firewall, so the traffic is only observed leaving the endpoint, i.e. no return traffic is received by the endpoint. I have the Endpoint Concentrator set up, and it is receiving flows from the endpoint - I can see process names for other flows, but not for this particular traffic. In fact, when filtering my search to only this traffic from my endpoint concentrator I do not see the flow at all. So it appears that the endpoint isn't sending a flow record for this traffic - could this be because the traffic is unidirectional? I would hope not, but I can't see any other explanation, since I do see flows from my endpoint concentrator for other traffic.
-Thanks
09-08-2019 12:07 AM
@dlucas is there any network device that is exporting network flows for that specific traffic before it gets blocked by the firewall?
09-09-2019 11:05 AM
09-09-2019 11:46 AM
09-09-2019 09:45 PM
The rules applied when flows are coming from NVM:
"The flows from an endpoint concentrator will be consumed and stitched only if they match with a related flow from a network device for the same conversation"; if they don't, they will be dropped.
"Flows from an NVM are only generated from an endpoint if it is the source of the traffic and only at the end of the session"
Applying these rules could explain the behavior you are seeing.
09-10-2019 05:58 AM
Thanks for the reply,
"The flows from an endpoint concentrator will be consumed and stitched only if they match with a related flow from a network device for the same conversation; if they don't they will be dropped."
I see the flows from other devices in my searches, so I know it's not because of this.
"Flows from an NVM are only generated from an endpoint if it is the source of the traffic and only at the end of the session"
According to the AnyConnect config guide, there is a setting that controls this behavior - I currently have this enabled and set to 60 seconds, so I should be receiving flow information at the beginning, every 60 seconds, and at the end of the session:
"Periodic Flow Reporting (Optional, applies to desktop only)—Click to enable periodic flow reporting. By default, NVM sends information about the flow at the end of connection (when this option is disabled). If you need periodic information on the flows even before they are closed, set an interval in seconds here. The value of 0 means the flow information is sent at the beginning and at the end of each flow. If the value is n, the flow information will be sent at the beginning, every n seconds, and at the end of each flow. Use this setting for tracking long-running connections, even before they are closed."
I am going to try setting the periodic interval to 0 and see if that makes a difference.
09-13-2019 11:56 AM
09-15-2019 10:19 PM
Hi dlucas,
It seems from your other post on the same subject that the traffic has been denied by the firewall; for all other flows that are not denied you can see the process. This is what I was trying to explain before: the endpoint flow has to have a related NetFlow record from the network. If the firewall has blocked it and no NetFlow record from the network is related to the same conversation, the endpoint flows will not be considered.
Regards
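The stitching rule quoted in the two replies above (an endpoint flow is kept only when a network exporter reported the same conversation), modelled as an added example that is not Cisco's code and not from this thread; the Flow fields, process names and addresses are constructed assumptions, and the key normalisation assumes the exporter may have seen only the reply direction:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    process: Optional[str] = None  # only NVM records carry a process name


def conversation_key(f: Flow) -> tuple:
    """Direction-independent key: request and reply of one conversation
    (source/destination swapped) map to the same key."""
    ends = sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)])
    return (f.proto, ends[0], ends[1])


def stitch(nvm_flows, network_flows):
    """Apply the rule quoted in the thread: keep an NVM flow only if a network
    exporter reported the same conversation; return (stitched, dropped).
    A stitched record is the network flow enriched with the NVM process name;
    dropped holds NVM flows that nothing on the network corroborated."""
    by_conv = {conversation_key(f): f for f in network_flows}
    stitched, dropped = [], []
    for ef in nvm_flows:
        nf = by_conv.get(conversation_key(ef))
        if nf is None:
            dropped.append(ef)  # e.g. blocked at the firewall before any exporter saw it
        else:
            stitched.append(Flow(nf.src_ip, nf.dst_ip, nf.proto,
                                 nf.src_port, nf.dst_port, ef.process))
    return stitched, dropped


# Constructed sample data (not real telemetry): one HTTPS flow a switch
# exported and one UDP/137 NetBIOS-NS datagram to a non-DC server that the
# firewall dropped, so no network device ever exported it.
NVM_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, "browser.exe"),
    Flow("10.0.0.5", "10.0.1.20", "udp", 137, 137, "unknown.exe"),
]
NETWORK_FLOWS = [
    # exporter saw only the reply direction; key normalisation still matches
    Flow("203.0.113.10", "10.0.0.5", "tcp", 443, 51000),
]
```

Running stitch(NVM_FLOWS, NETWORK_FLOWS) keeps the HTTPS flow with its process name and drops the NetBIOS flow, which is the behaviour the original poster observed; the dropped list is what you would want to log to see which endpoint flows lack network corroboration.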