https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-flags-user-unknown-with-single-digit-timeout-secs/m-p/1224060#M5694 <P>If you are using agentless User id, you can change the timeout value from the user ID setting in the firewall.&nbsp;</P> Tue, 18 Mar 2025 03:58:44 GMT Edsnow 2025-03-18T03:58:44Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-flags-user-unknown-with-single-digit-timeout-secs/m-p/1223942#M5690 <P>Hi all,</P> <P>&nbsp;</P> <P>I'm using Agentless UserID mapping. Since past 2 weeks, random users are dropped out of ip-user-mapping and unable to browse internet.&nbsp;</P> <P>&nbsp;</P> <P>When I run "show user ip-user-mapping all" on CLI:</P> <P>I get 90% of connected AD users mapped to IP addresses but rest of the 10% users are logged as below -</P> <P>IP&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;|&nbsp; Vsys | From | User&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| IdleTimeout(s) | MaxTimeout(s)</P> <P>192.168.2.27&nbsp; |&nbsp; vsys1 |&nbsp; AD&nbsp; |&nbsp; &nbsp;unknown&nbsp; unknown&nbsp; &nbsp;|&nbsp; 1&nbsp; &nbsp;|&nbsp; 4</P> <P>&nbsp;</P> <P>I verified that the subnet is included, clocks are synced with correct NTP, LDAP &amp; Kerberos server works fine. Server-Monitor are "Connected" and below when run "show user server-monitor state all" -</P> <P>UDP Syslog Listener Service is disabled<BR />SSL Syslog Listener Service is disabled</P> <P>Server: &lt;server1.domain.com&gt; (vsys: vsys1) (job 4132013)<BR />Host: 192.168.0.31<BR />num of log query made : 15272<BR />num of log query failed : 144<BR />num of log read : 478509<BR />last record timestamp : 1742182760<BR />last record time : 20250317033920.0-000</P> <P>Server: &lt;server2.domain.com&gt;(vsys: vsys1) (job 4132059)<BR />Host: 192.168.0.41<BR />num of log query made : 28536<BR />num of log query failed : 144<BR />num of log read : 0<BR />last record timestamp : 0<BR />last record time :</P> <P>&nbsp;</P> <P>I can see the successful User Logon events (event ID 4624) on the AD server for that specific IP address and device. Since they can access local resources and file server I don't think AD has any issues authenticating the users. Should I be looking for any specific flag that could cause the delay?</P> <P>&nbsp;</P> <P>The VPN/GloalProtect connects these same users seamlessly but it is disrupting the business tasks on corporate network.&nbsp;</P> <P>&nbsp;</P> <P>Any response or tip is highly appreciated, since Level-2/3 Support Engineer is also unable to help me on this one.</P> Mon, 17 Mar 2025 03:51:03 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-flags-user-unknown-with-single-digit-timeout-secs/m-p/1223942#M5690 rshetye 2025-03-17T03:51:03Z https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-flags-user-unknown-with-single-digit-timeout-secs/m-p/1224060#M5694 <P>If you are using agentless User id, you can change the timeout value from the user ID setting in the firewall.&nbsp;</P> Tue, 18 Mar 2025 03:58:44 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/userid-mapping-flags-user-unknown-with-single-digit-timeout-secs/m-p/1224060#M5694 Edsnow 2025-03-18T03:58:44Z