topic Firepower User Agent not reporting user logins in Network Security

Firepower User Agent not reporting user logins

Jon Major — Tue, 12 Mar 2019 13:09:11 GMT

I've been fighting this issue for a couple days now, and not sure exactly what's going on. Here's a quick run down:

Windows Server 2012 R2 (Domain Controller, running FP User Agent 2.3 local)
Firepower Management Center 6.0.1.2
ASA 5506-X w/ Firepower Services 6.0.0.1

Domain controller/UA are on the same subnet as the management center, windows firewall is turned off. When I add my Active Directory server in, it connects successfully and turns green, however "Last Real-Time Report" never populates. When I add Firepower management center in, it also turns green. Though "Last Reported" also never populates. I've seen numerous successful audits for login in the windows security log on the domain controller, however the management center never shows any user activity or any users learned. I've tried running through the configuration guide several times for the UA, tried using even a domain admin account, nothing. Any advice is welcome.

Have you configured a Realm

Oliver Kaiser — Sat, 08 Oct 2016 19:40:35 GMT

Have you configured a Realm on FMC? You have to configure a Realm and Sync your Users/Groups.

Please let us know your settings on FMC to further troubleshoot this. In case the configuration is correct you can run the ADI (user identity) process on FMC in debug mode to gather more data on the issue and see if the agent reports data.

Realm was/is configured, and

Jon Major — Sun, 09 Oct 2016 15:35:06 GMT

Realm was/is configured, and user download working.

Ok, lets try to gather some

Oliver Kaiser — Sun, 09 Oct 2016 15:46:34 GMT

Ok, lets try to gather some data on the issue and run the ADI process in debug mode. You need to disable the process and run it with a debug flag. Since you need to restart the process all user-identity related features wont work as long as the service is down.

1. Change to root on FMC

sudo su -

2. Check if adi process is running

ps ax | grep adi

3. Disable adi process (if you only kill it, it will be automatically restarted, always use pmtool)

/usr/local/sf/bin/pmtool DisableByID adi

4. Check if adi process is not running anymore

ps ax | grep adi

5. Start adi process with debug flag and pipe output to tmp dir

nohup /usr/local/sf/bin/adi --debug > /var/tmp/adi-debug.log 2>&1 &

6. Generate logon/logoff events that should be published from AD to FMC and make sure User Agent is still connected to FMC.

When your tests are done kill the process again and enable it using pmtool

1. Find PID

ps ax | grep adi

2. Kill ADI process

kill -9 <PID>

3. Enable adi using pmtool

pmtool EnableById adi

4. Make sure adi is running again

ps ax | grep adi

If you need help analyzing the log output or got questions about the procedure let me know.

Re: Ok, lets try to gather some

HHRJB91360 — Tue, 27 Mar 2018 22:51:59 GMT

I gathered the info but it wasn't immediately clear what might be wrong.