
FirePower User Agent v2.3 build 10

Gabrielm1
Level 1

My User Agent failed a week or so ago and I had to move it off of our Domain Controller.


I am currently running Cisco Firepower Management Center for VMware version 6.2.3.12. I installed the user agent on a 2012 R2 server. I have a connection with my Active Directory server and I can see user events in the agent log tab:


[2329] - Real Time Event Received - 5/1/2019 7:54:44 AM,AbcdefG,xxx.xxx.xxx.xxx,interactive


I have configured the IP of the server that is running the agent in the FMC - System - Integration - Identity Sources - User Agent and the FMC Health Monitor is showing green status on the user agent status monitor.


When I add the FMC IP address or the DNS name I get an unavailable status. I checked the communication between the user agent and the FMC and it shows connectivity via port 3306:


23:11:10.442517 IP xxx.org.50095 > xxx.org.3306: Flags [.], ack 1, win 513, length 0

Looking at the logs from the user agent I get this error:


[2201] - Report login information from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx failed after 5/1/2019 7:45:04 AM. [The host xxx.xxx.xxx.xxx does not support SSL connections.].


Is there an SSL configuration on the FMC that I am missing that allows the user agent and FMC to transfer user activity to the FMC?

Has there been a change in the FMC versions that made the Active Directory User Activity require an SSL connection?

Thanks for any assistance regarding this problem.

18 Replies


@Gabrielm1 wrote:

Yes, it's an internal CA signed by DigiCert.

Do you have documentation on how to create the template for the CA to import the cert into the FMC without the constraint error?


See my last reply with screenshots.

Marvin's absolutely right (as Marvins are wont to be). If you're using a Microsoft CA, I normally duplicate the Web Server template, update the compatibility, enable basic constraints, and mark it as critical. No doubt there is another way to do it, but that way seems to work fine. After that (and adding the new template to my CA to be issued) the FMC imports it just fine. Of note, the GUI doesn't seem to generate a CSR that includes SAN names, so I tend to use DigiCert's CSR generation utility.

@Gabrielm1



[Attachments: FMC_signed1.PNG, FMC_signed2.PNG]
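As an added example (not from the thread or from Cisco), the following script shows the pre-import check the advice above implies: it issues throwaway self-signed CA certificates with openssl (assumed installed), one with Basic Constraints marked critical, one non-critical and one without the extension, and accepts only the first, so a certificate cut from a misconfigured CA template is caught before it is uploaded to the FMC.

```shell
#!/bin/sh
# Added example, not code from the thread: issue throwaway self-signed CA
# certificates with openssl (assumed available) and check whether each one
# carries a Basic Constraints extension marked critical with CA:TRUE, which
# is what the poster's CA template change produces.
set -e
WORK=$(mktemp -d)

# make_ca NAME EXTENSION_LINE
# Writes $WORK/NAME.pem, a one-day self-signed certificate whose only v3
# extension is EXTENSION_LINE (constructed test data, never for real use).
make_ca() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' \
    'prompt = no' '[dn]' "CN = Example Internal CA $1" '[v3]' "$2" \
    > "$WORK/$1.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    >/dev/null 2>&1
}

# has_critical_ca_constraint CERT.pem
# Succeeds only if the certificate text shows a Basic Constraints extension
# flagged critical whose next line asserts CA:TRUE; a non-critical or absent
# extension fails the check.
has_critical_ca_constraint() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Basic Constraints: critical' \
    | grep -q 'CA:TRUE'
}

make_ca good 'basicConstraints = critical, CA:TRUE'
make_ca noncritical 'basicConstraints = CA:TRUE'
make_ca missing 'subjectKeyIdentifier = hash'

for name in good noncritical missing; do
  if has_critical_ca_constraint "$WORK/$name.pem"; then
    echo "$name: OK, Basic Constraints is critical with CA:TRUE"
  else
    echo "$name: REJECT, fix the CA template before importing into the FMC"
  fi
done
```

Point the check at the PEM export of your issuing CA certificate instead of the generated files to vet it before the FMC import.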

Got it, didn't see the second page of the thread. Appreciate it...

Thanks for everyone's help. I was able to import our latest CA cert. Good for 2 years ;) I've added a work plan I created to rinse and repeat in 2021.


Thanks again
