Firepower User Agent not reporting user logins

Jon Major
Level 1

I've been fighting this issue for a couple of days now, and I'm not sure exactly what's going on. Here's a quick rundown:

  • Windows Server 2012 R2 (Domain Controller, running FP User Agent 2.3 local)
  • Firepower Management Center 6.0.1.2
  • ASA 5506-X w/ Firepower Services 6.0.0.1

Domain controller/UA are on the same subnet as the management center, and the Windows firewall is turned off. When I add my Active Directory server in, it connects successfully and turns green; however, "Last Real-Time Report" never populates. When I add the Firepower Management Center in, it also turns green, though "Last Reported" also never populates. I've seen numerous successful login audits in the Windows security log on the domain controller; however, the management center never shows any user activity or any users learned. I've tried running through the configuration guide several times for the UA, and tried using even a domain admin account, nothing. Any advice is welcome.

4 Replies

Oliver Kaiser
Level 7

Have you configured a Realm on FMC? You have to configure a Realm and Sync your Users/Groups.

Please let us know your settings on FMC to further troubleshoot this. In case the configuration is correct you can run the ADI (user identity) process on FMC in debug mode to gather more data on the issue and see if the agent reports data.

Realm was/is configured, and user download working. 

OK, let's try to gather some data on the issue and run the ADI process in debug mode. You need to disable the process and run it with a debug flag. Since you need to restart the process, all user-identity related features won't work as long as the service is down.

1. Change to root on FMC

sudo su -

2. Check if adi process is running

ps ax | grep adi

3. Disable adi process (if you only kill it, it will be automatically restarted, always use pmtool)

/usr/local/sf/bin/pmtool DisableByID adi

4. Check if adi process is not running anymore

ps ax | grep adi

5. Start adi process with debug flag and pipe output to tmp dir

nohup /usr/local/sf/bin/adi --debug > /var/tmp/adi-debug.log 2>&1 &

6. Generate logon/logoff events that should be published from AD to FMC and make sure User Agent is still connected to FMC.

When your tests are done kill the process again and enable it using pmtool

1. Find PID

ps ax | grep adi

2. Kill ADI process

kill -9 <PID>

3. Enable adi using pmtool

pmtool EnableById adi

4. Make sure adi is running again

ps ax | grep adi

If you need help analyzing the log output or got questions about the procedure let me know.
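The procedure above, wrapped in a small script so that adi is always handed back to pmtool when the capture ends (including on Ctrl-C), since user identity is down for as long as the managed process is disabled. This is an added example, not code from the thread or from Cisco; it uses the paths and pmtool subcommands exactly as posted and assumes it is run as root on the FMC.

```shell
#!/bin/sh
# Added example, not from the thread: runs the posted ADI debug capture and
# guarantees the managed adi process is re-enabled afterwards.
# Paths and pmtool subcommand spelling are taken from the thread (assumed correct).
PMTOOL="${PMTOOL:-/usr/local/sf/bin/pmtool}"
ADI_BIN="${ADI_BIN:-/usr/local/sf/bin/adi}"
DEBUG_LOG="${DEBUG_LOG:-/var/tmp/adi-debug.log}"

# Print the PIDs of adi processes from `ps ax` output read on stdin.
# Matching the command column (field 5) avoids the pitfall of `ps ax | grep adi`,
# which also lists the grep itself and can make a stopped service look alive.
adi_pids() {
    awk '$5 ~ /(^|\/)adi$/ { print $1 }'
}

# Poll until no adi process is left, for at most $1 seconds (default 30).
wait_for_adi_stop() {
    secs="${1:-30}"
    while [ "$secs" -gt 0 ]; do
        [ -z "$(ps ax | adi_pids)" ] && return 0
        sleep 1
        secs=$((secs - 1))
    done
    return 1
}

# Kill the debug instance and re-enable the managed one; runs on exit or Ctrl-C.
restore_adi() {
    trap - EXIT INT TERM
    for pid in $(ps ax | adi_pids); do kill -9 "$pid" 2>/dev/null; done
    "$PMTOOL" EnableById adi
    echo "adi re-enabled via pmtool; debug output is in $DEBUG_LOG"
}

capture_adi_debug() {
    "$PMTOOL" DisableByID adi
    wait_for_adi_stop 30 || {
        echo "adi did not stop after DisableByID; re-enabling and aborting" >&2
        "$PMTOOL" EnableById adi
        return 1
    }
    trap restore_adi EXIT INT TERM
    nohup "$ADI_BIN" --debug > "$DEBUG_LOG" 2>&1 &
    echo "adi running in debug mode (PID $!). Generate AD logon/logoff events now,"
    echo "then press Enter to stop the capture and restore the managed service."
    read -r _
}

# A capture starts only when invoked as: sh adi-debug.sh run
case "${1:-}" in run) capture_adi_debug ;; esac
```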

I gathered the info but it wasn't immediately clear what might be wrong.
