Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12473
Views
0
Helpful
8
Replies

DCOM error 10028 - Sourcefire User Agent

Go to solution
aoun.ameur1
Level 1
Level 1

‎03-16-2016 08:17 AM - edited ‎03-12-2019 05:56 AM

Hi all

I have a DCOM error in Event viewer linked to sourcefire user agent. It shows that "DCOM was unable to communicate with the computer x.x.x.x using any of the configured protocols". The reference of the error is 10028.

In sourcefire user agent log TAB , it mentionned that : 

Is there any suggetsion to resolve this error please ?

3 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yogdhanu
Cisco Employee
Cisco Employee
In response to aoun.ameur1

‎03-18-2016 04:18 AM

Hi

Which version of firepower you are using ? 6.0 or 5.4

If 6.0 ,you would have an option to download the users so they show up in ACP.

Or may be user agent mapping needs to be refreshed by restarting some services in DC.

Thanks

Yogesh

View solution in original post

0 Helpful
8 Replies 8

Go to solution
yogdhanu
Cisco Employee
Cisco Employee

‎03-17-2016 08:34 AM

Hi

The message refers to the useragent unable to establish connection and the computer ip is reported. Generally this error occur if the devices being polled are not Windows device.  If its windows machine, possible causes is something blocking the DCOM polling. 

 

 You can follow this article to grant minimum permission and then check.

Let me know if it helps.

Thanks

Yogesh

0 Helpful

Go to solution
aoun.ameur1
Level 1
Level 1
In response to yogdhanu

‎03-18-2016 03:56 AM

Thank's for reply yogdhanu.

By following the Grant permission article from cisco.com, the problem was resolved and from logs i no longer see the error . It indicate now "Reported heartbeat from ::1, X.X.X.X to Y.Y.Y.Y."

But, i catched another problem which that the list of users and groups from Users TAB, under Access control Menu, is not up to date, there is many users  missing and the access control policy is not applied for present users in the list, when configuring for example an url filtering policy by users.

Hope that I can found a member who had this same problem and can resolve it.


Regards

0 Helpful

Go to solution
yogdhanu
Cisco Employee
Cisco Employee
In response to aoun.ameur1

‎03-18-2016 04:18 AM

Hi

Which version of firepower you are using ? 6.0 or 5.4

If 6.0 ,you would have an option to download the users so they show up in ACP.

Or may be user agent mapping needs to be refreshed by restarting some services in DC.

Thanks

Yogesh

0 Helpful

Go to solution
aoun.ameur1
Level 1
Level 1
In response to yogdhanu

‎03-18-2016 06:55 AM

Hi,

I have 5.3.1-6 version, is it required to upgrade or no ?

Thanks

0 Helpful

Go to solution
peter.atea
Level 1
Level 1

‎08-31-2016 07:13 AM

Hi!

I'm experience similar problem but we don't have any problems with the Cisco Firepower User Agent.
But the event viewer is filled with DCOM Event ID 10028 events:

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          2016-08-31 15:13:19
Event ID:      10009
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC01.domain.com
Description:
DCOM was unable to communicate with the computer 10.10.10.21 using any of the configured protocols.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-31T13:13:19.000000000Z" />
    <EventRecordID>2717024</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>DC01.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">10.10.10.21</Data>
    <Binary>3C5265636F7264233....</Binary>
  </EventData>
</Event>

The agent is installed on two DCs, one 20012r2 and one 2008r2, both experience the same problems.

I have checked the firewall settings on the DCs and they seems to be correct according to Microsofts "Setting up a Remote WMI Connection".

Tested the "Grant Minimum Permission to an Active Directory.."  troubleshoot but i it did not help, Think this helps if you experince problems with the agent log.

I can connect to some of the clients in the event log (ping and \\IP-address\c$) but not all.

Any ideas how to solve this event errors?

Preview file
129 KB
0 Helpful

Go to solution
daniel.cook1
Level 1
Level 1
In response to peter.atea

‎03-14-2017 08:45 AM

I am also having the same thing happen. No issues other than event view log filling up with the same error message.

Has anyone found a fix for this?

0 Helpful

Go to solution
ahk000002
Level 1
Level 1
In response to daniel.cook1

‎03-29-2017 04:52 AM

Hi Daniel

I have the exact same issue as you with only the event log of the server is filling up. I haven't found the cause yet. 

Have you in the last 15 days managed to find the cause?

Regards 

0 Helpful

Go to solution
Amafsha1
Level 2
Level 2
In response to ahk000002

‎08-20-2018 03:45 PM

I'm having the same issue now as well.  What was your resolution?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card