Community Member

Identity firewall not matching IP to user via CDA

I have a lab set up to test ACLs with AD users/groups.

Current setup:

3 VMware instances on one host machine:

Microsoft Server 2012 with Active Directory and DNS

Cisco Context Directory Agent

Windows 7 

This host is connected to the "Server" interface of the firewall and both 



Windows 7 = Varied (change to test IP Mapping of CDA)

Host =


I have full communication between all devices, firewalls disabled on host machines, and full any/any rules on the firewall to prevent any traffic from being blocked as I troubleshoot this.


The agent is connected up to the domain controller and does correctly map users to IPs as I log in/out.


The ASA has the agent configured and tests just fine when I use the Test button in ASDM.


From the ASA CLI I am able to query AD and pull a list of AD groups and users.

I have ACLs created that use the domain\user as the source with any/any just trying to see if anything will match.


When I go to Monitoring > Identity > Users the users that I have in the ACLs appear as inactive.


Any assistance with this would be greatly appreciated. Previously I had this lab set up with the AD Agent and was able to get this to work with on-demand mode but not full-download. Now with CDA I am unable to get either going.
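For reference, a minimal ASA identity-firewall configuration for a lab like the one described above, with the verification commands that show whether CDA mappings are actually reaching the ASA. This is an added example, not the poster's configuration: the names (LAB, adagent, LDAP-AD), the addresses and the user LAB\jdoe are placeholders, and the command syntax is the ASA 8.4(2)+ identity firewall CLI as I recall it, to be checked against the running version.

```cisco
! Constructed example. LDAP server object the ASA uses to import AD groups and users
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (Server) host 10.0.0.10
 ldap-base-dn DC=lab,DC=local
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=asa-svc,CN=Users,DC=lab,DC=local
 server-type microsoft
!
! CDA (AD agent) server: RADIUS in ad-agent-mode. The shared key must match the
! consumer entry for this ASA on the CDA, or the ASA never receives mappings.
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (Server) host 10.0.0.20
 key *****
 user-identity
!
! Identity firewall: bind the domain to the LDAP server, point the ASA at CDA, enable
user-identity domain LAB aaa-server LDAP-AD
user-identity default-domain LAB
user-identity ad-agent aaa-server adagent
! on-demand: ASA asks CDA when it sees a new source IP
! full-download: CDA pushes its whole IP-to-user table to the ASA
user-identity ad-agent active-user-database full-download
user-identity enable
!
! Rule keyed on the AD user, as in the post; addresses are still any/any
access-list INSIDE_IN extended permit ip user LAB\jdoe any any
access-group INSIDE_IN in interface Server
!
! Verification. A user listed as inactive has no IP currently mapped to it on the ASA.
test aaa-server ad-agent adagent
show user-identity ad-agent
show user-identity user all list
show user-identity user active list
show user-identity user inactive list
show user-identity user-of-ip 10.0.0.50
show user-identity ip-of-user LAB\jdoe
show user-identity memory
```

If `show user-identity user-of-ip` for the Windows 7 client's address returns nothing while the CDA console shows the mapping, the gap is between CDA and the ASA (consumer entry, key or download mode), not in the ACL.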



Community Member

After tweaking our ACLs we

After tweaking our ACLs we were able to get this to pull the IP to user mapping when in on-demand mode.


Full download mode still does not retrieve the mapping.

Community Member

What tweaking did you do to

What tweaking did you do to get this working?
