Re: Stealthwatch SMC cant see data from Endpoint Concentrator

xtrikerpd · ‎08-16-2019

Hi, Im running StealthWatch 7.0.2, my collector is getting data from FlowSensor and from ASA, I have also ISE-PIC, everything is working except Endpoint Concentrator, which is also sending data to collector(I have verified via tcpdump), but data are not shown in SMC.

When I login to Java GUI I can see new exporter with no errors, but with zero received flows.

Any suggestions please ?

Marvin Rhoads · ‎08-20-2019

Have you consulted the Installation and Configuration Guide section on Troubleshooting the Endpoint Concentrator?

Here's what it recommends:

After the AnyConnect Agents and the Endpoint Concentrator have been configured, there are a few items that can be checked to determine if the system is operational. These steps may be used if it is determined that the system is not processing data as expected.
1. Validate that the Endpoint Concentrator is receiving flows from the AnyConnect Agents to the Collector.
l
Enable SSH access to the Endpoint Concentrator via the web admin page.
l
Configuration > Services – Check Enable SSH
2. SSH into the Endpoint Concentrator, run “docker ps”:
l
Validate that there are four entries that contain kafka, netflow-parser, zoo-keeper, and netflow-generator. Note that the Container IDs and Image ver-sions will differ.
l
If not they are not running, restart the Services from the appliance.
3. Change Directories to “/lancope/var/logs/containers” and run “tail –f netflow-pars-er.log”. Verify in the Stats print out that the counts are not zero.
4. Now, run “tail –f netflow-generator.log”. Verify in the Stats print out that the counts are not zero. If the stats read as below, the Endpoint Concentrator is not producing Netflow.
5. Validate AnyConnect Agents can send data to the Endpoint Concentrator.
l
On one of the machines running the AnyConnect Agent, open a terminal or command prompt and run “ping <IPofEndpointConcentrator>”.
l
If there are response bytes, the Agent most likely can export to the Endpoint Concentrator.

bmcinnis · ‎08-20-2019

The AnyConnect clients should be exporting nvzFlow to the endpoint concentrator. The endpoint concentrator will then convert the telemetry to digestible Netflow(IPFIX) and push the telemetry to the Flow Collector.

From your inquiry it sounds like the clients are shipping nvzFlow directly to the FC which is not supported.

Additionally, this solution requires that a Netflow enabled device sees a flow record of the conversation being generated in the AnyConnect session. The Netflow record from the AnyConnect session must also be sent to the same collector. Without the flow record, the flow collector's engine will have no way to associate the IPFIX telemetry and will drop the data.

If you have verified the above, I recommend reaching out to Stealthwatch support. You can open a case at the below link and also find the associated phone numbers to reach support :

https://www.cisco.com/c/en/us/support/index.html

Best,

Ben

brford · ‎08-22-2019

Ben makes a couple of important points here.

Meta data from the AnyConnect Network Visibility Module (NVM has to be sent to an Endpoint Concentrator. That meta data is 'NZFlow' not NetFlow or IPFIX. That meta data is not able to be processed at a Flow Collector and requires the Endpoint Concentrator to create IPFIX data that the Flow Collector can process.

Another important point is that NZFlow or endpoint meta data is stitched into Flow Collector connection records. You need to have either NetFlow or IPFIX data about a connection to add endpoint data in to. That means the connection has to also pass through a NetFlow or IPFIX capable device. Often this is the switch or WLC the endpoint is connecting to OR a router that the switch or WLC is connected to.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.