Hi, Im running StealthWatch 7.0.2, my collector is getting data from FlowSensor and from ASA, I have also ISE-PIC, everything is working except Endpoint Concentrator, which is also sending data to collector(I have verified via tcpdump), but data are not shown in SMC.
When I login to Java GUI I can see new exporter with no errors, but with zero received flows.
Any suggestions please ?
Have you consulted the Installation and Configuration Guide section on Troubleshooting the Endpoint Concentrator?
Here's what it recommends:
After the AnyConnect Agents and the Endpoint Concentrator have been configured, there are a few items that can be checked to determine if the system is operational. These steps may be used if it is determined that the system is not processing data as expected.
1. Validate that the Endpoint Concentrator is receiving flows from the AnyConnect Agents to the Collector.
Enable SSH access to the Endpoint Concentrator via the web admin page.
Configuration > Services – Check Enable SSH
2. SSH into the Endpoint Concentrator, run “docker ps”:
Validate that there are four entries that contain kafka, netflow-parser, zoo-keeper, and netflow-generator. Note that the Container IDs and Image ver-sions will differ.
If not they are not running, restart the Services from the appliance.
3. Change Directories to “/lancope/var/logs/containers” and run “tail –f netflow-pars-er.log”. Verify in the Stats print out that the counts are not zero.
4. Now, run “tail –f netflow-generator.log”. Verify in the Stats print out that the counts are not zero. If the stats read as below, the Endpoint Concentrator is not producing Netflow.
5. Validate AnyConnect Agents can send data to the Endpoint Concentrator.
On one of the machines running the AnyConnect Agent, open a terminal or command prompt and run “ping <IPofEndpointConcentrator>”.
If there are response bytes, the Agent most likely can export to the Endpoint Concentrator.
The AnyConnect clients should be exporting nvzFlow to the endpoint concentrator. The endpoint concentrator will then convert the telemetry to digestible Netflow(IPFIX) and push the telemetry to the Flow Collector.
From your inquiry it sounds like the clients are shipping nvzFlow directly to the FC which is not supported.
Additionally, this solution requires that a Netflow enabled device sees a flow record of the conversation being generated in the AnyConnect session. The Netflow record from the AnyConnect session must also be sent to the same collector. Without the flow record, the flow collector's engine will have no way to associate the IPFIX telemetry and will drop the data.
If you have verified the above, I recommend reaching out to Stealthwatch support. You can open a case at the below link and also find the associated phone numbers to reach support :