ASA Firepower ignore users groups in Access Control Policy

tank28m45
Level 1

Hello,

   We use ASA 5516-X with FirePower Services.

FirePower services version - 6.2.0 with 6.2.0.1-10 patch installed.

ASDM - 7.7.1

ASA  - 9.7.1

We use passive authentication with active authentication as a fallback, with an Active Directory realm.

FirePower successfully downloads users and groups from Active Directory. The Foresight agent for Active Directory v2.3-10 is installed and works properly.

All users are successfully authenticated.

But: if we create an access rule with an Active Directory group, it works for some time (~30 min) and then simply ignores users' group membership.

If I re-download users and groups from Active Directory in the realm config, it works again for some time.

If we create an access rule with Active Directory users directly, it always works.

Need help.

P.S.

The domain NETBIOS name differs from the DNS name (domain.com).

8 Replies

Hugo Caye
Level 1

Hi there,

I have exactly the same problem, ASA-5515X and ASA-5506X.

FirePOWER v6.1.x did not have this malfunction.

It seems that if, in the "User Download" tab, the "Repeat Every" is changed to e.g. 12 or 24 h, it takes more time before it ignores the group membership. Looking at the syslog messages and comparing with previous FP versions, no LDAP related entries can be found in FP v6.2.

Realms recreated, old ones deleted, same misbehaviour.

Also need help.

TIA

Hi,

Confirmed.

With the same config, version 6.1.0.2 works properly.

I think this is a 6.2.0.1 version bug.

Hi there,

Please look at this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb69906

It seems that this bug was corrected ("Status: Fixed", Feb/27).

Do you know if there is a patch available, or do we have to wait for a new FirePOWER code version?

Regards,

Hello,

Yes, I have exactly the problem described in CSCvb69906.

This is not fixed in 6.2.0 or 6.2.0.1.

Hi there,
I opened a TAC case and after some weeks the engineer accessed our FP, edited a file and this solved the problem. That was last week and since then we have not seen the problem again.

He told me that this fix will be included in a new v6.2 build to be released in the first days of May.

I did the same procedure on two other FP modules and it worked.

Regards,

Hugo

Hello,

Can you share what you did?

Regards,

Pavel.

Pavel, I think that I'm not authorized to publish here what he did.

Can you please search Google for "hugo caye micmac" and send me an email message?

Tks,

Hi Hugo, how are you?

Please, can you share it with me? I sent you an e-mail.

Cya.
