A customer of mine is using ASA CX together with CDA to extract the user-to-IP address mappings. The interaction between CX and CDA is configured and works properly, yet the policies will sometimes not work as intended. We then figured out that CDA will switch the user-to-IP mapping randomly and for varying periods for the same machine/IP. This happens even though the user has not logged out of his Windows desktop and has been using his PC normally.

We suspect that this could be related to software distribution services and other processes running in the background that are logging into AD from the same user PC. Specifically, we've seen up to three users alternating for a single IP, one of which is only being used by the software distribution application running on the client machine.

Can anybody say if this is an unintended behaviour of CDA or if one has to expect this as soon as there are other processes logging into AD from the same user PC? Is there a way to tune this, or any kind of best practice resulting in the CDA to always and only extract the correct user login for the mapping? I couldn't find much technical details on how the users are being extracted on AD other than CDA reading security event logs.

I need to solve this, otherwise the CX will be unusable and the customer will replace it with a different product.

Thanks, Toni