Troubleshoot Realms and User Downloads

If you notice unexpected server connection behavior, consider tuning your realm configuration, device settings, or server settings. For other related troubleshooting information, see:

Symptom: Realms and groups reported but not downloaded

The CDO's health monitor informs you of user or realm mismatches, which are defined as:

  • User mismatch: A user is reported to the CDO without being downloaded.

    A typical reason for a user mismatch is that the user belongs to a group you have excluded from being downloaded to the CDO. Review the information discussed in Realm Fields.

  • Realm mismatch: A user logs into a domain that corresponds to a realm not known to the CDO.

For example, if you defined a realm that corresponds to a domain named domain.example.com in the CDO but a login is reported from a domain named another-domain.example.com, this is a realm mismatch. Users in this domain are identified by the CDO as Unknown.

You set the mismatch threshold as a percentage, above which a health warning is triggered. Examples:

  • If you use the default mismatch threshold of 50%, and there are two mismatched realms in eight incoming sessions, the mismatch percentage is 25% and no warning is triggered.

  • If you set the mismatch threshold to 30% and there are three mismatched realms in five incoming sessions, the mismatch percentage is 60% and a warning is triggered.

Unknown users that do not match identity rules have no policies applied to them. (Although you can set up identity rules for Unknown users, we recommend keeping the number of rules to a minimum by identifying users and realms correctly.)
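The following is an added example (not Cisco's code) that models the health-monitor arithmetic above over a constructed batch of login events: each event is classified as a realm mismatch (domain unknown to the CDO), a user mismatch (user belongs to an excluded group), or ok, and the mismatch percentage is compared with the configured threshold. The realm and event structures, and the assumption that both mismatch types count toward one percentage, are this example's own.

```python
"""Model of the realm/user mismatch health check (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class RealmConfig:
    domain: str                              # domain the realm was defined for
    excluded_groups: set = field(default_factory=set)  # groups not downloaded to the CDO (assumption)


@dataclass
class LoginEvent:
    user: str
    domain: str
    groups: tuple = ()


def classify(event, realms):
    """Return 'ok', 'realm_mismatch' or 'user_mismatch' for one login event."""
    realm = next((r for r in realms if r.domain.lower() == event.domain.lower()), None)
    if realm is None:
        # Domain corresponds to no configured realm: the user is identified as Unknown
        return "realm_mismatch"
    if any(g in realm.excluded_groups for g in event.groups):
        # User is reported but never downloaded because the group is excluded
        return "user_mismatch"
    return "ok"


def mismatch_report(events, realms, threshold_pct=50.0):
    """Count mismatches and decide whether the health warning fires (strictly above threshold)."""
    counts = {"ok": 0, "realm_mismatch": 0, "user_mismatch": 0}
    for e in events:
        counts[classify(e, realms)] += 1
    total = len(events)
    mismatched = counts["realm_mismatch"] + counts["user_mismatch"]
    pct = (100.0 * mismatched / total) if total else 0.0
    return {"counts": counts, "mismatch_pct": pct, "warning": pct > threshold_pct}


# Constructed configuration: one realm, with one excluded group
REALMS = [RealmConfig("domain.example.com", excluded_groups={"Contractors"})]

# Constructed sessions: the two worked cases from the text
EIGHT_SESSIONS = [
    LoginEvent("alice", "domain.example.com", ("Staff",)),
    LoginEvent("bob", "domain.example.com", ("Staff",)),
    LoginEvent("carol", "domain.example.com", ("Staff",)),
    LoginEvent("dave", "domain.example.com", ("Staff",)),
    LoginEvent("erin", "domain.example.com", ("Staff",)),
    LoginEvent("frank", "domain.example.com", ("Staff",)),
    LoginEvent("guest1", "another-domain.example.com"),   # realm mismatch
    LoginEvent("guest2", "another-domain.example.com"),   # realm mismatch
]
FIVE_SESSIONS = [
    LoginEvent("alice", "domain.example.com", ("Staff",)),
    LoginEvent("bob", "domain.example.com", ("Staff",)),
    LoginEvent("guest1", "another-domain.example.com"),   # realm mismatch
    LoginEvent("guest2", "another-domain.example.com"),   # realm mismatch
    LoginEvent("temp1", "domain.example.com", ("Contractors",)),  # user mismatch
]


def demo():
    """Run both worked cases: 2/8 at the 50% default, then 3/5 at a 30% threshold."""
    return (mismatch_report(EIGHT_SESSIONS, REALMS, 50.0),
            mismatch_report(FIVE_SESSIONS, REALMS, 30.0))


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The first case yields 25% with no warning, the second 60% with a warning; lowering the excluded-group list or adding the missing realm is what moves events back into the "ok" bucket.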

For more information, see Detect Realm or User Mismatches.

Symptom: Access control policy doesn't match group membership

This solution applies to an AD domain that is in a trust relationship with other AD domains. In the following discussion, external domain means a domain other than the one to which the user logs in.

If a user belongs to a group defined in a trusted external domain, the CDO doesn't track membership in the external domain. For example, consider the following scenario:

  • Domain controllers 1 and 2 trust each other

  • Group A is defined on domain controller 2

  • User mparvinder in controller 1 is a member of Group A

Even though user mparvinder is in Group A, the CDO access control policy rules specifying membership Group A don't match.

Solution: Create a similar group in domain controller 1 that contains all domain 1 accounts that belong to Group A. Change the access control policy rule to match any member of Group A or Group B.

Symptom: Access control policy doesn't match child domain membership

If a user belongs to a domain that is a child of a parent domain, Firepower doesn't track the parent/child relationship between the domains. For example, consider the following scenario:

  • Domain child.parent.com is a child of domain parent.com

  • User mparvinder is defined in child.parent.com

Even though user mparvinder is in a child domain, Firepower access control policy rules matching parent.com don't match mparvinder in the child.parent.com domain.

Solution: Change the access control policy rule to match membership in either parent.com or child.parent.com.

Symptom: Realm or realm directory test fails

The Test button on the directory page sends an LDAP query to the hostname or IP address you entered. If it fails, check the following:

  • The Hostname you entered resolves to the IP address of an LDAP server or Active Directory domain controller.

  • The IP Address you entered is valid.

The Test AD Join button on the realm configuration page verifies the following:

  • DNS resolves the AD Primary Domain to an LDAP server or Active Directory domain controller’s IP address.

  • The AD Join Username and AD Join Password are correct.

    AD Join Username must be fully qualified (for example, administrator@mydomain.com, not administrator).

  • The user has sufficient privileges to create a computer in the domain and join the CDO to the domain as a Domain Computer.
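Before pressing Test or Test AD Join, it helps to run the same checks from the command line. The following is an added example (not Cisco's code) that mirrors them: it validates a literal IP address, resolves a hostname, checks that the AD Join Username is fully qualified, and can probe the LDAP port. The resolver is injectable so the checks run offline; `static_resolver`, the UPN pattern and the port probe are this example's own assumptions, not part of the product.

```python
"""Pre-flight checks for a realm directory test (added example, not product code)."""
import ipaddress
import re
import socket

# Assumption: a fully qualified join user looks like user@domain.tld
_UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_valid_ip(text):
    """True if text is a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_fully_qualified_join_user(username):
    """administrator@mydomain.com passes; a bare 'administrator' does not."""
    return bool(_UPN_RE.match(username))


def static_resolver(table):
    """Offline stand-in for DNS: resolves only names in the constructed table."""
    def resolve(hostname):
        try:
            return table[hostname.lower()]
        except KeyError:
            raise OSError(f"no DNS record for {hostname}")
    return resolve


def resolve_host(hostname, resolver=socket.gethostbyname):
    """Return the IP the hostname resolves to, or None if resolution fails."""
    try:
        return resolver(hostname)
    except OSError:
        return None


def ldap_port_reachable(ip, port=389, timeout=3.0):
    """TCP probe of the directory port (389 LDAP, 636 LDAPS). Needs network; not used offline."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hostname_or_ip, join_user, resolver=socket.gethostbyname):
    """Collect the findings the Test / Test AD Join buttons would surface."""
    findings = []
    if is_valid_ip(hostname_or_ip):
        target_ip = hostname_or_ip
    else:
        target_ip = resolve_host(hostname_or_ip, resolver)
        if target_ip is None:
            findings.append(f"DNS: {hostname_or_ip} does not resolve to a directory server")
    if not is_fully_qualified_join_user(join_user):
        findings.append(f"AD Join Username '{join_user}' is not fully qualified (expected user@domain)")
    return {"target_ip": target_ip, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    # Constructed DNS table standing in for the real resolver
    dns = static_resolver({"dc1.mydomain.com": "10.0.0.5"})
    print(preflight("dc1.mydomain.com", "administrator@mydomain.com", resolver=dns))
    print(preflight("nosuch.mydomain.com", "administrator", resolver=dns))
```

Run it with the default resolver against your real directory hostname to confirm DNS from the host where you are working; a passing pre-flight does not prove the join credentials or the privilege to create computer objects, which only the appliance's Test AD Join verifies.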

Symptom: User timeouts are occurring at unexpected times

If you notice the system performing user timeouts at unexpected intervals, confirm that the time on your ISE/ISE-PIC or TS Agent server is synchronized with the time on the Cisco Defense Orchestrator. If the appliances are not synchronized, the system may perform user timeouts at unexpected intervals.

Symptom: Users are not downloaded

Possible causes follow:

  • If you have the realm Type configured incorrectly, users and groups cannot be downloaded because of a mismatch between the attribute the system expects and what the repository provides. For example, if you configure Type as LDAP for a Microsoft Active Directory realm, the system expects the uid attribute, which is set to none on Active Directory. (Active Directory repositories use sAMAccountName for the user ID.)

    Solution: Set the realm Type field appropriately: AD for Microsoft Active Directory or LDAP for another supported LDAP repository.

  • Users in Active Directory groups that have special characters in the group or organizational unit name might not be available for identity policy rules. For example, if a group or organizational unit name contains the characters asterisk (*), equals (=), or backslash (\), users in those groups are not downloaded and can't be used for identity policies.

    Solution: Remove special characters from the group or organizational unit name.
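The following is an added example (not Cisco's code) that illustrates both causes above on constructed directory entries: with Type set to LDAP the system reads uid, which AD entries lack, so nothing downloads; with Type set to AD it reads sAMAccountName, and only users whose group and OU names avoid the asterisk, equals and backslash characters are downloaded. The entry layout, the `USER_ID_ATTR` table and the skip reasons are this example's own modelling of the text.

```python
"""Why realm Type and group/OU names decide which users download (added example, constructed data)."""
import re

# Attribute the system reads for the user ID, per realm Type (from the text above)
USER_ID_ATTR = {"AD": "sAMAccountName", "LDAP": "uid"}

# Characters in a group or OU name that prevent download (from the text above)
BAD_NAME_CHARS = re.compile(r"[*=\\]")

# Constructed AD-style entries: sAMAccountName is present, uid is absent
SAMPLE_ENTRIES = [
    {"sAMAccountName": "mparvinder", "ou": "Staff", "groups": ["Engineering"]},
    {"sAMAccountName": "jdoe", "ou": "Sales*EMEA", "groups": ["Sales=EMEA"]},
    {"sAMAccountName": "asmith", "ou": "Finance", "groups": ["Payroll\\Admins"]},
]


def name_problems(names):
    """Return the names (OU or group) that contain a blocking special character."""
    return [n for n in names if BAD_NAME_CHARS.search(n)]


def downloadable_users(entries, realm_type):
    """Split entries into those the system would download and those it would skip, with reasons."""
    attr = USER_ID_ATTR[realm_type]
    result = {"downloaded": [], "skipped": []}
    for e in entries:
        user_id = e.get(attr)
        if not user_id:
            # Attribute mismatch: e.g. Type=LDAP expects uid, which AD does not set
            label = e.get("sAMAccountName") or e.get("uid") or "<unknown>"
            result["skipped"].append((label, f"missing attribute {attr}"))
            continue
        bad = name_problems([e.get("ou", "")] + e.get("groups", []))
        if bad:
            result["skipped"].append((user_id, "special characters in: " + ", ".join(bad)))
            continue
        result["downloaded"].append(user_id)
    return result


def clean_name(name):
    """Suggested rename for the solution step: drop the blocking characters."""
    return BAD_NAME_CHARS.sub("", name)


if __name__ == "__main__":
    for realm_type in ("LDAP", "AD"):
        print(realm_type, downloadable_users(SAMPLE_ENTRIES, realm_type))
    print(clean_name("Sales*EMEA"), clean_name("Payroll\\Admins"))
```

Running it with Type LDAP skips every AD entry for the missing uid attribute; with Type AD the skip list names exactly the OU or group that needs renaming.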

Symptom: User data for previously-unseen ISE/ISE-PIC users is not displaying in the web interface

After the system detects activity from an ISE/ISE-PIC or TS Agent user whose data is not yet in the database, the system retrieves information about them from the server. In some cases, the system requires additional time to successfully retrieve this information from Microsoft Windows servers. Until the data retrieval succeeds, activity seen for the ISE/ISE-PIC or TS Agent user is not displayed in the web interface.

Note that this may also prevent the system from handling the user's traffic using access control rules.

Symptom: User data in events is unexpected

If you notice user or user activity events contain unexpected IP addresses, check your realms. The system does not support configuring multiple realms with the same AD Primary Domain value.

Symptom: Users originating from terminal server logins are not uniquely identified by the system

If your deployment includes a terminal server and you have a realm configured for one or more servers connected to the terminal server, you must deploy the Cisco Terminal Services (TS) Agent to accurately report user logins in terminal server environments. When installed and configured, the TS Agent assigns unique ports to individual users so the system can uniquely identify those users in the web interface.

For more information about the TS Agent, see the Cisco Terminal Services (TS) Agent Guide.