FirePOWER Agent – Real-Time Status ‘Unavailable’

KB ID 0001323 D


I was deploying a Cisco FirePOWER user agent last week, but once setup, the agent reported that the Real-Time status for SOME of the domain controllers was permanently ‘Unavailable’. Now I know you have to be patient with these things so I went and had a coffee.

Still it refused to ‘go green’.


I addition to all the other rights and firewall rules that you normally have to check. You may have to create another ‘inbound’ firewall rule on you domain controllers.

New Firewall Rule

Type = Custom > Next > All Programs > Next > Protocol type = TCP, Local Port = RPC Dynamic Ports, Remote Port = All Ports > Next.

Custom Firewall Rule FirePOWER Agent

Add the IP address of the FirePOWER Management Appliance > Next > Allow the Connection > Next.

Windows Firewall Rule FirePOWER Agent

I’m allowing for all profiles > Next > Give the rule an easy to recognise name > Finish.

FirePOWER Agent Real-Time unavailable

Now back on the server that’s running the user agent, you should just need to restart the ‘Cisco Firepower User Agent’ service. Though I usually just reboot the server and apply the ‘cup of coffee rule’.

Restart FirePOWER Agent Service

That Didn’t Work!

All my domain controllers, (a mixture of 2012 R2 and 2016 servers) then reported in fine, ALL EXCEPT ONE. I even tried disabling the firewall, I rechecked all the other pre-requisites and made sure it was using the default domain controller group policy, if flatly refused to ‘go-green’.

You can enable logging on the user agent, and get it to log, to the server event log, so I tried that and got;

FirePOWER Event ID 2317

Event ID 2317: Unable to attach to event listener {IP-Address}. Check firewall settings on AD Server. Attempted to perform an unauthorised operation.

No matter what I did, I could not get this one domain controller to report in. In the end I installed the FirePOWER agent directly on this domain controller, and added it as a new agent source in the FirePOwer Management appliance, then it reported fine.

FirePOWER Agent on Domain Controller

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On

1 Comment

  1. I had the same issue (2317). Enabled “Remote Event Log Managemnt” rules on DC and restarted Cisco service reloved it.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *