Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3315
Views
10
Helpful
4
Replies

Sourcefire 6.0 / FireSIGHT MC 6.0 - Users Not Populating

Go to solution
Keith Joel
Level 1
Level 1

‎02-02-2016 11:10 AM - edited ‎03-12-2019 05:53 AM

Edit: moved to Sourcefire category.

---

Hi All,

Wondering if somebody can lead me in the right direction here, I have a customer running Sourcefire 6.0 with the FireSIGHT MC and am having an issue with the IP to User mapping.  Under Analysis > Users > Users I don't have any records.  I've gone in and setup the "realm" under itnegration which tests out ok, and setup the user download which pulls down the groups so I know the linkage for the "realm" is there.  The tasks show LDAP synch with 2 groups and 293 Users successful.  Identity Policy was setup with passive authentication and the User Agent on the active directory system is installed and tested successfully.  I noticed the following in the syslogs stored locally (changed hostname and users) and I'm wondering if it has something to do with it?

Feb 02 2016 12:31:36 HOSTNAME SF-IMS[30127]: [30170] SFDataCorrelator:UserIdentity [WARN] Unable to find realm for user user1, domain XX
Feb 02 2016 12:31:35 HOSTNAME SF-IMS[30127]: [30172] SFDataCorrelator:UserIdentity [WARN] Unable to find realm for user user2, domain XX

Any other information required let me know.

Thanks,

Keith

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎02-03-2016 04:06 PM

Hi,

Check this : https://tools.cisco.com/bugsearch/bug/CSCux39125/?reffering_site=dumpcr

To get users correctly associating with their IP addresses, the fix is to change the "AD Primary Domain" field in the Realm configuration to the short name of the domain. This name is visible in the message found in /var/log/messages .

After changing this field, save the realm configuration and  make sure that user download continues to work as expected. 

 

Regards,

Aastha Bhardwaj

Rate if that helps!!!

View solution in original post

4 Replies 4

Go to solution
Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎02-03-2016 04:06 PM

Hi,

Check this : https://tools.cisco.com/bugsearch/bug/CSCux39125/?reffering_site=dumpcr

To get users correctly associating with their IP addresses, the fix is to change the "AD Primary Domain" field in the Realm configuration to the short name of the domain. This name is visible in the message found in /var/log/messages .

After changing this field, save the realm configuration and  make sure that user download continues to work as expected. 

 

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Go to solution
Keith Joel
Level 1
Level 1
In response to Aastha Bhardwaj

‎02-04-2016 12:21 PM

Bingo.  That did it, thanks so much.  

Given the bug is resolved in a future update, will the domain need to be changed back from the short name?

0 Helpful

Go to solution
Aastha Bhardwaj
Cisco Employee
Cisco Employee
In response to Keith Joel

‎02-05-2016 09:43 AM

Hi,

Yes later if you upgrade the FMC to the version on which it is resolved you should be able to change the name back to what it was originally.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

0 Helpful

Go to solution
Jarvis IT
Level 1
Level 1

‎02-17-2016 09:29 PM

Thankfully I stumbled across this today, I have had a SR open for a couple of weeks now after integrating ISE v1.4 and Source fire v6.0 through PXGrid. Once I changed this I started to see the users populate with a realm! Thank you!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card