https://live.paloaltonetworks.com/t5/general-topics/food-for-thought-data-redistribution-during-ha-failover-user-id/m-p/1244775#M125772 <P><FONT color="#000000">I was looking for this<A href="http://thetexasroadhousemenu.com/" target="_self">,</A> Thanks!</FONT></P> Mon, 05 Jan 2026 15:14:42 GMT benstokes.pk8 2026-01-05T15:14:42Z https://live.paloaltonetworks.com/t5/general-topics/food-for-thought-data-redistribution-during-ha-failover-user-id/m-p/1219823#M123215 <P>Hi All,&nbsp;</P> <P>&nbsp;</P> <P>I thought I would share something that gave me grief this week.&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5">Background</FONT></P> <UL> <LI>Firewall A and firewall B are in an HA pair.&nbsp;</LI> <LI>Both firewalls are configured to connect to a User-ID agent sitting on a Windows host within the environment.&nbsp;</LI> <LI>Firewall A is configured as the data redistribution <EM>agent</EM> to redistribute User-ID information to other firewalls (data redistribution <EM>clients</EM>) in the environment (firewall C, firewall D, firewall E, etc.)&nbsp;</LI> </UL> <P><FONT size="5">Problem</FONT></P> <P data-unlink="true">Upon reviewing system logs from firewalls C, D, E, etc. I found a common alert: 'connect-agent-failure'. The initial thought was something broke in the initial configuration.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><FONT size="5">Investigation</FONT></P> <P data-unlink="true">I reviewed the troubleshooting steps <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Cr9GCAS&amp;lang=en_US%E2%80%A9" target="_blank" rel="noopener">outlined here</A>&nbsp;only to discover that the data redistribution agent (firewall A) was not connected to the data redistribution clients (firewalls C, D, E, and so forth).&nbsp;</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">After further analysis I deemed the system alert was due to the fact that firewall A had recently become the <EM>passive unit</EM> in the HA pair, so the configuration on the data redistribution clients pointing to firewall A would amount to nothing, as the passive unit does not redistribute username-to-IP-address mappings. Please note this was a hypothesis at the time. Logically, this makes sense to me as the passive unit does not pass traffic, however,&nbsp;I find this interesting as it requires you to have a second data redistribution configuration pointing to firewall B (data redistribution agent configured on firewall B, and data redistribution client configured on firewalls C, D, E, etc.). The result of such a configuration is one of the connections will always be up (to the active unit), while the other will always be down (to the passive unit).&nbsp;</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">I am aware that there are configurations where this could be avoided, such as the use of Panorama as an intermediary, but I appreciate that Panorama is not in use in every environment!&nbsp;</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><FONT size="5">Solution</FONT></P> <P>To remedy the issue I added a second data redistribution configuration within the environment where the clients (firewalls C, D, E, etc.) point to the agent on firewall B. Some additional takeaways from this configuration process were:&nbsp;</P> <OL> <LI>The management interface of the data redistribution agent firewall needs to allow User-ID traffic.&nbsp;</LI> <LI>The paloalto-userid-agent application and associated port (default - 5007) must be allowed in security policy between the data redistribution agent and the data redistribution clients, as well as the data redistribution agent (node) firewall and the User-ID agent sitting on the Windows host. If you are adding another configuration (such was my case), then you will need to tinker with existing policy rules to include the relevant IP address of firewall B.&nbsp;</LI> </OL> <P data-unlink="true">The only area in the existing documentation that I could find which references anything similar to this discussion is <A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchronization" target="_blank" rel="noopener">here</A>, however, the documentation references behaviour in an Active/Active situation, which was not the configuration used in my case.&nbsp;</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><FONT size="5">TLDR</FONT></P> <P data-unlink="true">Data redistribution was broken in my environment. The cause was determined to be there was only one configuration on the data redistribution clients pointing to firewall A. When firewall B became the active peer, the redistribution chain broke. This was resolved by adding a second data redistribution client configuration pointing to firewall B. The documentation is unclear on this behaviour, but logically it makes sense. Other configurations can be used to avoid this problem, but this is dependent on your environment.&nbsp;</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><FONT size="5">Additional Source(s)</FONT></P> <P data-unlink="true"><FONT size="4"><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps/configure-user-id-redistribution" target="_blank" rel="noopener"><FONT size="3">Configure Data Redistribution</FONT></A>&nbsp;</FONT></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><FONT size="4"><LI-PRODUCT title="User-ID" id="User-ID"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="NGFW" id="NGFW"></LI-PRODUCT>&nbsp;</FONT></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><FONT size="5">Edit</FONT></P> <P>2025-05-16 - Clarified references to the data redistribution clients (firewalls C, D, E, etc.).&nbsp;</P> Fri, 16 May 2025 17:23:43 GMT https://live.paloaltonetworks.com/t5/general-topics/food-for-thought-data-redistribution-during-ha-failover-user-id/m-p/1219823#M123215 nohash4u 2025-05-16T17:23:43Z https://live.paloaltonetworks.com/t5/general-topics/food-for-thought-data-redistribution-during-ha-failover-user-id/m-p/1219901#M123222 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/65137099">@nohash4u</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thanks for sharing !</P> <P>&nbsp;</P> Mon, 10 Feb 2025 09:14:58 GMT https://live.paloaltonetworks.com/t5/general-topics/food-for-thought-data-redistribution-during-ha-failover-user-id/m-p/1219901#M123222 kiwi 2025-02-10T09:14:58Z https://live.paloaltonetworks.com/t5/general-topics/food-for-thought-data-redistribution-during-ha-failover-user-id/m-p/1244775#M125772 <P><FONT color="#000000">I was looking for this<A href="http://thetexasroadhousemenu.com/" target="_self">,</A> Thanks!</FONT></P> Mon, 05 Jan 2026 15:14:42 GMT https://live.paloaltonetworks.com/t5/general-topics/food-for-thought-data-redistribution-during-ha-failover-user-id/m-p/1244775#M125772 benstokes.pk8 2026-01-05T15:14:42Z