topic USER_ID mapping constantly changing with Zscaler App in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/user-id-mapping-constantly-changing-with-zscaler-app/m-p/579756#M2778 <P>Hi Team,</P> <P>&nbsp;</P> <P>We are facing an issue where PA user authenticated access from ZScaler app connect servers is failing intermittently.</P> <P>&nbsp;</P> <P>Access through PA FW to a server network using user authentication is failing intermittently when connections are made from a pair of ZScaler app connector servers.</P> <P>CLI command "show user ip-user-mapping ip-address-of-ZPA" shows that the userid associated with the ZPA connectors is constantly changing.</P> <P>&nbsp;</P> <P>FW logs do not show anything for the connections that are not completed successfully. The FW logs do report connections that fail the userid authentication rules, by logging unauthenticated access attempts with the last 'deny all' clean up rule of the policy.</P> <P>&nbsp;</P> <P>Successful connections are allowed &amp; logged by the userid authentication rule, including the source user information.</P> <P>Server connections made from non-ZPA connectors, i.e. single user hosts, appear to be working successfully using the same userid authentication rule.</P> <P>&nbsp;</P> <P>We have latest 10.2.8 FW running and would like toc heck if anyone faced any similar issue or where can we check to see why this is happening.</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P><LI-PRODUCT title="User-ID" id="User-ID"></LI-PRODUCT>&nbsp;</P> Fri, 08 Mar 2024 02:54:07 GMT UtkarshKumar 2024-03-08T02:54:07Z USER_ID mapping constantly changing with Zscaler App https://live.paloaltonetworks.com/t5/next-generation-firewall/user-id-mapping-constantly-changing-with-zscaler-app/m-p/579756#M2778 <P>Hi Team,</P> <P>&nbsp;</P> <P>We are facing an issue where PA user authenticated access from ZScaler app connect servers is failing intermittently.</P> <P>&nbsp;</P> <P>Access through PA FW to a server network using user authentication is failing intermittently when connections are made from a pair of ZScaler app connector servers.</P> <P>CLI command "show user ip-user-mapping ip-address-of-ZPA" shows that the userid associated with the ZPA connectors is constantly changing.</P> <P>&nbsp;</P> <P>FW logs do not show anything for the connections that are not completed successfully. The FW logs do report connections that fail the userid authentication rules, by logging unauthenticated access attempts with the last 'deny all' clean up rule of the policy.</P> <P>&nbsp;</P> <P>Successful connections are allowed &amp; logged by the userid authentication rule, including the source user information.</P> <P>Server connections made from non-ZPA connectors, i.e. single user hosts, appear to be working successfully using the same userid authentication rule.</P> <P>&nbsp;</P> <P>We have latest 10.2.8 FW running and would like toc heck if anyone faced any similar issue or where can we check to see why this is happening.</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P><LI-PRODUCT title="User-ID" id="User-ID"></LI-PRODUCT>&nbsp;</P> Fri, 08 Mar 2024 02:54:07 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/user-id-mapping-constantly-changing-with-zscaler-app/m-p/579756#M2778 UtkarshKumar 2024-03-08T02:54:07Z