See the following sections for information about troubleshooting Firepower Management Center issues with the TS Agent.
For information about known and fixed issues in this release, see Known Issues and Resolved Issues.
Firepower Management Center does not display user information for System processes
Traffic generated by a service running in the System context is not tracked by the TS Agent. In particular, note the following:
- The TS Agent does not identify Server Message Block (SMB) traffic because SMB traffic runs in the System context.
- Some anti-virus applications proxy web traffic to an on-premises or cloud gateway to catch viruses before they reach a client computer. However, this means that the anti-virus software typically uses the System account; in this case, the FMC sees the users as Unknown. To resolve the issue, disable web traffic proxying.
TS Agent user timeouts do not occur when expected
You must synchronize the time on your server with the time on the Firepower Management Center.
TS Agent does not translate user session ports
The TS Agent does not perform port translation in the following cases:
- A user session exceeds the set Max User Sessions value. For example, if the Max User Sessions is set to 199, the TS Agent does not perform port translation on the 200th user session.
- All available ports are in use. For example, if your User Ports Range value designates 200 ports per user session, the TS Agent does not perform port translation on the 201st TCP/UDP connection until the user ends another TCP/UDP connection and releases a port.
- A user session does not have an associated domain. For example, if a server administrator's session is authenticated by the local system and not by an external Active Directory server, the server administrator logs in to the server but cannot access the network and the TS Agent does not assign ports to the user session.
TS Agent port translation is not performed as expected
If you manually edit the IP address of the server, you must edit the Server NIC on the TS Agent. Then, save your TS Agent configuration and reboot your server.
User sessions are not reported to the Firepower Management Center as expected
If you update the TS Agent configuration to connect to a different Firepower Management Center, you must end all current user
sessions before saving the new configuration. For more information, see Ending a Current User Session.
Client application traffic is reported to the Firepower Management Center as user traffic
If there is a client application installed on your server and the application is configured to bind to a socket that uses
a port that falls outside of your System Ports, you must use the Exclude Port(s) field to exclude that port from translation. If you do not exclude the port and it falls within your User Ports, the TS Agent may report traffic on that port as unrelated user traffic.
To prevent this, configure your client application to bind to a socket that uses a port that falls within your System Ports.
Server application timeout, browser timeout, or TS Agent-Firepower Management Center connection failure
If an application on the TS Agent server ends a TCP/UDP connection but incompletely closes the associated port, the TS Agent cannot use that port for translation. If the TS Agent attempts to use the port for translation before the server closes the port completely, the connection fails.
Note: You can use the netstat command (for summary information) or the netstat -a -o -n -b command (for detailed information) to identify incompletely closed ports; these ports have a state of TIME_WAIT or CLOSE_WAIT.
If you see this issue, increase the TS Agent port range affected by the issue:
- Server application or browser timeout occurs if an incorrectly closed port falls within the User Ports range.
- TS Agent-Firepower Management Center connection failure occurs if an incorrectly closed port falls within the System Ports range.
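The following is an added example, not part of the Cisco documentation or the TS Agent itself: it parses saved netstat -a -o -n output and buckets TIME_WAIT/CLOSE_WAIT ports by whether they fall in the User Ports or System Ports range, which tells you which range the note above says to enlarge. The netstat lines and both port ranges are constructed for the example; substitute the ranges from your own TS Agent configuration.

```python
# Constructed sample of `netstat -a -o -n` output (not captured from a real server).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.5:49200         10.0.0.9:443           ESTABLISHED     4321
  TCP    10.0.0.5:49215         10.0.0.9:443           TIME_WAIT       0
  TCP    10.0.0.5:49233         10.0.0.10:80           CLOSE_WAIT      4321
  TCP    10.0.0.5:5001          10.0.0.9:443           TIME_WAIT       0
  TCP    [fe80::1%3]:49260      [fe80::2%3]:443        TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    876
"""

# States the documentation names as "incompletely closed" ports.
STALE_STATES = {"TIME_WAIT", "CLOSE_WAIT"}


def parse_netstat(text):
    """Turn netstat rows into dicts with proto, local port, state and PID."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        proto, local = parts[0], parts[1]
        state = parts[3] if proto == "TCP" else ""  # UDP rows have no State column
        pid = int(parts[-1])
        port = int(local.rsplit(":", 1)[1])  # works for IPv4 and bracketed IPv6
        rows.append({"proto": proto, "port": port, "state": state, "pid": pid})
    return rows


def stale_ports(rows, user_ports, system_ports):
    """Bucket stale ports by TS Agent range; ranges are (low, high) inclusive.
    The range values passed by the caller are assumptions for this example,
    not TS Agent defaults."""
    report = {"user": [], "system": [], "other": []}
    for r in rows:
        if r["state"] not in STALE_STATES:
            continue
        if user_ports[0] <= r["port"] <= user_ports[1]:
            report["user"].append(r["port"])
        elif system_ports[0] <= r["port"] <= system_ports[1]:
            report["system"].append(r["port"])
        else:
            report["other"].append(r["port"])
    return report


if __name__ == "__main__":
    # Hypothetical ranges: User Ports 49152-65535, System Ports 5000-6000.
    print(stale_ports(parse_netstat(SAMPLE_NETSTAT), (49152, 65535), (5000, 6000)))
```

Stale ports under "user" point at the User Ports range (application or browser timeouts), those under "system" at the System Ports range (TS Agent to FMC connection failures).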
TS Agent-Firepower Management Center connection failure
If the TS Agent fails to establish a connection with the Firepower Management Center when you click the Test button during configuration, check the following:
- Make sure no more than 50 TS Agent clients are attempting to connect to the FMC at the same time.
- Confirm that the Username and Password you provided are the correct credentials for a Firepower Management Center user with REST VDI privileges as discussed in Creating the REST VDI Role. You can view the audit logs on the Firepower Management Center to confirm that the user authentication from the TS Agent succeeded.
- If the connection to the secondary Firepower Management Center in a high availability configuration fails immediately after configuration, this is expected behavior. The TS Agent communicates with the active Firepower Management Center at all times. If the secondary is the active Firepower Management Center, the connection to the primary Firepower Management Center fails.
System processes or applications on the server are malfunctioning
If a system process on your server is using or listening in on a port that is not within your System Ports range, you must manually exclude that port using the Exclude Port(s) field.
If an application on your server is using or listening in on your Citrix MA Client (2598) or Windows Terminal Server (3389)
port, confirm that those ports are excluded in the Exclude Port(s) field.
Firepower Management Center shows Unknown users from the TS Agent
The Firepower Management Center shows Unknown users from the TS Agent in the following situations:
- If the TS Agent driver component fails unexpectedly, user sessions seen during the downtime are logged as Unknown users on the Firepower Management Center.
- Some anti-virus applications proxy web traffic to an on-premises or cloud gateway to catch viruses before they reach a client computer. However, this means that the anti-virus software typically uses the System account; in this case, the FMC sees the users as Unknown. To resolve the issue, disable web traffic proxying.
- If the primary Firepower Management Center in a high availability configuration fails, logins reported by the TS Agent during the 10 minutes of downtime during failover are handled as follows:
  - If a user was not previously seen on the Firepower Management Center and the TS Agent reports user session data, the data is logged as Unknown user activity on the Firepower Management Center.
  - If the user was previously seen on the Firepower Management Center, the data is processed normally.
  After the downtime, the Unknown users are re-identified and processed according to the rules in your identity policy.
NICs are not displayed in the Server NIC list
You must disable router advertisement messages on any devices connected to your server. If router advertisements are enabled, the devices can assign multiple IPv6 addresses to NICs on your server and invalidate the NICs for use with the TS Agent.
A valid NIC must have a single IPv4 or IPv6 address, or one of each type; a valid NIC cannot have multiple addresses of the same type.
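As an added example (not part of the Cisco documentation), the check below applies the NIC rule just stated to a constructed inventory of NIC names and their assigned addresses, so you can see which adapters would be missing from the Server NIC list and why; the NIC names and addresses are invented for the example.

```python
from ipaddress import ip_address

# Constructed inventory: NIC name -> addresses assigned to it (not from a real server).
SAMPLE_NICS = {
    "Ethernet0": ["10.0.0.5"],                                   # one IPv4: valid
    "Ethernet1": ["10.0.0.6", "fe80::1%4"],                      # one of each: valid
    "Ethernet2": ["fe80::1%5", "2001:db8::10", "2001:db8::11"],  # several IPv6 (router advertisements): invalid
    "Ethernet3": ["10.0.0.7", "10.0.0.8"],                       # two IPv4: invalid
    "Ethernet4": [],                                             # no address: invalid
}


def nic_status(addresses):
    """Return (valid, reason) for one NIC under the TS Agent rule:
    at most one IPv4 and at most one IPv6 address, and at least one address."""
    # Strip an IPv6 zone index such as %4 before parsing.
    versions = [ip_address(a.split("%", 1)[0]).version for a in addresses]
    v4, v6 = versions.count(4), versions.count(6)
    if v4 + v6 == 0:
        return False, "no address assigned"
    if v4 > 1:
        return False, f"{v4} IPv4 addresses on one NIC"
    if v6 > 1:
        return False, f"{v6} IPv6 addresses on one NIC (check router advertisements)"
    return True, "single IPv4 and/or single IPv6 address"


def usable_nics(nics):
    """Names of NICs that would appear in the TS Agent Server NIC list."""
    return [name for name, addrs in nics.items() if nic_status(addrs)[0]]


if __name__ == "__main__":
    for name, addrs in SAMPLE_NICS.items():
        print(name, nic_status(addrs))
```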