Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
0
Helpful
2
Replies

FMC correctly seeing some ISE PassiveID users, other show Not Found

m.yost
Level 1
Level 1

‎11-28-2023 07:31 AM

FMC: v7.3.0 (build 69)
FTD 1120: v7.2.5
ISE-PIC: 3.2.0.542, Patch 4

We have a new integration between ISE-PIC and FMC that we are trying to use in policy. I can see some users are shown in the Unified Events, but many entries show as "Not Found".

For one of the users I am testing with, I see the username and IP in ISE-PIC. I also see the username and IP in FMC's Active Sessions page and the values match ISE. However, when I look at the Unified Event log and match on the source IP that user is bound to, the events show as "Not Found" as the source user. In the FMC Users page, I see the user with an Active Session Count of 1, but the Available For Policy column shows "no".

Several other users are showing correctly profiled in the Source User column of the Unified Events.  When I cross reference these users to the FMC Users page, the Available For Policy column shows "yes".  Not sure why FMC seems to have all the usernames and IPs, but can't use them all for policy.

1 person had this problem
0 Helpful
2 Replies 2

urathod
Cisco Employee
Cisco Employee

‎12-12-2023 10:49 PM

It seems like there might be an issue with the User Identity policy that is preventing some users from being used in policy, even though their details are being correctly retrieved from ISE-PIC. This might require a closer look and troubleshooting.

Here are a few things you might want to check or consider:

  1. Check the User Identity Policy: Ensure that the User Identity policy applied on the relevant interfaces includes the users that are not being found. You might need to add user groups or specific users to the policy.

  2. Check the ISE-PIC Integration: Ensure that the integration between ISE-PIC and FMC is configured correctly and that the communication between them is working properly.

  3. Check the Session Timeout Settings: The "Available For Policy" attribute might be affected by the session timeout settings. If the user's session has timed out on the FMC, it might show as "Not Found" in the Unified Event log.

  4. Check for Conflicts: If there are conflicts between the user-to-IP mappings retrieved from different sources (like ISE-PIC and AD), FMC might not be able to resolve the correct user.

  5. Software Bug: It's possible that you might be encountering a software bug. If you have checked everything else and the issue persists, you might want to consider contacting Cisco's technical support team.

Remember to perform any configuration changes during a maintenance window to avoid disrupting network operations.

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

0 Helpful

pioflo
Level 1
Level 1

‎03-28-2024 07:37 AM

Did you resolve this issue? I have the same problem.

TAC is not helping with this

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card