Install Cisco Firepower User Agent for Active Directory.

n.avramenko87
Level 1

Hello! I have one problem. I installed this agent on Active Directory. (The service is running with domain admin rights.)

In FireSight:

In Policy > Users I added FirePowerAgent (it found Active Directory, all good!) and User Agent (here I checked the IP address of the AD server).

In Firepower User Agent for Active Directory:

In Cisco Firepower User Agent for Active Directory I added the host (the AD server), all good, it has status "available".

In the FP Management Center I added FireSight. But after a few minutes its state became "unavailable".

I have this log: "Unable to report heartbeat to 192.168.0.100. - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond"

But I see that all devices are available. What does it mean? Thank you!!!

Accepted Solution

jeffrey.cheah
Level 1

Hi,

I have the same issue, and in the debug log I found the following:

24/11/2016 10:18 debug [2201] - Report login information from   localhost to 10.11.0.243 failed after 24/11/2016 9:20:11 AM. [A call to SSPI failed, see inner exception.].
24/11/2016 10:18 error [2201] - Report login information from   localhost to 10.11.0.243 failed after 24/11/2016 9:20:11 AM. [A call to SSPI failed, see inner exception.].


Solution 1:

Uninstall Microsoft updates KB3161606 and KB3161608 (do not forget to prevent them from reinstalling).

Solution 2:

  1. Edit the registry:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\
  2. Add the new Key named "Diffie-Hellman".
  3. Under the newly created Key, add a DWORD Value.
  4. Type "ClientMinKeyBitLength" for the name of the DWORD, and then press Enter.
  5. Right-click ClientMinKeyBitLength, and then click Modify.
  6. In the Value data box, type "200" in Hex, and then click OK.
  7. Restart the Agent service and everything will start working again.
  8. Check authentication logs on FMC under Analysis > Users > User Activity.

Thanks.
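The registry procedure in Solution 2, as an added PowerShell example (not code from the thread or from Cisco): it reads back the current SChannel setting before and after applying it, so the change can be verified and reverted. Note that the "200 in Hex" from step 6 is 0x200 = 512 decimal bits, which is below the 1024-bit client minimum that KB3161606/KB3161608 introduced; the service name is a placeholder assumption, since the thread does not give it.

```powershell
# Added example: inspect and optionally apply the ClientMinKeyBitLength
# value from the accepted solution, with a readback check. Run elevated
# on the User Agent host. $AgentService is a placeholder (assumption),
# not the real service name of the Cisco Firepower User Agent.
param(
    [switch]$Apply,
    [string]$AgentService = 'PLACEHOLDER-UserAgentServiceName'
)

$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$Name  = 'ClientMinKeyBitLength'
$Value = 0x200   # the thread's "200 in Hex" = 512 decimal bits

function Get-DhClientMinBits {
    # Returns $null when the key or the value does not exist yet.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$current = Get-DhClientMinBits
if ($null -eq $current) {
    Write-Host "$Name is not set; SChannel uses its built-in minimum (1024 bits after KB3161606/KB3161608)."
} else {
    Write-Host ("{0} currently = {1} bits (0x{1:X})" -f $Name, $current)
}

if ($Apply) {
    # Create the Diffie-Hellman key if missing (step 2), then the DWORD (steps 3-6).
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null

    # Verify the write before touching the service.
    $after = Get-DhClientMinBits
    if ($after -ne $Value) { throw "Readback mismatch: expected $Value, got $after" }
    Write-Host "$Name set to $after bits; restarting service '$AgentService' (step 7)."
    Restart-Service -Name $AgentService
}
```

Run without `-Apply` first to record the existing value; the same script with `-Apply` makes the change and restarts the agent, after which the FMC logs under Analysis > Users > User Activity (step 8) show whether logins are being reported again.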


42 Replies

Jetsy Mathew
Cisco Employee

Hello Team,

It looks from the logs of the Cisco Firepower User Agent that the connectivity from the User Agent to the Firepower Management Center was inconsistent, but sometimes working. I would advise checking the network path between the FMC and the User Agent system to ensure that TCP port 3306 (on which the User Agent connects to the FMC) is not being blocked in any way.

I also recommend ensuring that the FMC is properly configured to accept connections from the User Agent.

Here is the user installation guide once again:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118131-technote-sourcefire-00.html

Please review the following link to make sure that the configuration has been done properly.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118738-configure-firesight-00.html

If the issue persists, kindly uninstall and install the User Agent once again.

Rate if this post and answer helps you

Regards

Jetsy 

Thank you for your help! 

I thought there were differences between "Sourcefire User Agent monitors Microsoft Active Directory" and "User Agent".

Hello Team,

I hope everything is clear for you now.

Feel free to let me know if you have any questions.

Rate and mark correct if this post and answer helps you

Regards

Jetsy 

I tried installing version 2.2. Now I am having another error in the logs: "Unable to report heartbeat to 192.168.0.100. - Unable to connect to any of the specified MySQL hosts."

Hello Team,

If you are reinstalling, please use Sourcefire User Agent version 2.3, which is more stable than 2.2. So please install the 2.3 Sourcefire User Agent.

For the error "Unable to connect to any of the specified MySQL hosts":

Clearly, this indicates that something is blocking the connection from the system where the User Agent is running to the Firepower Management Center. The User Agent system must be able to send traffic to the FMC on TCP port 3306. Additionally, the FMC needs to have the User Agent configured on it, that is, within the user policy the User Agent needs to be configured. This is how the FMC knows to allow incoming connections on TCP port 3306 from the system where the User Agent is running.

Rate if the post helps you

Regards

Jetsy 

OK! I will try! And tell you my result. Thank you!

Sure ...No worries

I installed version 2.3. Now the sensor is available for a few minutes only. And I have another error in the logs:

"An error occured while fetching encryption bytes from 'C:\UserAgentEncryptionBytes.bin': Specified key is not a valid size for this algorithm.."

I think maybe the problem is with the antivirus. I will try to switch it off...

Hello Team,

Make sure that the user you are using to run the User Agent has all the admin privileges. Preferably use Administrator itself.

Try restarting the Firepower User Agent service as administrator and see whether its status stays continuously available or not.

Also switch off the antivirus if it is blocking the file.

Rate if the post helps you

Regards

Jetsy

THANK YOU! ALL GOOD! The problem was with the antivirus. How long does it take for the agent to collect information about users?

Hello,

It's based on the polling interval.

What have you set the polling interval time to in AD?

Regards

Jetsy 

I have 1 min for polling and 1 hour for max polling.

Hello Team ,

It's fine as of now.

Regards

Jetsy 

Hello ,

Are all your queries clear?

Regards

Jetsy 
