Install Cisco Firepower User Agent for Active Directory.

n.avramenko87 (Level 1)

Hello! I have one problem. I installed this agent on Active Directory. (The service is running with domain admin rights.)

In FireSight:

In Policy > Users I added the FirePower Agent (it found Active Directory, all good) and the User Agent (here I check the IP address of the AD server).

In Firepower User Agent for Active Directory:

In Cisco Firepower User Agent for Active Directory I added the host (the AD server); all good, it has the status "available".

In FP Management Center I added FireSight. But after a few minutes its state became unavailable.

I have this log: "Unable to report heartbeat to 192.168.0.100. - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond"

But I see that all devices are available. What does it mean? Thank you!!!

42 Replies

Hello Team,

Try the following solution:

Delete UserAgentEncryptionBytes.bin

Enable the Cisco User Agent Service to run as a different user:

Open the Services console

Start > Run > services.msc (or through Administrative Tools)

Right-click and choose Properties for Cisco Firepower User Agent

Select Log On tab

Specify a known account with proper rights to run the service


http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html

Apply and start the service

Verify the C:\UserAgentEncryptionBytes.bin is recreated and has a size greater than 0

If you need any assistance performing this, you have to open a service request with the TAC.

Rate and mark correct if the post helps you

Regards

Jetsy 
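Added example, not part of the answer above or of Cisco's own tooling: a PowerShell check for the three conditions that answer depends on, run on the Windows host where the User Agent is installed. It reports which account the "Cisco Firepower User Agent" service logs on as (Local System cannot authenticate to the domain controllers, which is what the "run as a different user" step fixes), whether C:\UserAgentEncryptionBytes.bin was recreated with a size greater than 0, and whether the FMC named in the original question is reachable over TCP at all, since the heartbeat error quoted there is a plain connection timeout. Assumptions are flagged in the comments: the service is located by a wildcard on its display name because the thread does not give the Windows service name, the FMC address defaults to the 192.168.0.100 from the question, and 3306/tcp is used as the User Agent to FMC port (confirm it against the Cisco guide for your release).

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the User Agent host.
function Test-UserAgentSetup {
    param(
        [string]$FmcAddress = '192.168.0.100',               # FMC address from the original post
        [int]   $FmcPort    = 3306,                          # assumed User Agent -> FMC port; verify for your release
        [string]$KeyFile    = 'C:\UserAgentEncryptionBytes.bin'
    )

    $result = [ordered]@{}

    # 1. Service logon account. The exact service name is not in the thread, so
    #    match on the display name (assumption: it contains "User Agent").
    $svc = Get-CimInstance Win32_Service |
           Where-Object { $_.DisplayName -like '*User Agent*' } |
           Select-Object -First 1
    if ($null -eq $svc) {
        $result.ServiceFound = $false
    } else {
        $result.ServiceFound      = $true
        $result.ServiceName       = $svc.Name
        $result.State             = $svc.State
        $result.LogOnAs           = $svc.StartName
        $result.RunsAsLocalSystem = ($svc.StartName -eq 'LocalSystem')   # $true means step "Log On tab" still to do
    }

    # 2. The encryption-bytes file must exist and be non-empty after the restart;
    #    a missing or zero-byte file means the service never regenerated it.
    if (Test-Path -LiteralPath $KeyFile) {
        $len = (Get-Item -LiteralPath $KeyFile).Length
        $result.KeyFileBytes = $len
        $result.KeyFileOk    = ($len -gt 0)
    } else {
        $result.KeyFileBytes = 0
        $result.KeyFileOk    = $false
    }

    # 3. Basic reachability of the FMC; rules out a firewall/route problem
    #    before looking at the agent itself.
    $tcp = Test-NetConnection -ComputerName $FmcAddress -Port $FmcPort -WarningAction SilentlyContinue
    $result.FmcReachable = $tcp.TcpTestSucceeded

    [pscustomobject]$result
}

Test-UserAgentSetup | Format-List
```

If RunsAsLocalSystem is $true or KeyFileOk is $false, the steps above have not yet taken effect; if FmcReachable is $false, the heartbeat failure is a network path problem between the agent host and the FMC rather than an agent configuration problem.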

Lovely! That worked well :)

Hello Hicham,

Glad to know that our posts help you :-)

Feel free to write to support forums..

Rate and mark correct the helpful posts

Regards

Jetsy 

Hey Again,

I'm facing a new problem now where all the user initiators are "unknown".

I tried to add in access policy>users the entire realm "realm/*" but there was a warning that says:

  • Realms are not supported on one or more of the targeted devices

All the realms seem to work fine and I can see the users getting pulled, but I am sure that I'm missing something.

Hope you can help.

Cheers

Hello Hicham,

What is the software version of the Firepower module and FireSight involved here?

For this issue you may need to open a TAC request as this involves several steps to check and especially we need to check the database part.

Regards

Jetsy 

Hi Jetsy,

FMC is 6.0.1 (build 1213) 

ASA5516 ver 5.4.1

This is a bit more complicated than expected.

Maybe I need to open a TAC request by now.

Regards,

Hi guys,

I thought this needs to be shared.

I opened a TAC with Cisco and their reply was:

"User agent must be registered/connected to all of the AD servers" << that means if you have 400 Active Directory servers worldwide you need them all to be listed in the User Agent server, which honestly doesn't make any sense.

Has anyone faced this before?

Regards,

Not exactly but each DC that processes user logon/logoff events has to have a User Agent pulling those logon events from it.

Since an AD domain does not centrally store all of those audit events how else would User Agent know about them?

A given User Agent does not have to be on a DC and can connect to up to 4 DCs (if I recall correctly). So you have to have a ratio of 4:1 User Agents to DCs.

"User agent must be registered/connected to all of the AD servers" << that means if you have 400 Active Directory servers worldwide you need them all to be listed in the User Agent server, which honestly doesn't make any sense.

I have one domain controller, but I did not solve this problem.

Jetsy - remember Techzone links are internal Cisco only.

Hello Marvin,

The article was external. The link given was different by mistake.

Here is the original link

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118738-configure-firesight-00.html

I corrected the post and gave the correct one.

Thanks Marvin for your heads-up.

Regards

Jetsy 

jeffrey.cheah (Level 1)

Hi,

I have the same issue, and in the debug log I found the following:

24/11/2016 10:18 debug [2201] - Report login information from   localhost to 10.11.0.243 failed after 24/11/2016 9:20:11 AM. [A call to SSPI failed, see inner exception.].
24/11/2016 10:18 error [2201] - Report login information from   localhost to 10.11.0.243 failed after 24/11/2016 9:20:11 AM. [A call to SSPI failed, see inner exception.].


Solution 1:

Uninstall Microsoft updates KB3161606 and KB3161608 (do not forget to prevent it from reinstalling).

Solution 2:

  1. Edit the registry:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\
  2. Add the new Key named "Diffie-Hellman"
  3. Under the newly created Key, add the DWORD Value.
  4. Type "ClientMinKeyBitLength" for the name of the DWORD, and then press Enter.
  5. Right-click ClientMinKeyBitLength, and then click Modify.
  6. In the Value data box, type "200" in Hex, and then click OK.
  7. Restart the Agent service and everything will start working again.
  8. Check authentication logs on FMC under Analysis > Users > User Activity.

Thanks.
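Added example, not part of jeffrey.cheah's post: a PowerShell version of Solution 2 that creates the SCHANNEL key and DWORD from the steps above, reads the value back so the change can be verified, and reports whether the two updates named in Solution 1 are installed on the host. The registry path, value name and value (0x200, which is 512 decimal) are exactly the ones in the post; the function names are mine, and the service is restarted by a wildcard on its display name because the thread does not give the Windows service name. One point worth understanding before applying it: ClientMinKeyBitLength is the minimum Diffie-Hellman modulus size that every Schannel TLS client on the machine will accept, so setting it to 512 bits re-enables a key size that is considered breakable and weakens all outbound TLS from that host, not only the User Agent's connection to the FMC. Treat it as a workaround to be reverted once the peer offers a larger DH group, and keep the before value the script prints so you can restore it.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$DhKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$ValueName = 'ClientMinKeyBitLength'

function Get-DhClientMinKeyBits {
    # Current minimum in bits, or $null when the value is absent
    # (absent means the OS default applies).
    if (-not (Test-Path $DhKeyPath)) { return $null }
    $item = Get-ItemProperty -Path $DhKeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DhClientMinKeyBits {
    param([int]$Bits = 0x200)   # 0x200 = 512, the value used in the post

    $before = Get-DhClientMinKeyBits
    if (-not (Test-Path $DhKeyPath)) {
        # Step 2: the Diffie-Hellman key does not exist by default.
        New-Item -Path $DhKeyPath -Force | Out-Null
    }
    # Steps 3 to 6: create or overwrite the DWORD.
    New-ItemProperty -Path $DhKeyPath -Name $ValueName -PropertyType DWord -Value $Bits -Force | Out-Null

    # Keep the Before value; it is what you need to revert this later.
    [pscustomobject]@{
        Before = $before
        After  = Get-DhClientMinKeyBits
    }
}

function Get-DhUpdateStatus {
    # Solution 1 removes these two updates; this only reports whether they are
    # installed, so you can see which of the two solutions applies to this host.
    foreach ($kb in 'KB3161606', 'KB3161608') {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        [pscustomobject]@{ Update = $kb; Installed = ($null -ne $hf) }
    }
}

Get-DhUpdateStatus
Set-DhClientMinKeyBits                                   # writes 0x200 and shows before/after
Get-Service -DisplayName '*User Agent*' | Restart-Service   # step 7 (assumed display-name match)
```

After the restart, step 8 still applies: confirm that logins appear again under Analysis > Users > User Activity on the FMC, and re-run Get-DhClientMinKeyBits later to confirm nobody has silently changed the value back.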

Marvin Rhoads (Hall of Fame)

@jeffrey.cheah,

Thanks for sharing the solutions. I'm sure it will help other folks encountering the same issue.

I've had similar issues with not only SFUA but also with the old AD Agent and CDA utilities that similarly query AD for identity-IP mapping.

Long term, Cisco is moving to ISE for this functionality as it sits between the user and AD as the enforcer of network access control. For customers without a full ISE implementation, we hope to see a lightweight version that leverages the deeper rich integration that ISE's AD connector uses for passive identity collection only. 
