Click the Monitor tab. The following columns are displayed:
REST Server ID: Host name or IP address of the Firepower Management Center that is reporting the information. This information is useful if you have a high availability configuration.
Source IP: Displays the user's IP address value in IPv4 and/or IPv6 format. When both IPv4 and IPv6 addresses are configured and a new session is just created, both IPv4 and IPv6 addresses are displayed in separate rows.
Session ID: Number that identifies the user's session. A user can have more than one session at a time.
Username: Username associated with the session.
Domain: Active Directory domain in which the user logged in.
Port Range: Port range assigned to the user. A value of 0 indicates an issue assigning ports; for more information, see View Connection Status.
TCP Ports Usage and UDP Ports Usage: Displays the percentage of allocated ports per user. When the percentage exceeds 50%, the field background is yellow. When the percentage exceeds 80%, the field background is red.
Login Date: Date the user logged in.
The following table shows the actions you can perform:
Click column heading
Sort data in the table by that column.
Enter a portion of a username or a complete username in the Filter by Username search field.
Click to refresh sessions displayed on this tab page.
Export the following troubleshooting information about the TS Agent as text files:
XML file containing TS Agent configuration data
Output from the netstat -a -n -o command
Windows task list
List of running drivers
Check the box next to one or more sessions to restream those sessions to the Firepower Management Center. You can use this in the event the user service fails on the Firepower Management Center.
For example, suppose a user logs in to the TS Agent server after the user service fails on the Firepower Management Center. You can use this option to send the user session again after the user service is restored. This should cause Success to be displayed for that user in the Status column.
View Connection Status
When a user logs in to a Terminal Services server where the TS Agent is installed, a new system session is created, a port range is allocated for that session, and the results are sent to the Firepower Management Center for propagation to managed devices.
The Monitor tab page enables you to confirm that the port range was successfully sent to the Firepower Management Center. Reasons why the process might have failed include:
The Status column has one of the following values:
Pending: The action is pending but not yet completed.
Failed: The action failed. Click the word Failed to view an error message. If the error indicates a communication failure with the Firepower Management Center, try to restream traffic for that session as discussed in View Information About the TS Agent.
Success: The action completed successfully.
View TS Agent User, User Session, and TCP/UDP Connection Data on the Firepower Management Center
Use the following procedure to view data reported by the TS Agent. For more information about the Firepower Management Center tables, see the Firepower Management Center Configuration Guide.
Log in to the Firepower Management Center where you configured the realms targeting the users your server is monitoring.
To view users in the Users table, choose Analysis > Users > Users. The Firepower Management Center populates the Current IP, End Port, and Start Port columns if a TS Agent user's session is currently active.
To view user sessions in the User Activity table, choose Analysis > Users > User Activity. The Firepower Management Center populates the Current IP, End Port, and Start Port columns if the TS Agent reported the user session.
To view TCP/UDP connections in the Connection Events table, choose Analysis > Connections > Events. The Firepower Management Center populates the Initiator/Responder IP field with the IP address of the TS Agent that reported the connection and the Source Port/ICMP Type field with the port the TS Agent assigned to the connection.
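The fields described above are enough to attribute a connection event to a TS Agent user: match the reporting address and the source port against the sessions' port ranges. The following is an added example, not Cisco code or part of the original guide; the record layout, field names and sample rows are constructed assumptions modelled on the column names above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Session:  # one row of the Users or User Activity table (field names assumed)
    username: str
    domain: str
    current_ip: str   # "Current IP" column
    start_port: int   # "Start Port" column
    end_port: int     # "End Port" column

@dataclass(frozen=True)
class ConnEvent:  # one row of the Connection Events table (field names assumed)
    initiator_ip: str  # "Initiator/Responder IP" field
    source_port: int   # "Source Port/ICMP Type" field

def same_host(a: str, b: str) -> bool:
    # Compare parsed addresses so differently written IPv6 forms still match.
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def usable(s: Session) -> bool:
    # A port range of 0 means ports were not assigned; skip such sessions.
    return 0 < s.start_port <= s.end_port

def attribute(ev: ConnEvent, sessions: Iterable[Session]) -> Optional[Session]:
    hits = [s for s in sessions
            if usable(s) and same_host(s.current_ip, ev.initiator_ip)
            and s.start_port <= ev.source_port <= s.end_port]
    # Zero hits: no reported session owns the port. Several hits: the ranges
    # overlap, so leave the event unattributed rather than guess.
    return hits[0] if len(hits) == 1 else None

# Constructed sample data (documentation address ranges, made-up users).
SESSIONS = [
    Session("alice", "EXAMPLE", "192.0.2.10", 1024, 2023),
    Session("alice", "EXAMPLE", "2001:db8::10", 1024, 2023),
    Session("bob", "EXAMPLE", "192.0.2.10", 2024, 3023),
    Session("carol", "EXAMPLE", "192.0.2.10", 0, 0),  # port assignment failed
]
EVENTS = [
    ConnEvent("192.0.2.10", 1500),
    ConnEvent("2001:0db8:0000:0000:0000:0000:0000:0010", 2000),
    ConnEvent("192.0.2.10", 2500),
    ConnEvent("192.0.2.10", 50000),
]

def report():
    return [(e.source_port, getattr(attribute(e, SESSIONS), "username", None)) for e in EVENTS]
```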