Lab Minutes Forum

Technical Discussion => Security => Topic started by: crusier on March 07, 2015, 02:32:27 PM

Title: Problem - IP Mapping - ASA CX
Post by: crusier on March 07, 2015, 02:32:27 PM

Hi Friends,

First i want to thank you this site, that teached me how to configure the ASA-CX. I´m having problems to map the users on my AD, sometimes the ASA only map the IP , so i cant use the policies based on username and groups.

I had to use the old Ad agent ( installed on Domain Controller) , because my costumer dont have any hardware and Vm server to run Cisco CDA.

Could you help me? Please tell what more information do you need to help me.

Tks :D :D :D

Title: Re: Problem - IP Mapping - ASA CX
Post by: MC on March 08, 2015, 10:49:37 AM

First of all, you might want to double check on the compatibility between CX and the AD agent as most Cisco documentation always uses CDA. Second of all, after domain user logs into Windows, check to see if a user-to-IP mapping is created and learnt by the CX by sessioning into the CX and perform command 'show opdata adisessions'. If you don't see a mapping there then CX won't know anything about that user.

Title: Re: Problem - IP Mapping - ASA CX
Post by: crusier on March 12, 2015, 05:28:16 PM

Hi,

If i put the command "show opdata adisessions", there are the follow result:

show opdata adisessions
Vdi Session Directory:
============================
total_sessions: 110
contained_op_data {

 I dont understand, why some workstantions the ASA-CX cant map IP and Username logged. How can i start the troubleshooting?

Tks

Title: Re: Problem - IP Mapping - ASA CX
Post by: MC on March 16, 2015, 10:27:39 PM

What's the percentage of the user that you are not seeing mappings for? If you ask the user to log out and back in, does it fix the problem?

Title: Re: Problem - IP Mapping - ASA CX
Post by: crusier on March 17, 2015, 08:26:43 AM

About 40% of network, if user log out and back in, dont fix the problem.

Detail, some cases if i re-join the workstation again on DC, the problem was fixed. Have seen this problem ?

Tks

Title: Re: Problem - IP Mapping - ASA CX
Post by: MC on March 18, 2015, 10:36:14 PM

It sounds like the agent is not always seeing user login activities, or it does but does not communicate to CX. Any chance to install CDA at all, possibly on VMware workstation temporarily? 

Title: Re: Problem - IP Mapping - ASA CX
Post by: crusier on March 19, 2015, 05:56:36 PM

i will test with CDA, and will soon have news.

Tks again.

Title: Re: Problem - IP Mapping - ASA CX
Post by: crusier on July 05, 2015, 03:16:41 PM

Hi Friends,

Now i running CDA. But some errors occurs, and users mapping stop working whe the messages bellow appers (see attached image):

 ADObserver : Error with ConnectServer WMI RPC, will retry to reconnect shortly
ContextManager : Creation time of mapping record is in the future

Do you know any idea to help fix this issue?

Title: Re: Problem - IP Mapping - ASA CX
Post by: MC on July 06, 2015, 12:59:45 PM

Can you confirm that the CDA was working initially and stopped when the error was encountered?

Title: Re: Problem - IP Mapping - ASA CX
Post by: crusier on July 07, 2015, 06:20:48 AM

Yes, the CDA works for a period, and stop working. It is back work, when I reboot the CDA.

Title: Re: Problem - IP Mapping - ASA CX
Post by: MC on July 11, 2015, 05:20:45 PM

Strange. If it works initially, your setup should be correct. May be try to connect to different domain controller?

Title: Re: Problem - IP Mapping - ASA CX
Post by: crusier on August 28, 2015, 07:41:06 AM

I opened a case on TAC, and them return that the problem is a BUG :

https://tools.cisco.com/bugsearch/bug/CSCul91404/?reffering_site=dumpcr

Next week , i wiil apply the update and return with results.

Tks

Title: Re: Problem - IP Mapping - ASA CX
Post by: MC on August 29, 2015, 05:21:50 PM

That certainly explains it. Thanks for letting us know about the bug. Will await your update.