Cisco FirePOWER Management Center: ‘Initiator User’ is Unknown

I’ve discovered this problem today after several months of the system being in production without any issues (other than the one in this post).

All of a sudden rules linked to user authentication stopped working. I immediately checked AD Agent for health and all was well. Below is what appeared on Connections > Events > Table view of connection events.

firepower-initiator-user-is-unknown-1

Rebooting Management Center (MC) and AD Agent did not make any difference.Weird enough I was still getting User Activity results which indicated agent was working.

Components:
Firepower Management Center: 6.0.1.2
Firepower User Agent for AD v2.3.10

Looking around I found a Cisco bug posted on this issue however I wanted to provide visual aid because it took me a bit to stumble through this one. Bug info here.

According to the bug, issue was fixed in 6.0.1.2. I’m running 6.0.1.2 and still had to implement a workaround to get it working.

Workaround:
Set the active directory domain in the realm configuration to be the short name (NetBIOS).
Alternatively, in the AD User Agent, set the domain field in the Active Directory server configuration to match the domain in the realm.

I went with the alternative. If you have server already added and configured then delete it. When you add domain controller to AD Agent, Domain field defaults to the short name (NetBIOS) and it looks similar to this.

firepower-initiator-user-is-unknown-2

What you need to do is make it match domain in Realm Configuration tab on MC which probably looks similar to this.

firepower-initiator-user-is-unknown-4

Go back to the AD Agent and while adding server change Domain field to look same as above.

firepower-initiator-user-is-unknown-3

Once I’ve updated AD server domain setting all started working again.

 

 

 

Leave a reply:

Your email address will not be published.

Site Footer

Sliding Sidebar