AD Sync not working properly

zstamm (Level 1)

I am having issues with a user based rule for an ACL. The rule should permit users to access certain URLs that are otherwise blocked. The rule does not currently permit users access as it should. This FMC was recently patched to Version 7.0.4 (Build 55), and was working before the patching. The device is a Firepower 1010 with FTD. There is a warning next to the rule stating "This rule contains a realm that has unresolved references. Please check realm > sync results to check what references were unresolved".

I check the realm sync results, and I see that there is an error stating "this realm contains references to user or groups in another domain that have not been synchronized." I do see the users that should be permitted listed in the users. FMC seems to be synchronizing with AD regularly, as I looked in the logs and found the message "Apr 09 2023 01:01:09 firepower ActionQueueScrape.pl: [SFAUDIT] firepower.<somename>.com: System@localhost, Task Queue, Successful task completion : Download users/groups from <SomeDC>".

What could be causing this? What else should I check?

1 Reply

Do you have a single domain or is there a trust / forest?

You might have seen this already, but have a look at this link and see the cross-domain trust section which results in the same or similar error you are receiving.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/identity-realms.html#reference_9F6035406C884E24949A7EDAE8B868A9


--
Please remember to select a correct answer and rate helpful posts
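One way to turn the reply's check into something repeatable: confirm, from the FMC audit log, that every domain the rule references actually has a recent successful "Download users/groups" task. This is an added example, not code from the thread or from Cisco; the sample log lines are constructed from the SFAUDIT entry quoted in the question, and the DC-to-domain mapping (DC_TO_DOMAIN), the DOMAIN\name reference format (RULE_REFERENCES) and the 24-hour freshness window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit lines modelled on the SFAUDIT entry quoted in the
# question; host and DC names are placeholders. Only the CORP domain's DC ever
# reports a successful download; the trusted domain's DC never appears.
SAMPLE_LOG = """\
Apr 09 2023 01:01:09 firepower ActionQueueScrape.pl: [SFAUDIT] firepower.example.com: System@localhost, Task Queue, Successful task completion : Download users/groups from dc1.corp.example.com
Apr 09 2023 02:01:09 firepower ActionQueueScrape.pl: [SFAUDIT] firepower.example.com: System@localhost, Task Queue, Successful task completion : Download users/groups from dc1.corp.example.com
"""

# Assumed mapping from the DC named in the audit line to the domain prefix
# used in the rule's user/group references (one entry per realm DC).
DC_TO_DOMAIN = {
    "dc1.corp.example.com": "CORP",
    "dc1.trusted.example.net": "TRUSTED",
}

# Constructed user/group references of the kind a user-based ACL rule carries;
# the DOMAIN\name form is an assumption for this example.
RULE_REFERENCES = ["CORP\\alice", "CORP\\web-allowed", "TRUSTED\\bob"]

SYNC_OK = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*\[SFAUDIT\].*"
    r"Successful task completion : Download users/groups from (?P<dc>\S+)\s*$"
)


def parse_sync_successes(log_text):
    """Return {dc_name: latest successful user/group download timestamp}."""
    latest = {}
    for line in log_text.splitlines():
        m = SYNC_OK.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        dc = m.group("dc")
        if dc not in latest or ts > latest[dc]:
            latest[dc] = ts
    return latest


def domains_with_recent_sync(latest_by_dc, dc_to_domain, now, max_age=timedelta(hours=24)):
    """Domains with at least one DC whose last successful sync is within max_age of now."""
    synced = set()
    for dc, ts in latest_by_dc.items():
        domain = dc_to_domain.get(dc)
        if domain is not None and now - ts <= max_age:
            synced.add(domain)
    return synced


def unsynced_reference_domains(references, synced_domains):
    """Domains the rule references that have no recent successful sync."""
    referenced = {ref.split("\\", 1)[0] for ref in references if "\\" in ref}
    return referenced - synced_domains


def check(log_text=SAMPLE_LOG, references=RULE_REFERENCES, dc_to_domain=DC_TO_DOMAIN, now=None):
    """Sorted list of referenced domains lacking a recent successful download."""
    latest = parse_sync_successes(log_text)
    if now is None:
        # Use the newest log entry as "now" so the sample stays reproducible.
        now = max(latest.values()) if latest else datetime.min
    synced = domains_with_recent_sync(latest, dc_to_domain, now)
    return sorted(unsynced_reference_domains(references, synced))


if __name__ == "__main__":
    missing = check()
    if missing:
        print("Rule references domains with no recent successful sync:", ", ".join(missing))
    else:
        print("All referenced domains have a recent successful user/group download")
```

A domain that shows up in the output is a candidate for the "references to users or groups in another domain that have not been synchronized" condition the question describes; the fix is on the realm side (the cross-domain trust configuration the reply links to), and this script only narrows down which domain to look at.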