FirePOWER Agent – Real-Time Status ‘Unavailable’

KB ID 0001323 D

Problem

I was deploying a Cisco FirePOWER user agent last week, but once it was set up, the agent reported that the Real-Time status for SOME of the domain controllers was permanently ‘Unavailable’. Now I know you have to be patient with these things, so I went and had a coffee.

Still it refused to ‘go green’.

Solution

In addition to all the other rights and firewall rules that you normally have to check, you may have to create another ‘inbound’ firewall rule on your domain controllers.

New Firewall Rule

Type = Custom > Next > All Programs > Next > Protocol type = TCP, Local Port = RPC Dynamic Ports, Remote Port = All Ports > Next.

Custom Firewall Rule FirePOWER Agent

Add the IP address of the FirePOWER Management Appliance > Next > Allow the Connection > Next.

Windows Firewall Rule FirePOWER Agent

I’m allowing for all profiles > Next > Give the rule an easy-to-recognise name > Finish.

FirePOWER Agent Real-Time unavailable

Now back on the server that’s running the user agent, you should just need to restart the ‘Cisco Firepower User Agent’ service. Though I usually just reboot the server and apply the ‘cup of coffee rule’.
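The same rule and service restart as a script, added here as an example rather than taken from the original article. It assumes the NetSecurity module on a 2012 R2 / 2016 domain controller, a placeholder `$RemoteIP` for the address the article enters as the remote scope (the FirePOWER Management Appliance), and that the agent's 2317 events land in the Application log (an assumption; the article only says ‘the server event log’).

```powershell
# Added example, not from the original article.
# $RemoteIP is a placeholder: the address the article adds as the remote scope
# (the FirePOWER Management Appliance). Replace before running.
$RemoteIP = '192.0.2.10'
$RuleName = 'FirePOWER Agent - RPC Dynamic Ports (inbound)'

# Run on each domain controller. Mirrors the wizard steps above:
# inbound, all programs, TCP, local port = RPC dynamic ports, remote port = any,
# scoped to the single remote address, allowed on all profiles.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort RPC -RemotePort Any -RemoteAddress $RemoteIP `
    -Program Any -Profile Any -Action Allow

# Confirm the scope actually stuck rather than trusting the wizard;
# a rule without the RemoteAddress restriction opens RPC to everyone.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter

# Alternative reported in the comment at the end of the article: enable the
# built-in rule group instead of a custom rule (it is unscoped by default).
# Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'

# Run on the server hosting the user agent: restart the service instead of
# rebooting, then check whether the agent is still logging Event ID 2317.
Restart-Service -DisplayName 'Cisco Firepower User Agent'
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 2317 } -MaxEvents 5
```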

Restart FirePOWER Agent Service

That Didn’t Work!

All my domain controllers (a mixture of 2012 R2 and 2016 servers) then reported in fine, ALL EXCEPT ONE. I even tried disabling the firewall, rechecked all the other prerequisites and made sure it was using the default domain controller group policy; it flatly refused to ‘go green’.

You can enable logging on the user agent and have it write to the server event log, so I tried that and got:

FirePOWER Event ID 2317

Event ID 2317: Unable to attach to event listener {IP-Address}. Check firewall settings on AD Server. Attempted to perform an unauthorised operation.

No matter what I did, I could not get this one domain controller to report in. In the end I installed the FirePOWER agent directly on this domain controller and added it as a new agent source in the FirePOWER Management appliance; then it reported fine.

FirePOWER Agent on Domain Controller

Related Articles, References, Credits, or External Links

NA

Author: PeteLong


1 Comment

  1. I had the same issue (2317). Enabled “Remote Event Log Management” rules on DC and restarted Cisco service resolved it.

