https://live.paloaltonetworks.com/t5/next-generation-firewall/windows-user-id-agent-disconnect-after-failover/m-p/530156#M879 <P>Hi All,</P> <P>I have a customer who had an issue with the WMI using agentless User-ID due to Microsoft security update.</P> <P>We decided to move to Windows User-ID Agent installed on a domain member Windows Server 2016.</P> <P>PAN OS 10.2.2 and installed agent version 10.2.1-101.</P> <P>In the Data Redistribution i can see the agent is connected.</P> <P>&nbsp;</P> <P>Customer found that if failover occurs, the agent is disconnected.</P> <P>I was able to reproduce this in a lab running the same configuration on VMware.</P> <P>I tried to upgrade to 10.2.3-hf2 but still the same behavior.</P> <P>&nbsp;</P> <P>If i run the command "show user user-id-agent config all" on any gateway while secondary is active, i get the following output:<BR />Server error : op command for client useridd timed out as client is not available<BR />When the primary is active, i will get this error only when i run the command on the secondary (passive) gateway. The primary (active) will output the configuration.</P> <P>&nbsp;</P> <P>If i run the command "show user user-id-agent state all" on the secondary when its passive i get the output:</P> <P>Cannot get config from agent winsrv_user-id_agent: Error: Failed to connect to 10.10.100.30(10.10.100.30):5007<BR />No User-ID Agent agents in vsys vsys1</P> <P>This makes sense as it is passive and should not be able to connect. But when the secondary is active, i get only:</P> <P>No User-ID Agent agents in vsys vsys1</P> <P>&nbsp;</P> <P>Anyone has any idea regarding this behavior?</P> Tue, 07 Feb 2023 17:24:42 GMT ademo-user25 2023-02-07T17:24:42Z https://live.paloaltonetworks.com/t5/next-generation-firewall/windows-user-id-agent-disconnect-after-failover/m-p/530156#M879 <P>Hi All,</P> <P>I have a customer who had an issue with the WMI using agentless User-ID due to Microsoft security update.</P> <P>We decided to move to Windows User-ID Agent installed on a domain member Windows Server 2016.</P> <P>PAN OS 10.2.2 and installed agent version 10.2.1-101.</P> <P>In the Data Redistribution i can see the agent is connected.</P> <P>&nbsp;</P> <P>Customer found that if failover occurs, the agent is disconnected.</P> <P>I was able to reproduce this in a lab running the same configuration on VMware.</P> <P>I tried to upgrade to 10.2.3-hf2 but still the same behavior.</P> <P>&nbsp;</P> <P>If i run the command "show user user-id-agent config all" on any gateway while secondary is active, i get the following output:<BR />Server error : op command for client useridd timed out as client is not available<BR />When the primary is active, i will get this error only when i run the command on the secondary (passive) gateway. The primary (active) will output the configuration.</P> <P>&nbsp;</P> <P>If i run the command "show user user-id-agent state all" on the secondary when its passive i get the output:</P> <P>Cannot get config from agent winsrv_user-id_agent: Error: Failed to connect to 10.10.100.30(10.10.100.30):5007<BR />No User-ID Agent agents in vsys vsys1</P> <P>This makes sense as it is passive and should not be able to connect. But when the secondary is active, i get only:</P> <P>No User-ID Agent agents in vsys vsys1</P> <P>&nbsp;</P> <P>Anyone has any idea regarding this behavior?</P> Tue, 07 Feb 2023 17:24:42 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/windows-user-id-agent-disconnect-after-failover/m-p/530156#M879 ademo-user25 2023-02-07T17:24:42Z