03-25-2025 07:44 AM
Hi colleagues,
I've encountered the following situation - the system shows the following warning messages for rules in ACpolicy:
Our scheme in general.
We have an FMCv deployed in the DC, which controls 2 FTD devices (FPR 3140).
An Identity Policy and an Access Control Policy are configured for every FTD device.
The Access Control Policy relies not only on Source and Destination IPs, but also on the User Group for which the rule is to be used.
In other words, we use 2 different Realms, each with its own Groups and Users.
However, we do not use all Groups and Users for verification, but only the necessary ones.
What could be the problem and how can it be solved?
Maybe someone has encountered it?
03-25-2025 08:27 AM
Have you included the groups in question in your realm synchronization settings?
03-25-2025 09:15 AM
Hi @Marvin Rhoads
Yes, I have added only specific Groups and Users for every Realm only to “Included Groups and Users” and have not added any groups or Users to “Excluded Groups and Users”.
03-26-2025 09:54 AM
Since you appear to have done all the basic configuration bits properly, it may be you are hitting a bug.
Short of opening a TAC case, the only other thing I might try would be to remove and re-add the realm integration.
03-27-2025 07:10 AM
@Marvin Rhoads
Maybe you know how to get a list of Groups and Users from FMC and FTD by API?
Perhaps it helps me to more clearly understand my situation.
03-25-2025 09:20 AM
And currently I'm trying to troubleshoot the Users and Groups synchronisation using this Cisco guide:
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-2590.pdf
I found that the file /var/sf/user_enforcement/ugm_snapshot.0 contains the Groups which we previously excluded from the synchronisation. And the file does not hold the Groups which we are really using...
Seems strange ...