05-01-2019 09:55 AM
My User agent failed a week or so ago and I had to move it off of our Domain Controller.
I am currently running Cisco Firepower Management Center for VMware version 6.2.3.12. I installed the user agent on a 2012 R2 server. I have a connection with my Active Directory server and I can see user events in the agent log tab:
[2329] - Real Time Event Received - 5/1/2019 7:54:44 AM,AbcdefG,xxx.xxx.xxx.xxx,interactive
I have configured the IP of the server that is running the agent in the FMC - System - Integration - Identity Sources - User Agent and the FMC Health Monitor is showing green status on the user agent status monitor.
When I add the FMC IP address or the DNS name I get an unavailable status. I checked the communication between the user agent and the FMC and it shows connectivity via port 3306:
23:11:10.442517 IP xxx.org.50095 > xxx.org.3306: Flags [.], ack 1, win 513, length 0
Looking at the logs from the user agent I get this error:
[2201] - Report login information from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx failed after 5/1/2019 7:45:04 AM. [The host xxx.xxx.xxx.xxx does not support SSL connections.].
Is there an SSL configuration on the FMC that I am missing that allows the user agent and FMC to transfer user activity to the FMC?
Has there been a change in the FMC versions that made the Active Directory User Activity require an SSL connection?
Thanks for any assistance regarding this problem.
05-23-2019 01:40 PM
Looks like I'm dealing with 2 issues. User agent is working fine now. The problem I'm having is importing my CA cert. Looks like the only answer is have TAC take a look at it.
Thanks for everyone's help...
06-10-2019 07:42 AM - edited 06-10-2019 07:48 AM
Thanks for everyone's help. I was able to Import our latest CA Cert. Good for 2 years ;) I've added a work plan I created to rinse and repeat in 2021.
Thanks again
05-01-2019 07:45 PM
Have you checked the certificate and its expiry status on your FMC?
05-02-2019 08:17 AM
It has a self signed cert good till 2038...
Current HTTPS Server Certificate
Subject:
  commonName: firepower
  countryName: US
  organizationName: Cisco Systems, Inc
  organizationalUnitName: Intrusion Management System
Issuer:
  commonName: firepower
  countryName: US
  organizationName: Cisco Systems, Inc
  organizationalUnitName: Intrusion Management System
Validity:
  Not Before: May 8 17:35:46 2018 GMT
  Not After: May 8 17:35:46 2038 GMT
Version: 3
Serial Number: XXXXXXXXXXXXXXXXX
Signature Algorithm: sha256WithRSAEncryption
Thanks, at least I have something to look into...
05-22-2019 06:16 PM - edited 05-22-2019 06:17 PM
I literally just got this exact same issue resolved. To confirm you're hitting bug CSCvo83842 run the following from the FMC's CLI.
mysql -uroot -padmin
mysql> show variables like '%ssl';
If you get:
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | NO    |
| have_ssl      | NO    |
+---------------+-------+
2 rows in set (0.00 sec)
Then you're impacted by that bug, simple resolution though. All I did was upgrade to 6.2.3.13 and it was resolved.
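The same condition can be checked from the user agent host without logging in to the FMC database, because a MySQL server with SSL disabled leaves the CLIENT_SSL capability bit out of its connection greeting. This is an added example, not part of the original post or of Cisco's tooling; it assumes the FMC listener on port 3306 speaks standard MySQL protocol 10, and sample_greeting() builds constructed packets for offline use.

```python
import socket
import struct

CLIENT_SSL = 0x0800  # capability bit set by a MySQL server that accepts TLS


def parse_handshake(packet: bytes) -> dict:
    """Parse the first packet a MySQL server sends (4-byte header included)."""
    if len(packet) < 5:
        raise ValueError("short packet")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if length == 0 or len(payload) < length:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:  # ERR packet, e.g. this client host is not allowed
        code = struct.unpack_from("<H", payload, 1)[0]
        raise ValueError(f"server error {code}: {payload[3:].decode('latin-1')}")
    if payload[0] != 10:
        raise ValueError(f"unexpected protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)  # server version string is NUL-terminated
    # thread id (4) + auth data part 1 (8) + filler (1) precede the flags
    off = end + 1 + 4 + 8 + 1
    if len(payload) < off + 2:
        raise ValueError("handshake ends before capability flags")
    caps = struct.unpack_from("<H", payload, off)[0]
    return {"version": payload[1:end].decode("ascii", "replace"),
            "ssl": bool(caps & CLIENT_SSL)}


def read_handshake(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect, read the greeting only, and never send credentials."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(data) < 4 or len(data) < 4 + int.from_bytes(data[:3], "little"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_handshake(data)


def sample_greeting(caps: int) -> bytes:
    """Constructed greeting for offline testing; not captured from an FMC."""
    body = (b"\x0a" + b"5.6.0-constructed\x00" + struct.pack("<I", 7)
            + b"ABCDEFGH\x00" + struct.pack("<H", caps)
            + b"\x21\x02\x00\x00\x00\x00" + b"\x00" * 10)
    return len(body).to_bytes(3, "little") + b"\x00" + body


if __name__ == "__main__":
    print(parse_handshake(sample_greeting(0xF7FF)))  # SSL bit clear
    print(parse_handshake(sample_greeting(0xFFFF)))  # SSL bit set
```

Calling read_handshake() with the FMC address returns "ssl": False when the server does not offer TLS, which matches the have_ssl = NO result above.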
05-23-2019 10:19 AM
05-23-2019 10:20 AM
05-23-2019 11:37 AM
05-23-2019 07:05 PM
@Jon Major Thanks for the heads up on Version 2.4.
There are no release notes just yet; but I see in the configuration guide that it is recommended for FMC 6.2.3 or later:
05-24-2019 07:31 AM
05-24-2019 08:13 AM
UA 2.2 is working, I was running 2.4 and was not connecting to my FMC so I backed up to 2.2. Of course that didn't help because the issue was with the version of FMC. Once I upgraded to the latest FMC it started communicating. Services are back up.
Now I have to resolve my https cert import. Never ending. Job security right?
05-24-2019 11:00 AM
05-24-2019 01:34 PM
It's just for GUI management of FMC. Was able to update 10 other servers, but FMC is throwing a fit...
05-24-2019 06:37 PM
The "Basic constraints..." error usually has to do with the certificate template used by the issuing CA. Is this from an internal CA?
05-28-2019 07:43 AM
Yes, it's an internal CA signed by digicert.
Do you have documentation on how to create the template for the CA to import the cert into the FMC without the constraint error?