All Apps and Add-ons

Cisco AnyConnect Network Visibility Module (NVM) App for Splunk: Why does nothing appear in Splunk dashboard?

moazelzhrawey
New Member

Hello team,
I have the following topology:
PC with Cisco Anyconnect configured with NVM ------ Collector ------ Splunk Enterprise with Cisco AnyConnect Network Visibility Module (NVM) App for Splunk

Now, everything is working fine from the Wireshark perspective: I'm receiving flows on the collector, and the collector sends them to Splunk Enterprise.
The issue is that on Splunk I can't see anything on the dashboards. Why?
One more thing: the captured data on the Splunk server appears with the SRC IP of the VPN client and the DST IP of the collector. Why?

And why can't I capture traffic destined to 20519 and 20520 on the Splunk server? I capture only the traffic, as mentioned above, destined to port 2055.

0 Karma
1 Solution

gpareesi11
Path Finder

Hi guys,

I have deployed the solution using NVM collector on CentOS 7 and Splunk 6.6.1 running on Windows.

The only issue I've seen was the firewall on my CentOS blocking port 2055; after stopping and disabling the firewall, a few minutes later the NVM Dashboard was populated with data.

Your acnvm.conf looks correct; verify the Splunk Data Input UDP ports 20519, 20520 and 20521, and that the firewall is not blocking these ports on the Splunk server.

Thanks
Guillaume
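The accepted answer comes down to two checks on the Splunk host: is something bound to each expected UDP port, and does the host firewall let that port through. The script below is an added example, not code from the thread or from the NVM app; it assumes Splunk's data inputs are UDP 20519, 20520 and 20521 (as stated above), that the collector port is UDP 2055, and that the CentOS 7 host uses firewalld. The `ss` and `firewall-cmd` outputs embedded in it are constructed stand-ins so it runs offline; the comments show the live commands to substitute.

```shell
#!/bin/sh
# Added example: verify NVM-related UDP ports are listening and allowed by firewalld.
# Assumptions (not from the thread's own files): Splunk inputs on UDP 20519-20521,
# collector on UDP 2055, firewalld as the host firewall on CentOS 7.

EXPECTED_SPLUNK_PORTS="20519 20520 20521"

# Constructed stand-in for the live command:  ss -lun   (listening, UDP, numeric)
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN  0      0      0.0.0.0:20519      0.0.0.0:*
UNCONN  0      0      0.0.0.0:20520      0.0.0.0:*
UNCONN  0      0      127.0.0.1:323      0.0.0.0:*'

# Constructed stand-in for the live command:  firewall-cmd --list-ports
SAMPLE_FW_PORTS='2055/udp 20519/udp'

# Print, one per line, each expected port with no UDP listener in the ss output.
# Empty output means Splunk (or whatever should own the port) is bound everywhere.
missing_listeners() {
  expected="$1"; ss_out="$2"
  for p in $expected; do
    # the local address column ends in ":PORT" followed by whitespace
    printf '%s\n' "$ss_out" | grep -Eq "[:.]${p}[[:space:]]" || echo "$p"
  done
}

# Print, one per line, each expected port that firewalld does not open for UDP.
missing_fw_rules() {
  expected="$1"; fw_out="$2"
  for p in $expected; do
    printf '%s\n' "$fw_out" | tr ' ' '\n' | grep -qx "${p}/udp" || echo "$p"
  done
}

# Offline run against the constructed samples. On the real Splunk host replace the
# second argument with "$(ss -lun)" and "$(firewall-cmd --list-ports)" respectively.
echo "Expected ports with no UDP listener:"
missing_listeners "$EXPECTED_SPLUNK_PORTS" "$SAMPLE_SS"
echo "Expected ports not opened in firewalld:"
missing_fw_rules "$EXPECTED_SPLUNK_PORTS" "$SAMPLE_FW_PORTS"
```

With the sample data the first check reports 20521 (no listener) and the second reports 20520 and 20521 (no firewalld rule). Opening only the needed ports, for example `firewall-cmd --add-port=20519/udp --permanent` followed by `firewall-cmd --reload`, keeps the firewall in place rather than disabling it outright as the answer describes; the same two checks apply to UDP 2055 on the collector host.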


moazelzhrawey
New Member

Hello gents,
Good day.
I've been working on this, and I made these changes to my lab:
- Disabled Firewall
- Changed the topology to make the collector and Splunk server in two different subnets.
(I'm not sure whether this is major or not, but I saw a couple of discussions saying that the Collector will not send the packets unless it is rewritten first.)
However, it might work even if they were in the same subnet.
The root cause of the issue was the firewall on the Collector server, which is basically CentOS 7.
For reference, the firewall was allowing traffic on port 2055 in the In direction by default, but it was very restrictive in the Out direction.
I hope you find my answer helpful.

0 Karma

moazelzhrawey
New Member

any update ?

0 Karma

Richfez
SplunkTrust

That is helpful to some extent. I agree something's not right, but I'm not an expert with this. Still, I do what I can and that's to a) bump this as I am doing and b) see if I can generally help even if I can't specifically help. So to that end:

Have you seen this answer? "How to install .... " which isn't about installing it, but is about making it work with a problem that may be similar to yours.

Also, double-check everything in the installation docs here very carefully. Apparently from the above link it's possible certain things even have to be done in the right order or else they won't work.

If all else fails you could browse through the Cisco docs for "Installation and Configuration of Cisco Network Visibility Module Through AnyConnect 4.2.x and Splun..." and see if that helps. If you have a Cisco support contract you could try to get Cisco to answer questions about it, but I doubt they will. For what it's worth, Cisco seems to make almost anything except syslog overly difficult and convoluted, then make docs that don't cover the problems anyone has and then, to top it off, don't actively support the product. So this is a common problem in general with their solutions.

Don't lose hope here yet either - it may still be that someone can help. But it looks from the general level of activity in this app's Answers that not many folks use it.

BY THE WAY - if you resolve this yourself in the meantime, please do write up the answer as an Answer here then mark it as accepted! Totally legitimate to do that in cases like this, and maybe that will help the next person who has a similar problem!

Here's to hopefully happy Splunking!
-Rich

0 Karma

Richfez
SplunkTrust

There are several points you are making or asking in here. A few clarifying questions:

You say the collector sends it on to Splunk; you know this because Wireshark on the Splunk server shows the traffic coming in? Is that right? Or do you only know that your collector is throwing packets toward your Splunk server? Specifics can matter here, to keep us from chasing our tails.

For the SRC vs. DST IP, please paste in an example of what you see that says this. Be sure to use the code button so it comes through completely!

As to your 20519 and 20520 port traffic and not capturing it: did you set up Splunk to listen on that network port? What mentioned-above 2055 traffic are you talking about? I don't see any traffic mentioned on that port, so I assume it's one of the flow collector ports. Please clarify if you can; I think this will help those who might be able to help you understand your situation better.

0 Karma

moazelzhrawey
New Member

Hello Rich,
Thank you for the quick reply.
First of all, attached is my topology:

http://imgur.com/a/oUWun

As you see, the Collector IP is 192.168.222 and the Splunk instance is 192.168.8.105.
Now, I started a Wireshark session on the Splunk hosting server; here is a sample of the capture:

http://imgur.com/a/OYuy3

SRC: the laptop after it connected through VPN (192.168.8.55).
As you see, it's wrong, because traffic should be destined to 192.168.8.105 (Splunk Server).
As per the acnvm.conf script on the Collector server, here is the configuration:

http://imgur.com/a/ZRlRe

And I've configured the Cisco AnyConnect NVM profile on the Cisco ASA firewall to push the IP of the collector, 192.168.8.222, on port 2055.

Now, why can't I see traffic captured on the Splunk server showing:
src ip: 192.168.8.55 (vpn client)
dst ip: 192.168.8.105 (splunk server) ## this traffic should be redirected from the collector and sent to the splunk instance.

0 Karma