User Agent on Windows 2016

Nandan Mathure
Level 1

Hi!

I have an error when connecting to AD Server Windows 2016. I have followed all the steps in "https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html" but still get this error: "unable to reach security logs on x.x.x.x"

Adding an image to get a better understanding of the issue. I read somewhere in the forum that although Cisco doesn't support Windows 2016, some users were able to deploy it on Windows 2016 Server. Kindly share your thoughts about how I can overcome this issue.

 

Thanks,

Nandan

 

unable to read the security logs1.png

2 Accepted Solutions


yogdhanu
Cisco Employee

Hi Nandan,

 

I have seen implementations where Windows 2016 does work with user agent. Although there is no official doc which says it's not.

For the issue you have, I would suggest the following.

For just a test, add a user with domain admin privilege and check if that works. If it does, the issue is with user privilege.

Check if there are indeed logon events on AD with event ID 4624. If not, you would need to check audit log policy at group/AD level.

You can also enable debug mode in user agent logging, which can give more details about any errors on the agent itself.

Another way would be to go to Event Viewer on the same PC/server where you are installing the agent. Use the "Connect to another computer" option with the same credentials and check if you can read the security logs (event ID 4624 and 4634).

Another thing to keep in mind: if you have the agent on the Server 2016 which has AD as well, you cannot use an IP address there. Instead "localhost" needs to be used.

 

Hope it helps,

Yogesh
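
The checks suggested in the answer above (confirm that 4624/4634 events exist and that the agent's account can read the Security log) can be scripted. This is an added example, not part of the original thread and not Cisco tooling; the function name `Test-SecurityLogRead`, the 24-hour lookback and the sample host name are assumptions. It reads the log through the event log service, as Event Viewer does.

```powershell
# Added example: checks whether an account can read logon/logoff events
# (4624/4634) from a domain controller's Security log.
# Test-SecurityLogRead is a hypothetical helper name, not a Cisco tool.
function Test-SecurityLogRead {
    param(
        [string]$ComputerName = 'localhost',   # use localhost when run on the DC itself
        [pscredential]$Credential,             # the account configured in the User Agent
        [int]$LookbackHours = 24               # assumed window
    )

    $getArgs = @{
        FilterHashtable = @{
            LogName   = 'Security'
            Id        = 4624, 4634
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        }
        MaxEvents   = 500
        ErrorAction = 'Stop'
    }
    # Only go remote (and pass credentials) when the target is not this machine.
    if ($ComputerName -notin 'localhost', '.', $env:COMPUTERNAME) {
        $getArgs.ComputerName = $ComputerName
        if ($Credential) { $getArgs.Credential = $Credential }
    }

    try {
        $events = @(Get-WinEvent @getArgs)
        $byId   = ($events | Group-Object Id | Sort-Object Name |
                   ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        $status, $detail = 'OK', "Read $($events.Count) events ($byId)"
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # Log is readable but has none of these IDs: check audit policy on the DC,
            # e.g. from an elevated prompt: auditpol /get /category:"Logon/Logoff"
            $status, $detail = 'NoEvents', 'Security log readable, but no 4624/4634 events; check audit policy'
        }
        elseif ($_.Exception -is [System.UnauthorizedAccessException]) {
            $status, $detail = 'AccessDenied', 'Account cannot read the Security log; check its privileges'
        }
        else {
            $status, $detail = 'Error', $_.Exception.Message
        }
    }
    [pscustomobject]@{ Target = $ComputerName; Status = $status; Detail = $detail }
}

# Remote form (dc01.example.local is a placeholder host name):
# Test-SecurityLogRead -ComputerName dc01.example.local -Credential (Get-Credential)
Test-SecurityLogRead
```

Run it from an elevated Windows PowerShell session, since reading the local Security log needs administrative rights or Event Log Readers membership.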

 


I have it working on my Server 2016. 

 

Like @yogdhanu said, you definitely need to use localhost if you're running it on the DC itself. That's a WMI limitation, not user agent per se.


Thanks Yogesh and Marvin :)

Adding "localhost" instead of the IP address helped.

But now I am stuck at "pending state". I have also disabled the DC Windows firewall but still it didn't help.

Any suggestions?

PS: Screenshot was captured when other changes were unsaved. I did save the changes and still, 1 day after, I am on pending state both for AD as well as FMC.

User Agent AD Pending.PNG

Have you installed both components - the User Agent and the SQL Express bit?

 

What domain user account are you using? If it's other than a domain admin user, have you tested it as a WMI user as indicated in the setup guide?

 

https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3/ConfigAgent.html#45466

 

There is also a troubleshooting tool in the installation directory. It's "tools.exe". Launch it and check the various tabs to get some insight into what bit might be broken.

User Agent and SQL have been installed. Also, the user is from the AD DC Admin group.

OK, let me check tools.exe and I will get back with the results.

 

Thanks,

Nandan Mathure

 
