
How to install Cisco AnyConnect Network Visibility Module (NVM) App for Splunk?

New Member

I tried to install the NVM app in Splunk Enterprise and managed to download the XML profile in the AnyConnect client pointing to the Splunk IP address, but I can't see packets going to the port I specified, 2055.

0 Karma
1 Solution

Explorer

It looks like the collector never received the NetFlow templates from your client. This is possible if you had your client configured and running before the collector was started. The collector needs to receive the NetFlow templates in order to process the NetFlow records from the endpoint.
Try restarting the nvmagent service on your client or make some changes to your NVM client profile (and revert it back to the right settings). The template is sent from the client when one of the following events occurs:
1. There is a change in the NVM profile
2. There is a network change event
3. The nvmagent service is restarted.

0 Karma

New Member

Thanks,

Everything seems to be working now. Splunk seems to be amazing, but every app seems to be configured differently. I'm working on all the Cisco security apps; I installed the ones for FireSIGHT and for Cisco ASA, but there's no separate tab for those like in NVM. Is there an easy way to go?

0 Karma

Path Finder

Hi,

Splunk is an amazing tool as you note. NVM will remain as a separate offering from those other tools.

0 Karma

New Member

Hello team,
I've the following topology:
PC with Cisco AnyConnect configured with NVM ------ Collector ------ Splunk Enterprise with NVM add-on

Now, everything is working fine from the Wireshark perspective: I'm receiving flows on the collector, and the collector sends them to Splunk Enterprise.
The issue is that on Splunk I can't see anything on the dashboards. Why?
One more thing: the captured data on the Splunk server appears with the SRC IP of the VPN client, and the DST IP is the collector. Why?

And why can't I capture traffic destined to 20519 and 20520 on the Splunk server? I capture only the traffic mentioned above, destined to port 2055.

0 Karma


New Member

Thank you,

I installed this collector on a Kali Linux box I had, and it keeps showing me this message:

no templates for flowset 258. The exporter is my IP address in AnyConnect. I don't know if I'm supposed to use another CentOS box; the conf file is configured to send the syslog to the right IP address, but there's no info there.

0 Karma
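The template dependency described in the accepted answer above, and the "no templates for flowset 258" message reported in this post, both follow from how IPFIX (RFC 7011) is laid out: a data set carries only raw field bytes, while the template record that names and sizes those fields travels in a separate set (set ID 2) and lives only in the collector's memory. The Python below is an added illustration written for this thread, not code from the NVM collector or the Splunk app. The `Collector` class, the message builders, the two constructed sample messages, and the exact wording of the warning string are assumptions; template ID 258 with three fields is chosen only to mirror the set ID in the quoted error.

```python
import struct
from ipaddress import IPv4Address

IPFIX_VERSION = 10     # RFC 7011 message version
TEMPLATE_SET_ID = 2    # set ID reserved for template sets; data sets use IDs >= 256

# Names for the few IANA IPFIX information elements used in the constructed sample
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address",
            11: "destinationTransportPort"}

def ipfix_message(sets, export_time=0, seq=0, domain=1):
    """Wrap one or more sets in a 16-byte IPFIX message header."""
    body = b"".join(sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain) + body

def template_set(template_id, fields):
    """Template set holding one record: template ID, field count, then (IE id, length) pairs."""
    rec = struct.pack("!HH", template_id, len(fields))
    rec += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec

def data_set(template_id, records):
    """Data set: the set ID is the template ID, the payload is raw concatenated field bytes."""
    body = b"".join(records)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def decode_field(ie, raw):
    if ie in (8, 12):
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")

class Collector:
    """Hypothetical minimal collector: learns templates, decodes data sets, drops the rest."""

    def __init__(self):
        # Templates are scoped per (observation domain, template ID), RFC 7011 section 8.
        # This dict is the collector's whole state; a restarted collector starts with it empty.
        self.templates = {}
        self.warnings = []

    def feed(self, msg):
        version, length, _time, _seq, domain = struct.unpack_from("!HHIII", msg, 0)
        if version != IPFIX_VERSION or length > len(msg):
            raise ValueError("not a well-formed IPFIX message")
        records, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack_from("!HH", msg, off)
            if set_len < 4:
                raise ValueError("bad set length")
            payload = msg[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._learn_templates(domain, payload)
            elif set_id >= 256:
                records.extend(self._decode_data(domain, set_id, payload))
            # set ID 3 (options templates) and reserved IDs are ignored in this example
            off += set_len
        return records

    def _learn_templates(self, domain, payload):
        off = 0
        while off + 4 <= len(payload):
            tid, count = struct.unpack_from("!HH", payload, off)
            off += 4
            if tid < 256:        # zero padding at the end of the set, not a template
                break
            fields = []
            for _ in range(count):
                fields.append(struct.unpack_from("!HH", payload, off))
                off += 4
            self.templates[(domain, tid)] = fields

    def _decode_data(self, domain, tid, payload):
        fields = self.templates.get((domain, tid))
        if fields is None:
            # Same situation as the message quoted in the thread (exact wording assumed)
            self.warnings.append(f"no templates for flowset {tid}")
            return []
        rec_len = sum(ln for _, ln in fields)
        out, off = [], 0
        while off + rec_len <= len(payload):   # anything shorter than a record is padding
            rec = {}
            for ie, ln in fields:
                rec[IE_NAMES.get(ie, f"ie{ie}")] = decode_field(ie, payload[off:off + ln])
                off += ln
            out.append(rec)
        return out

# Constructed sample traffic: template 258 = (srcIPv4, dstIPv4, dstPort), then one flow record
SAMPLE_TEMPLATE = ipfix_message([template_set(258, [(8, 4), (12, 4), (11, 2)])])
SAMPLE_DATA = ipfix_message([data_set(258, [
    IPv4Address("10.0.0.5").packed + IPv4Address("192.0.2.10").packed + struct.pack("!H", 443)
])], seq=1)

def demo():
    # Collector started after the client: the data set arrives before any template
    late = Collector()
    dropped = late.feed(SAMPLE_DATA)
    # Client re-sends its template (profile change, network change or nvmagent restart)
    ok = Collector()
    ok.feed(SAMPLE_TEMPLATE)
    decoded = ok.feed(SAMPLE_DATA)
    return dropped, late.warnings, decoded
```

`demo()` feeds the same flow record to two collectors: the first never saw template 258 and returns nothing but a warning, the second learned the template first and returns the decoded source, destination and port. Because the template table lives only in the collector process, restarting the collector empties it, and from the Splunk side a collector that is silently discarding data sets looks exactly like a client that is sending nothing; counting these warnings is a useful health check on any IPFIX ingestion path.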

Explorer

Hi edufernandez2,
Did you install the collector? The collector is a daemon service that needs to be installed on the server that your client profile is pointing to. The instructions to install the collector are available under the "Help > Install Guide" section of the Splunk app.
Also, please note that the collector can only be installed on 64-bit Linux machines.

-Vijay

0 Karma

Path Finder

Hi,

There are a few things you need to do.

AnyConnect:

  1. Configure the NVM profile.
  2. Configure the TND setting in the VPN profile.

The client will only send IPFIX (nvzFlow) when it has determined that it is on a trusted network.

Splunk:

Install and configure the Splunk app. In the install directory is the IPFIX (nvzFlow)-to-syslog component, which you need to manually install on a 64-bit Linux system.

Reboot the AnyConnect client after completing both steps and verify with a tool such as Wireshark that you are seeing IPFIX (nvzFlow) packets leaving the device on the configured port.

0 Karma