topic Re: Userid Not detected for some traffic in General Topics

Userid Not detected for some traffic

cdp181 — Tue, 21 Oct 2014 11:25:36 GMT

We are using 4 User-id Agents and today some users started experiencing problems with certain sites they use. The same sites for all users.... but not all sites. We have many ad group based rules and some are still working while others seem to have stopped working.

Looking at the logs I see their userid isn't detected for the blocked traffic but it is for other traffic. Also different AD groups are used by different users and the common factor seems to be the destination IP rather than the AD group used to access it.

Nothing appears to have changed and the there is only one userid mapped to the IP of the user. Some users have regained access after logging out and back in... but this has not worked for eveyone. User-ID agents have all been restarted and don't show any problems as far as I can tell.

I'm at a bit of a loss as to how to troubleshoot this really so any help would be appreciated.

Firewalls are PA-5050's running 5.0.7

Re: Userid Not detected for some traffic

dreputi — Tue, 21 Oct 2014 13:41:23 GMT

Hello Cdp181,

If logs show no up with no 'user-mapping' for the denied traffic, it could mainly be because of

i) no ip-user mapping for that ip/user : check CLI command >show user ip-user-mapping all

ii) no group mapping : check > show user group list

iii) the user is not identified part of that group :check > show user group name "cn=xxxxxx -name of group"

- it will show the way the user id is expecting its users ie domain\username. Make sure it matches with user-ip mapping shown in output i)

iv) security rule has group in its source user part with a 'single user icon(means a user)' rather than 'double user icon(means a group)' :In this condition, most likely the group is not identified properly, you can try deleting and adding the groups/users again.

v) Make sure that the source zone has user-identification enabled

Let us know how it works.

Regards,

Dileep

Re: Userid Not detected for some traffic

hshah — Tue, 21 Oct 2014 13:41:54 GMT

Hi CDP,

Its difficult to answer this question in one post, however I will try my best.

First thing is firewall is on 5.0.7 which is atleast one year old release, I would suggest to upgrade to 5.0.13 for future issues. Potentially firewall is effected with one of user-id bug.

In this type of situation its either user-ip mapping issue or group mapping issue. Bottom line is its not a policy or particular destination issue.

Lets say if user x is having issue, could you please provide me output for

show user ip-user-mapping ip <x>

This will help us to determine potential user-ip or group mapping issue.

Regards,

Hardik Shah

Re: Userid Not detected for some traffic

cdp181 — Wed, 22 Oct 2014 10:55:39 GMT

Thanks for the replies. We logged a ticket with our support partner and this turns out to be a bug. #64166

After approximately 388 days of uptime, the firewall lost the IP address to username mappings on the dataplane. This issue has been addressed so that the firewall does not lose IP address to username mappings when it reaches this uptime.

Since the firewalls rolled over to 388 days at the weekend.

The engineer confirmed by running

show ip-user-mapping all

which returned no results.

show ip-user-mapping-mp all

was populated.

The engineer also advised that this issue is only fixed in 6.0.4 and the workaround is a hard reboot.