User Agent (DC 5.3, Agent 2.2)

nathan.ollis
Level 1

Having problems with the user agent/AD integration.  I have installed the user agent on a Windows 2008 box, it seems to be communicating with the DC servers fine.  When going from the agent to the DC is where it seems the problem is.  I added the IP on the DC, added the DC on the agent...get nothing.  I can telnet to port 3306 on the DC from the user agent machine fine and get the Got packets out of order message like is said in the troubleshooting guide.


Any suggestions?  I turned on debugging and logging on the agent and there are no errors listed and it says start DC chk, end DC chk...

8 Replies

nathan.ollis
Level 1

So I figured out that it does actually connect to the DC...just no users populate.  Now on to figuring that out...from the logs it looks like the agent is actually only polling the DC and User Agent.

I'm seeing the same issue.

I'll be interested to hear if you're able to resolve it.

I am getting nowhere.  Sourcefire tech support has gone around in circles, asking me to check the configuration guides.  The thing about it is, I can try a domain admin account and it still does not work...which is the majority of the guide.  The tech agreed that there is no reason for it not to work with a domain admin account...on the third day waiting for a response now.


The first thing I found was that we did not have logon event auditing enabled.  I really thought that was the issue...

I had the same problem and unfortunately didn't find the answer. I installed it on a Win 2012 and it's working now.

We actually have 2012 on one box, still got nothing from it.  Did you install the client on the DC itself?  I am trying to go from a Server 2008 box with the UA, connecting to the DC remotely.

Hi,


Not sure if this helps, but there is a known bug with v2.2.18 of the UA software which doesn't populate events unless the date format is set to US locale on the Domain Controller. I've seen it where events aren't logged at all, or events are generated but only on the first 12 days of the month (I assume there's an issue with the logic in the parser for the logs; once you hit the 13th it bugs out - UK locale anyway, depends on your date format).


Info here:

If you use the dd/mm/yyyy date format on your Microsoft Active Directory (AD) server, the system sets the Active Directory server status to pending and fails to generate events. As a workaround, use the mm/dd/yyyy format on your AD server. (137315)


Other common issues are as you have correctly stated. Ensure the relevant Windows EventIDs for logon/logoff events are generated in the Windows security event logs.


Also, if the agent and DC/FSM are separated by a NAT device, you need 2 entries in the User Agents section on the DC/FSM: one for the pre-NAT address and one for the post-NAT address.


Thanks,


Do not know if you finally got yours to work.  Ours was an auditing problem on the Domain Controller.  If you do not have to log logon and logoff events on all of your DCs...it will not work.


Hopefully you are good by now though...
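The two replies above point at the same three conditions on the Domain Controller: logon/logoff auditing actually enabled, the resulting events present in the Security log, and (per the 137315 workaround) an mm/dd/yyyy short date format. The script below is an added example for checking those conditions from an elevated PowerShell session on a DC; it is not from this thread, the User Agent, or Cisco/Sourcefire documentation. It uses only built-in tooling (auditpol, Get-WinEvent, Get-Culture); the event IDs 4624 (logon) and 4634 (logoff) and the one-hour lookback window are assumptions, and the culture check reports the session you run it in, which may differ from the account the agent uses to read the log.

```powershell
# Added example (not from the thread or from Cisco/Sourcefire). Run elevated on each DC.
# Checks: 1) Logon/Logoff audit policy, 2) recent 4624/4634 events, 3) short date format.

$subcategories = @('Logon', 'Logoff')   # assumption: these two subcategories are what matters

# 1. Audit policy: auditpol prints one line per subcategory with its current setting
foreach ($sub in $subcategories) {
    $line = auditpol /get /subcategory:$sub | Where-Object { $_ -match "^\s+$sub\s" }
    if ($line -match 'Success') {
        Write-Host "[OK]   '$sub' success auditing is enabled"
    } else {
        Write-Warning "'$sub' success auditing is NOT enabled: $($line.Trim())"
        Write-Host "       Enable with: auditpol /set /subcategory:`"$sub`" /success:enable"
    }
}

# 2. Events really landing in the Security log: 4624 = logon, 4634 = logoff (assumed IDs)
$since = (Get-Date).AddHours(-1)
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since } `
                           -ErrorAction Stop
    Write-Host "[OK]   $($events.Count) logon/logoff events in the Security log since $since"
} catch {
    # Get-WinEvent raises an error when the filter matches no events at all
    Write-Warning "No 4624/4634 events since $since - the User Agent has nothing to report"
}

# 3. Short date pattern of the current session (month-first matches the mm/dd/yyyy workaround)
$pattern = (Get-Culture).DateTimeFormat.ShortDatePattern
if ($pattern -like 'M*') {
    Write-Host "[OK]   Short date pattern is '$pattern' (month first)"
} else {
    Write-Warning "Short date pattern is '$pattern'; the 137315 workaround wants mm/dd/yyyy on the AD server"
}
```

Run it on every DC the agent is configured against, since the reply above notes that auditing has to be on across all of them; a warning from step 1 is the cheapest thing to fix first, and step 2 confirms the fix is producing events before you go back to the agent side.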

I had the same problem but it started working over the weekend.  I have the agent installed on an app server and it reports that things are working, connecting to our AD servers and to FireSIGHT.

Go to analysis -> users -> User Activity.  I think I was getting data there but it wasn't matching.  I watched a couple videos from http://www.labminutes.com/video/sec/ASA%20FirePower and configured some of the access rules to process more data then all my charts started populating.
