Most companies have a VPN set up to allow users remote access to the company network, but that leaves a blind spot on the network—until now.
What Is Cisco AnyConnect?
AnyConnect is a secure VPN client from Cisco and is hailed as the next-generation VPN client. While a lot of VPN clients only provide endpoint VPN access, the AnyConnect Secure Mobility Client provides a number of modules that allow users and businesses to do more. What also makes AnyConnect special is that it has utilities that help with security regarding who is connecting and how they’re connecting; you can read about these modules here. This is great and can put some worries at ease, but there is still the question of visibility.
So What Would We Be Able to See?
Depending on the device and monitoring points, normally we can only see the start and end points of VPN tunnels. That leaves a huge hole in the middle. Even if we can see the connection information, we are lacking some useful details.
What if we could see the username, source, DNS suffix, and even the OS of the device the user is connecting from? Well, thanks to AnyConnect and Cisco’s nvzFlow (IPFIX), we can! You can read more about this in this blog my colleague Justin wrote.
How Do We Get Flows to a Collector?
First, there are some requirements that we need to meet.
You will need Cisco AnyConnect 4.2.0 or higher, an AnyConnect APEX license, and ASDM 7.5.1 or higher. Then we can move onto the fun stuff.
One thing to note is that the AnyConnect configuration is saved in an XML file that contains information about the collector IP address and port number. These need to be correctly configured on the NVM client profile. For correct operation of the NVM module, the XML file must be placed in the following directory:
- For Windows 7 operating systems and later: %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\NVM
- For Mac OS X: /opt/cisco/anyconnect/nvm
If the profile is on your Cisco ASA/ISE, it will be automatically sent out along with the AnyConnect deployment. Here is an example of an XML profile from Cisco’s website:
<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NVMProfile.xsd">
  <CollectorConfiguration>
    <CollectorIP>192.0.2.123</CollectorIP>
    <Port>2055</Port>
  </CollectorConfiguration>
  <Anonymize>false</Anonymize>
  <CollectionMode>all</CollectionMode>
</NVMProfile>
The NVM profile can also be created using the Cisco ASDM or the AnyConnect profile editor. If you’d like a walkthrough on setting the profile up through ASDM or ISE, you can follow this Cisco guide. It explains how to send flows to Splunk, but the principle is the same.
Important: If you finish your configuration here, each end user will show up in Scrutinizer as its own exporter. As you can imagine, if you have hundreds or thousands of VPN users, this will quickly become a huge problem.
To prevent this, you can use our Replicator. Create a profile and edit it so that every exporter (in this case, every end user) sending to the Replicator is forwarded to Scrutinizer with the Replicator's own IP as the source. For example, say the IP of my Replicator is 10.1.3.86. I would configure my XML profile to send nvzFlows to 10.1.3.86 on port 2055. Once I see the flows in my Replicator, I would point them to a profile and ensure that the profile is set to send flows from the 10.1.3.86 IP. That way I don't have hundreds of singular IP addresses.
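As an added example (not code from the post, Cisco or Plixer), the following Python validates an NVM profile before it is deployed and generates one that points every client at a single collector such as the Replicator at 10.1.3.86:2055. It assumes the profile layout shown above; the "trusted"/"untrusted" CollectionMode values are an assumption, since the post only shows "all".

```python
import ipaddress
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)

# Assumption: the profile editor also offers "trusted" and "untrusted";
# the post itself only shows "all".
COLLECTION_MODES = {"all", "trusted", "untrusted"}

# Constructed sample, mirroring the profile shown in the post.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:noNamespaceSchemaLocation="NVMProfile.xsd">
  <CollectorConfiguration>
    <CollectorIP>192.0.2.123</CollectorIP>
    <Port>2055</Port>
  </CollectorConfiguration>
  <Anonymize>false</Anonymize>
  <CollectionMode>all</CollectionMode>
</NVMProfile>
"""

def parse_nvm_profile(xml_text):
    """Return the profile's settings; raise ValueError on anything that
    would leave the NVM module exporting to nowhere."""
    root = ET.fromstring(xml_text)
    if root.tag != "NVMProfile":
        raise ValueError(f"unexpected root element {root.tag!r}")
    def text(path):
        node = root.find(path)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing element {path!r}")
        return node.text.strip()
    collector = ipaddress.ip_address(text("CollectorConfiguration/CollectorIP"))
    port = int(text("CollectorConfiguration/Port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    anonymize = text("Anonymize").lower()
    if anonymize not in ("true", "false"):
        raise ValueError(f"Anonymize must be true/false, got {anonymize!r}")
    mode = text("CollectionMode").lower()
    if mode not in COLLECTION_MODES:
        raise ValueError(f"unknown CollectionMode {mode!r}")
    return {"collector_ip": str(collector), "port": port,
            "anonymize": anonymize == "true", "collection_mode": mode}

def build_nvm_profile(collector_ip, port, anonymize=False, collection_mode="all"):
    """Emit a profile aimed at one collector (e.g. the Replicator), then
    re-parse it so a bad value is caught before the file is pushed out."""
    root = ET.Element("NVMProfile", {f"{{{XSI}}}noNamespaceSchemaLocation": "NVMProfile.xsd"})
    cc = ET.SubElement(root, "CollectorConfiguration")
    ET.SubElement(cc, "CollectorIP").text = str(ipaddress.ip_address(collector_ip))
    ET.SubElement(cc, "Port").text = str(int(port))
    ET.SubElement(root, "Anonymize").text = "true" if anonymize else "false"
    ET.SubElement(root, "CollectionMode").text = collection_mode
    xml_text = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
    parse_nvm_profile(xml_text)  # round-trip check
    return xml_text
```

Write the returned string to the NVM directory listed above (or load it into the profile editor) so that every client exports to the Replicator rather than directly to Scrutinizer.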
Hooray for Flows!
Congratulations! Now you have context rich data on your VPN users! If you’d like to give Scrutinizer or even our Replicator a try, hop over to our download page. You can also reach out if you need help getting the configuration set for your Cisco AnyConnect clients.