Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6551
Views
0
Helpful
10
Replies

FMC - Initiator User Not Found in event log

dodgerfan78
Level 1
Level 1

‎01-30-2021 12:38 PM

I have FMC 6.6, FTD 6.5 and ISE 2.7. FMC is connected to ISE via pxGrid and I see the User-to-IP mapping in the FMC: Analysis > Users shows user jbeam with an IP of 192.168.131.11 and an active session count of 1. I have a single identity policy mapped to a single access control rule. When I pass traffic through the FTD, the event log only shows the IP but the user shows up as "Not Found. Any idea what I am missing?

5 people had this problem
0 Helpful
10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

‎01-30-2021 04:37 PM

Can you show us ACP of the policy Logging screenshot, 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Mohammed al Baqari
Level 11
Level 11

‎01-31-2021 03:55 AM

Hi,

Is your user matching prefilter or acp rule. Check that from event analysis.

***** please remember to rate useful posts
0 Helpful

Felipe Cavalcante
Level 1
Level 1

‎03-18-2021 01:13 PM

Hi Guy!

I have the same problem on my environment. Please, do you found a solution for this problem?

0 Helpful

Felipe Cavalcante
Level 1
Level 1
In response to Felipe Cavalcante

‎05-19-2021 11:12 AM

Hi Guys, i hope is everything ok with everyone!

 

I have an importante update about this case, where i had this same scenario in two differents customers and after a lot of analysis days, with TAC Support we was able to find and fix this problem.

 

We've realized this behavior was happening after the FMC Reimage Process. After reimage we uploaded the FMC backup and all configurations has worked fine. The PxGrid integration between FMC and ISE has imported to the FMC as well and all configurations has successfully imported. But after all, we realized that Access Control Rules based on AD Users and Groups was not working, and the LOGs events about this rules has showing the Initiator User as "NOT FOUND".

 

So, the solution for this case was the Workaround of this BUG https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr75813

Look guys, i've applied this WA for two different environments and worked fine! Could be helpful in the future troubleshootings!

 

Thanks and Best Regards!

0 Helpful

bergonzoni
Level 1
Level 1

‎03-20-2021 05:24 AM - edited ‎03-20-2021 05:28 AM

Hi,

Me too, I have the same issue, with FMC 6.6.1, FTD 6.4.0.10 and ISE 2.6.

Under this condition I find a lot of "Not Found" user associated to Connection Events.

I opened a TAC case, do you have any updates?

 

0 Helpful

lap
Level 2
Level 2

‎05-10-2021 05:06 AM

Same issue here on FMC 6.6.1

0 Helpful

bergonzoni
Level 1
Level 1

‎05-10-2021 06:53 AM

Check bug CSCvu30756

 

0 Helpful

lap
Level 2
Level 2

‎05-11-2021 12:47 AM

Thanks I will have a look. Anyway recommended software version right now is 6.6.3 so it makes sense to upgrade.

0 Helpful

Felipe Cavalcante
Level 1
Level 1

‎05-19-2021 11:15 AM

Hi Guys, i hope is everything ok with everyone!

 

I have an importante update about this case, where i had this same scenario in two differents customers and after a lot of analysis days, with TAC Support we was able to find and fix this problem.

 

We've realized this behavior was happening after the FMC Reimage Process. After reimage we uploaded the FMC backup and all configurations has worked fine. The PxGrid integration between FMC and ISE has imported to the FMC as well and all configurations has successfully imported. But after all, we realized that Access Control Rules based on AD Users and Groups was not working, and the LOGs events about this rules has showing the Initiator User as "NOT FOUND".

 

So, the solution for this case was the Workaround of this BUG https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr75813

Look guys, i've applied this WA for two different environments and worked fine! Could be helpful in the future troubleshootings!

 

Thanks and Best Regards!

0 Helpful

Erik Ingeberg
Level 1
Level 1

‎10-27-2021 09:48 AM

Same issue here on FMC / vFTD both running 7.0.1 and ISE 3.

It was working fine when first set up, few days later I noticed it was no longer working.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card