11-28-2023 07:31 AM
FMC: v7.3.0 (build 69)
FTD 1120: v7.2.5
ISE-PIC: 3.2.0.542, Patch 4
We have a new integration between ISE-PIC and FMC that we are trying to use in policy. I can see some users are shown in the Unified Events, but many entries show as "Not Found".
For one of the users I am testing with, I see the username and IP in ISE-PIC. I also see the username and IP in FMC's Active Sessions page and the values match ISE. However, when I look at the Unified Event log and match on the source IP that user is bound to, the events show as "Not Found" as the source user. In the FMC Users page, I see the user with an Active Session Count of 1, but the Available For Policy column shows "no".
Several other users are showing correctly profiled in the Source User column of the Unified Events. When I cross reference these users to the FMC Users page, the Available For Policy column shows "yes". Not sure why FMC seems to have all the usernames and IPs, but can't use them all for policy.
12-12-2023 10:49 PM
It seems like there might be an issue with the User Identity policy that is preventing some users from being used in policy, even though their details are being correctly retrieved from ISE-PIC. This might require a closer look and troubleshooting.
Here are a few things you might want to check or consider:
Check the User Identity Policy: Ensure that the User Identity policy applied on the relevant interfaces includes the users that are not being found. You might need to add user groups or specific users to the policy.
Check the ISE-PIC Integration: Ensure that the integration between ISE-PIC and FMC is configured correctly and that the communication between them is working properly.
Check the Session Timeout Settings: The "Available For Policy" attribute might be affected by the session timeout settings. If the user's session has timed out on the FMC, it might show as "Not Found" in the Unified Event log.
Check for Conflicts: If there are conflicts between the user-to-IP mappings retrieved from different sources (like ISE-PIC and AD), FMC might not be able to resolve the correct user.
Software Bug: It's possible that you might be encountering a software bug. If you have checked everything else and the issue persists, you might want to consider contacting Cisco's technical support team.
Remember to perform any configuration changes during a maintenance window to avoid disrupting network operations.
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
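Added example (not from the reply above or from Cisco): a small Python triage script that walks the checklist in the reply by correlating four constructed exports, the ISE-PIC session table, the FMC Active Sessions page, the FMC Users page, and Unified Events, and tags each "Not Found" source IP with the first check that fails. All usernames, IPs, field names and the dict-shaped exports are assumptions; a practitioner would load the real data from CSV exports or the management API instead.

```python
"""Triage "Not Found" source users in FMC Unified Events.

Classifies each "Not Found" event by the first point in the
ISE-PIC -> FMC Active Sessions -> FMC Users (Available For Policy)
chain where the user-to-IP binding is lost.  All records below are
constructed sample data, not output from a real deployment.
"""

# Constructed export of ISE-PIC sessions: IP -> username
ISE_PIC_SESSIONS = {
    "10.1.1.10": "alice",
    "10.1.1.11": "bob",
    "10.1.1.12": "carol",
}

# Constructed export of the FMC Active Sessions page: IP -> username
FMC_ACTIVE_SESSIONS = {
    "10.1.1.10": "alice",
    "10.1.1.11": "bob",
}

# Constructed export of the FMC Users page (hypothetical column names)
FMC_USERS = {
    "alice": {"active_session_count": 1, "available_for_policy": True},
    "bob": {"active_session_count": 1, "available_for_policy": False},
}

# Constructed Unified Events rows (hypothetical column names)
UNIFIED_EVENTS = [
    {"src_ip": "10.1.1.10", "source_user": "alice"},
    {"src_ip": "10.1.1.11", "source_user": "Not Found"},
    {"src_ip": "10.1.1.12", "source_user": "Not Found"},
    {"src_ip": "10.1.1.13", "source_user": "Not Found"},
]

# Which item of the troubleshooting checklist each finding points at
NEXT_STEP = {
    "no-ise-session": "ISE-PIC has no session for this IP: check ISE logs / session timeout",
    "not-in-fmc-sessions": "ISE-PIC knows the IP but FMC does not: check the ISE-PIC integration",
    "user-mismatch": "ISE-PIC and FMC disagree on the user: check for conflicting identity sources",
    "not-available-for-policy": "FMC has the session but Available For Policy is no: check realm / identity policy",
    "ok": "binding looks healthy; event is older than the session or the policy is not applied here",
}


def classify(src_ip, ise_sessions, fmc_sessions, fmc_users):
    """Return the first failing check for one source IP."""
    if src_ip not in ise_sessions:
        return "no-ise-session"
    if src_ip not in fmc_sessions:
        return "not-in-fmc-sessions"
    user = fmc_sessions[src_ip]
    if ise_sessions[src_ip] != user:
        return "user-mismatch"
    if not fmc_users.get(user, {}).get("available_for_policy", False):
        return "not-available-for-policy"
    return "ok"


def triage(events, ise_sessions, fmc_sessions, fmc_users):
    """Map each distinct 'Not Found' source IP to its classification."""
    result = {}
    for event in events:
        if event["source_user"] != "Not Found":
            continue
        ip = event["src_ip"]
        result[ip] = classify(ip, ise_sessions, fmc_sessions, fmc_users)
    return result


if __name__ == "__main__":
    findings = triage(UNIFIED_EVENTS, ISE_PIC_SESSIONS, FMC_ACTIVE_SESSIONS, FMC_USERS)
    for ip, finding in sorted(findings.items()):
        print(f"{ip:<12} {finding:<26} {NEXT_STEP[finding]}")
```

The order of the checks matters: an IP that ISE-PIC never learned is a different problem from a user FMC holds but will not release to policy, and the symptom the original poster describes (Active Session Count 1, Available For Policy "no") lands in the last bucket, which is why the integration-level checks come first.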
03-28-2024 07:37 AM
Did you resolve this issue? I have the same problem.
TAC is not helping with this
10-03-2024 05:28 PM
Same issue here as well, any help from TAC?
10-04-2024 06:02 AM
@Shamrock do you see the endpoints in question in your ISE logs?
10-15-2024 07:59 PM
I'm having a similar problem: the FMC started to not recognize the user after I started doing posture in VPN with Cisco ISE. Any ideas of what could be happening?