User Agent on Windows 2016

Hi !

 

I have an error when connecting to an AD server on Windows 2016. I have followed all the steps in "https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html" but still get this error: "unable to reach security logs on x.x.x.x"

 

Adding an image to give a better understanding of the issue. I read somewhere in the forum that although Cisco doesn't support Windows 2016, some users were able to deploy it on Windows 2016 Server. Kindly share your thoughts about how I can overcome this issue.

 

Thanks,

Nandan

 

unable to read the security logs1.png

Accepted Solutions
Cisco Employee

Hi Nandan,

 

I have seen implementations where Windows 2016 does work with the User Agent, although there is no official doc which says it's not.

For the issue you have, I would suggest the following.

For just a test, add a user with domain admin privilege and check if that works. If that does, issue is with user privilege.

Check if there are indeed logon events on AD with event ID 4624. If not, you would need to check audit log policy at group/AD level.

You can also enable debug mode in user agent logging which can give more details about the errors if any on the agent itself.

 

Another way would be to go to Event Viewer on the same PC/server where you are installing the agent. Use the "Connect to another computer" option with the same credentials and check if you can read the security logs (event IDs 4624 and 4634).

Another thing to keep in mind is that if you have the agent on the Server 2016 which has AD as well, you cannot use an IP address there. Instead "localhost" needs to be used.

 

Hope it helps,

Yogesh
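The checks suggested in the reply above can be scripted. This is an added example, not part of the original thread and not Cisco tooling; the host name is a placeholder and the parameter names are hypothetical. It reads the remote Security log with `Get-WinEvent`, which mirrors the Event Viewer "Connect to another computer" test rather than the WMI path the agent uses, and separates a privilege problem from a missing audit policy.

```powershell
# Added example. Run from the machine where the User Agent is installed.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder, not from the thread
    [int]$LookbackMinutes = 60
)

# Enter the same account that is configured in the User Agent.
$cred = Get-Credential -Message 'Account configured in the User Agent'

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4634   # logon and logoff events named in the thread
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

try {
    $events = Get-WinEvent -ComputerName $DomainController -Credential $cred `
                           -FilterHashtable $filter -MaxEvents 500 -ErrorAction Stop
    # Per-event-ID counts show whether both logon and logoff are being audited.
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
    "OK: the account can read the Security log on $DomainController."
}
catch {
    if ($_.Exception -is [System.UnauthorizedAccessException]) {
        # Matches the "issue is with user privilege" case from the reply.
        "DENIED: the account cannot read the Security log on $DomainController."
    }
    elseif ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        # Log is readable but empty for these IDs: audit policy is the suspect.
        "EMPTY: no 4624/4634 events in the last $LookbackMinutes minutes."
        'On the DC, check: auditpol /get /subcategory:"Logon"'
    }
    else {
        # Name resolution, firewall or RPC problems end up here.
        "ERROR: $($_.Exception.Message)"
    }
}
```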

 


I have it working on my Server 2016. 

 

Like @yogdhanu said, you definitely need to use localhost if you're running it on the DC itself. That's a WMI limitation, not user agent per se.

Thanks Yogesh and Marvin :)

 Adding "localhost" instead of the IP address helped.

 

But now I am stuck at "pending state". I have also disabled the DC Windows firewall but it still didn't help.

 

Any suggestions?

PS: The screenshot was captured when other changes were unsaved. I did save the changes and 1 day later I am still in pending state for both AD and FMC.

User Agent AD Pending.PNG

Have you installed both components - the User Agent and the SQL Express bit?

 

What domain user account are you using? If it's other than a domain admin user, have you tested it as a WMI user as indicated in the setup guide?

 

https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3/ConfigAgent.html#45466

 

There is also a troubleshooting tool in the installation directory. It's "tools.exe". Launch it and check the various tabs to get some insight into what bit might be broken.

User Agent and SQL have been installed. Also, the user is from the AD DC Admin group.

OK, let me check tools.exe and I will get back with the results.

 

Thanks,

Nandan Mathure

 
