If you notice unexpected server connection behavior, consider tuning your realm configuration, device settings, or server settings. For other related troubleshooting information, see:
Symptom: Access control policy doesn't match group membership
This solution applies to an AD domain that is in a trust relationship with other AD domains. In the following discussion, external domain means a domain other than the one to which the user logs in.
If a user belongs to a group defined in a trusted external domain, Firepower doesn't track membership in the external domain. For example, consider the following scenario:
Domain controllers 1 and 2 trust each other
Group A is defined on domain controller 2
User mparvinder in controller 1 is a member of Group A
Even though user mparvinder is in Group A, the Firepower access control policy rules specifying membership Group A don't match.
Solution: Create a similar group, Group B, in domain controller 1 that contains all domain 1 accounts that belong to Group A. Change the access control policy rule to match any member of Group A or Group B.
Symptom: Access control policy doesn't match child domain membership
If a user belongs to a domain that is a child of a parent domain, Firepower doesn't track the parent/child relationship between domains. For example, consider the following scenario:
Even though user mparvinder is in a child domain, Firepower access control policy rules matching parent.com don't match mparvinder in the child.parent.com domain.
Solution: Change the access control policy rule to match membership in either parent.com or child.parent.com.
Symptom: Realm or realm directory test fails
The Test button on the directory page sends an LDAP query to the hostname or IP address you entered. If it fails, check the following:
The Test AD Join button on the realm configuration page verifies the following:
DNS resolves the AD Primary Domain to an LDAP server or Active Directory domain controller’s IP address.
The AD Join Username and AD Join Password are correct.
AD Join Username must be fully qualified (for example, firstname.lastname@example.org, not
The user has sufficient privileges to create a computer in the domain and join the Firepower Management Center to the domain as a Domain Computer.
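The checks above can be rehearsed before pressing Test AD Join. The following script is an added example, not Cisco's code or part of the Firepower product: it validates that the AD Join Username is fully qualified and that DNS resolves the AD Primary Domain to at least one address. The comparison of the username's domain part against the AD Primary Domain is an assumption added here as a sanity check, not a documented requirement, and the privilege check (rights to create a computer object) cannot be tested offline and is left to the real join.

```python
import re
import socket

# Added example (not Cisco's code): pre-flight checks that mirror what the
# Test AD Join button verifies, so the easy causes can be ruled out first.

# user@domain.tld, with at least one dot in the domain part
UPN_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def check_join_username(username, primary_domain):
    """Return a list of problems with the AD Join Username (empty means OK).

    The page requires the name to be fully qualified (user@domain). Comparing
    the domain part with the AD Primary Domain is an extra sanity check assumed
    here, not a documented Firepower requirement.
    """
    problems = []
    match = UPN_RE.match(username)
    if not match:
        problems.append(
            "AD Join Username is not fully qualified (expected user@domain.tld)")
        return problems
    if match.group(1).lower() != primary_domain.lower():
        problems.append("Username domain %r does not match AD Primary Domain %r"
                        % (match.group(1), primary_domain))
    return problems


def check_primary_domain_dns(primary_domain, resolve=socket.getaddrinfo):
    """Return the sorted IP addresses the AD Primary Domain resolves to, or [].

    `resolve` defaults to the system resolver; a fake resolver can be injected
    to exercise the logic offline.
    """
    try:
        # Port 389 (LDAP) is only a placeholder; host resolution is what matters.
        infos = resolve(primary_domain, 389)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def preflight(username, primary_domain, resolve=socket.getaddrinfo):
    """Combine both checks and return every problem found (empty means OK)."""
    problems = check_join_username(username, primary_domain)
    if not check_primary_domain_dns(primary_domain, resolve):
        problems.append(
            "DNS does not resolve AD Primary Domain %r to any address" % primary_domain)
    return problems


if __name__ == "__main__":
    # Constructed sample values; example.org is a reserved documentation domain.
    for problem in preflight("firstname.lastname@example.org", "example.org"):
        print("PROBLEM:", problem)
```

An empty result from `preflight` means only the credential and privilege checks remain, which the Test AD Join button itself performs against the domain controller.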
Symptom: User timeouts are occurring at unexpected times
If you notice the system performing user timeouts at unexpected intervals, confirm that the time on your User Agent, ISE/ISE-PIC or TS Agent server is synchronized with the time on the Firepower Management Center. If the appliances are not synchronized, the system may perform user timeouts at unexpected intervals.
Symptom: Users are not included or excluded as specified in your realm configuration
If you configure an Active Directory realm that includes or excludes users who are members of a sub-group on your server, note that Microsoft Windows servers limit the number of users they report:
If necessary, you can modify your server configuration to increase this default limit and accommodate more users.
Symptom: Users are not downloaded
Possible causes follow:
If you have the realm Type configured incorrectly, users and groups cannot be downloaded because of a mismatch between the attribute the Firepower system expects and what the repository provides. For example, if you configure Type as LDAP for a Microsoft Active Directory realm, the Firepower system expects the uid attribute, which is set to none on Active Directory. (Active Directory repositories use sAMAccountName for the user ID.)
Solution: Set the realm Type field appropriately: AD for Microsoft Active Directory or LDAP for another supported LDAP repository.
Users in Active Directory groups that have special characters in the group or organizational unit name might not be available for identity policy rules. For example, if a group or organizational unit name contains the characters asterisk (*), equals (=), or backslash (\), users in those groups are not downloaded and can't be used for identity policies.
Solution: Remove special characters from the group or organizational unit name.
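Because every distinguished name contains `=` as the attribute separator, a naive text search for the problem characters flags every group. The following script is an added example, not Cisco's code: it parses each DN into its RDNs, decodes the RFC 4514 backslash escapes, and reports only CN and OU values that contain an asterisk, equals sign or backslash, so that an exported group list can be audited before the realm download. The sample DNs are constructed; multi-valued RDNs joined with `+` are not handled.

```python
# Added example (not Cisco's code): audit AD group and OU names for the
# characters the troubleshooting text says block user download: * = \

PROBLEM_CHARS = set("*=\\")


def split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped characters untouched."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(ch)
            current.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def unescape_rdn_value(value):
    """Decode RFC 4514 escapes: '\\XX' hex pairs (UTF-8 bytes) and '\\c'."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(int(pair, 16))
                i += 3
                continue
            buf += value[i + 1].encode("utf-8")
            i += 2
            continue
        buf += value[i].encode("utf-8")
        i += 1
    return buf.decode("utf-8")


def parse_dn(dn):
    """Return [(ATTR, decoded value), ...] for a DN string."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, _, raw = rdn.partition("=")
        rdns.append((attr.strip().upper(), unescape_rdn_value(raw)))
    return rdns


def problem_names(dn):
    """Return (attr, value, offending chars) for each CN/OU containing * = or \\."""
    hits = []
    for attr, value in parse_dn(dn):
        if attr in ("CN", "OU"):
            bad = sorted(PROBLEM_CHARS & set(value))
            if bad:
                hits.append((attr, value, "".join(bad)))
    return hits


def audit(dns):
    """Map each offending DN to its problem names; clean DNs are omitted."""
    report = {}
    for dn in dns:
        hits = problem_names(dn)
        if hits:
            report[dn] = hits
    return report


# Constructed sample DNs, as an LDAP export would list them.
SAMPLE_DNS = [
    "CN=Sales,OU=Users,DC=example,DC=org",            # clean
    "CN=Sales*,OU=Users,DC=example,DC=org",           # asterisk in group name
    "CN=Team \\= East,OU=Users,DC=example,DC=org",    # escaped '=' in group name
    "CN=Finance,OU=Acme\\2c Inc,DC=example,DC=org",   # escaped comma: allowed
    "CN=Legacy\\\\Group,OU=Users,DC=example,DC=org",  # escaped backslash in name
]

if __name__ == "__main__":
    for dn, hits in audit(SAMPLE_DNS).items():
        for attr, value, bad in hits:
            print("%s: %s=%r contains %r" % (dn, attr, value, bad))
```

Note that the escaped comma in `OU=Acme\2c Inc` is decoded and not flagged: commas are legal in names, and only the three characters named in the text are reported.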
Symptom: User data for previously-unseen ISE and User Agent users is not displaying in the web interface
After the system detects activity from an ISE/ISE-PIC, User Agent, or TS Agent user whose data is not yet in the database, the system retrieves information about them from the server. In some cases, the system requires additional time to successfully retrieve this information from Microsoft Windows servers. Until the data retrieval succeeds, activity seen by the ISE/ISE-PIC, User Agent, or TS Agent user is not displayed in the web interface.
Note that this may also prevent the system from handling the user's traffic using access control rules.
Symptom: User data in events is unexpected
If you notice user or user activity events contain unexpected IP addresses, check your realms. The system does not support configuring multiple realms with the same AD Primary Domain value.
Symptom: Users originating from terminal server logins are not uniquely identified by the system
If your deployment includes a terminal server and you have a realm configured for one or more servers connected to the terminal server, you must deploy the Cisco Terminal Services (TS) Agent to accurately report user logins in terminal server environments. When installed and configured, the TS Agent assigns unique ports to individual users so the Firepower System can uniquely identify those users in the web interface.
For more information about the TS Agent, see the Cisco Terminal Services (TS) Agent Guide.