https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48305#M35549 <HTML><HEAD></HEAD><BODY><P>I have an environment which has multiple USER-ID agents installed/configure and the agentless option via WMI.</P><P></P><P>There seems to be an issue with user-id records timing out. After x amount of time, users start matching on a catch all policy at the end because there is no longer a username tied to their IP address. If they log off and back on, it starts working fine again until it times out after x number of minutes.</P><P></P><P>Is there something simple to resolving this that I am overlooking?</P></BODY></HTML> Fri, 20 Jun 2014 14:16:54 GMT SDorsey 2014-06-20T14:16:54Z https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48305#M35549 <HTML><HEAD></HEAD><BODY><P>I have an environment which has multiple USER-ID agents installed/configure and the agentless option via WMI.</P><P></P><P>There seems to be an issue with user-id records timing out. After x amount of time, users start matching on a catch all policy at the end because there is no longer a username tied to their IP address. If they log off and back on, it starts working fine again until it times out after x number of minutes.</P><P></P><P>Is there something simple to resolving this that I am overlooking?</P></BODY></HTML> Fri, 20 Jun 2014 14:16:54 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48305#M35549 SDorsey 2014-06-20T14:16:54Z https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48306#M35550 <HTML><HEAD></HEAD><BODY><P>Could it be that the WMI probe doesn't work? If the WMI probe doesn't get a response it deletes the user mapping.</P><P></P><P>What is the output from debug user-id dump probing-stats?</P></BODY></HTML> Fri, 20 Jun 2014 14:37:00 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48306#M35550 Wenar 2014-06-20T14:37:00Z https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48307#M35551 <HTML><HEAD></HEAD><BODY><P>I am guessing that is it. </P><P></P><TABLE><TBODY><TR><TD>num of initial probe made&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </TD><TD>: 115617</TD></TR><TR><TD>num of initial probe succeeded&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </TD><TD>: 3</TD></TR><TR><TD>num of initial probe failed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </TD><TD>: 115514</TD></TR><TR><TD>num of periodic probe made&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </TD><TD>: 14</TD></TR><TR><TD>num of periodic probe succeeded&nbsp;&nbsp;&nbsp;&nbsp; </TD><TD>: 1</TD></TR><TR><TD>num of periodic probe failed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </TD><TD><P>: 13</P></TD></TR></TBODY></TABLE><P></P><P>Now I just need to find out why they are failing. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> </P></BODY></HTML> Fri, 20 Jun 2014 15:24:13 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48307#M35551 SDorsey 2014-06-20T15:24:13Z https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48308#M35552 <HTML><HEAD></HEAD><BODY><P>The PCs that are being probed are likely not set for WMI responses.</P><P>As for why it works when the user logs in again, that is how IP to user mappings are made so that makes sense.</P><P>In addition to WMI probing, (considering these appear to be failing) you can be monitoring other servers in the Windows domain (e.g. file maps. printers, exchange mail servers) so that you can maintain the mapping and the user does not have to log in to refresh the mappings</P><P></P><P>To be able to maintain mappings as the user maps drives etc. enable "server session read" on the UserID agent and the UserID agentless on the firewall so even if WMI probes you may have success in maintaining the user to ip mappings without relying solely on when the users log in.</P><P></P><P>HTH</P></BODY></HTML> Fri, 20 Jun 2014 15:28:25 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48308#M35552 sjamaluddin 2014-06-20T15:28:25Z https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48309#M35553 <HTML><HEAD></HEAD><BODY><P>If you still want to use WMI probing you should verify the user you use for the query. Here is a DOC how you can troubleshoot WMI problems:</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1254">How to Troubleshoot WMI </A></P></BODY></HTML> Fri, 20 Jun 2014 15:32:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-records-timing-out/m-p/48309#M35553 Wenar 2014-06-20T15:32:09Z