Troubleshoot Connectivity Issues with Sourcefire User Agent

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Introduction

Sourcefire User Agent monitors Microsoft Active Directory servers and report logins and logoffs authenticated via LDAP. The FireSIGHT System integrates these records with the information it collects via direct network traffic observation by managed devices. When you are working with the Sourcefire User Agent, you may experience technical issues. This document provides tips to troubleshoot various issues with the Sourcefire User Agent.

Prerequisites

Cisco recommends that you have knowledge on FireSIGHT Management Center, Sourcefire User Agent, and Active Directory. Tip: In order to learn more about the installation and uninstallation steps of the Sourcefire User Agent, read this document.

Connectivity Issues

1. Verify that the User Agent is added to the FireSIGHT Management Center. To verify that, navigate to Policies > Users > User Agent and verify that the IP address of configured User Agent host is correct.
2. Confirm that Port 3306 is open and listening. There are no firewalls or other network devices stopping the User Agent from communicating with the Defense Center.
3. Port 3306 will not be open until a User Agent entry has been configured on the FireSIGHT Management Center.
4. If an User Agent host has telnet installed, you can verify the connection by telneting from the User Agent host to the FireSIGHT Management Center. You will see 5.1.66-log followed by a string of ASCII characters. Press CTRL+C repeatedly to disconnect.

Note: The appearance of Got packets out of order message is expected.

If the User Agent generates errors when connecting or authenticating to the Active Directory Server(s) there may be a network or user account permission issue. Verify that there are no network connectivity issues in your environment and temporarily configure the User Agent to use a domain admin account for authentication to the Active Directory servers for testing if possible.

Diagnostic Logging

For general troubleshooting of the User Agent, check Log to local event log within the User Agent GUI client and click Save. This causes useful operational messages to be entered in the User Agent host Application event log. You can confirm that User Agent polling is completing successfully by searching for the following events, in order:

Note: The screenshots below are from the Microsoft Event Viewer on the host that is running the User Agent.