https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73463#M41444 <P>&gt; What PAN-OS version are you running ?</P> Wed, 24 Feb 2016 17:52:21 GMT vkalal 2016-02-24T17:52:21Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73445#M41434 <P>Hi All,</P> <P>I'm currently experiencing some issues with user-id mapping. Some users are not being mapped to IP addresses.</P> <P>&nbsp;</P> <P>Current setup: I have 3 domain controllers - all have Service Accounts with correct privileges. They are also showing as 'Connected'</P> <P>&nbsp;</P> <P>I ran the command 'show user server-monitor state all' on the CLI and noticed that one of the servers showed some failed queries:</P> <P>&nbsp;</P> <P>Server: A(vsys: vsys1)<BR /> Host: 10.2.2.59<BR /> num of log query made : 27600<BR /> num of log query failed : 2660<BR /> num of log read : 647253</P> <P>&nbsp;</P> <P>Other than this, I can't find anything that could be amiss.&nbsp;</P> <P>&nbsp;</P> <P>Any ideas please?</P> <P>&nbsp;</P> <P>Thanks</P> Wed, 24 Feb 2016 16:03:11 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73445#M41434 Bocsa 2016-02-24T16:03:11Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73449#M41438 <P>Have you enabled User Identification on the appropriate zone?</P> Wed, 24 Feb 2016 16:16:31 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73449#M41438 Ash2k 2016-02-24T16:16:31Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73450#M41439 <P>&gt; Uncheck the LDAP Proxy</P> <P>&gt; check the bind DN is should be in the format : adminstartor@domain.com</P> <P>&gt; Check the event logs on AD if you are able to see the logon events for any of the test user</P> <P>&gt; Clear user cache by commad clear user-cache all</P> Wed, 24 Feb 2016 16:18:50 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73450#M41439 vkalal 2016-02-24T16:18:50Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73457#M41441 <P>Yes...it has definitely been enabled that's why some users are being mapped. Some others are not being mapped though</P> Wed, 24 Feb 2016 17:29:50 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73457#M41441 Bocsa 2016-02-24T17:29:50Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73458#M41442 <P>Hi Vkalal,</P> <P>I'm not using the user-id agent so I don't believe i need to Uncheck LDAP Proxy.</P> <P>&nbsp;</P> <P>I'll clear the cache and test results</P> Wed, 24 Feb 2016 17:36:20 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73458#M41442 Bocsa 2016-02-24T17:36:20Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73462#M41443 <P>&gt; You can also check if you are able to see the mappings in mangement plane</P> <P>&nbsp; &nbsp;show user ip-user-mapping-mp all</P> Wed, 24 Feb 2016 17:49:02 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73462#M41443 vkalal 2016-02-24T17:49:02Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73463#M41444 <P>&gt; What PAN-OS version are you running ?</P> Wed, 24 Feb 2016 17:52:21 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73463#M41444 vkalal 2016-02-24T17:52:21Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73464#M41445 <P>Hi Bocsa,</P> <P>&nbsp;</P> <P>If you are mapping some users, but not all, could it be that those users are from specific AD group that's not mapped properly?</P> <P>&nbsp;</P> <P>show user group-mapping state &lt;value&gt;|&lt;all&gt;<BR />show user group-mapping statistics</P> <P>&nbsp;</P> <P>If that's not the case, can you check logs for that particular user (that is not mapped) on all three servers? Could they be mis-matching? Silly question, but also - are your clocks all the same on servers (do they have same NTP server and are they all updating clock properly?) Reason why I ask is that sometimes, when user mappings are shared between servers but one of them has clock that is slightly off, that can produce unwanted results as it depends what logs are parsed last and what was the event.</P> <P>If possible, I would also try to simply use only one of three servers temporarily (and test all of them separately, one by one) to see if I will have any missing users when mapping from a single server, that might be faster than looking through the logs of all three servers.</P> <P>&nbsp;</P> <P>If that is not the case either, and you cannot find much in the logs on the server side, try raising debug level on the user-id daemon; by default it is on info level. From cli, you can set:</P> <P>&nbsp;</P> <P>debug user-id on dump</P> <P>&nbsp;</P> <P>run your diagnostics (get problematic user to log on and log off) and than review logs for that username:</P> <P>&nbsp;</P> <P>less mp-log useridd.log</P> <P>&nbsp;</P> <P>When "inside" the log, you can use commands from linux's less command - use / to search for username, etc...</P> <P>once you are done, re-set debug level for user-id by doing:</P> <P>&nbsp;</P> <P>debug user-id on info</P> <P>debug user-id get</P> <P>&nbsp;</P> <P>Last, but not the least - what is the uptime of your device? (you can see that from "show system info" in cli). There was a bug where UserID stopped working after 388 days, but that has been fixed long ago, applies only if you are running an old release. If this is the case, simply restart UserID daemon <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>If nothing from above helps.... let us know or reach out to TAC and inform them what have you done already to diagnose this <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Best regards,</P> <P>&nbsp;</P> <P>Luciano</P> Wed, 24 Feb 2016 18:34:41 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73464#M41445 Lucky 2016-02-24T18:34:41Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73540#M41454 <P>Hi Luciano,</P> <P>thanks for the suggestions. I'll run some debugs. It definitely hasn't been up for up to 388days.</P> <P>&nbsp;</P> <P>Is there a way to clear the log query counters on the Palo? ie</P> <P>&nbsp;</P> <P>Server: (vsys: vsys1)<BR /> Host: 192.168.24.51<BR /> <U><EM><STRONG>num of log query made : 1008950</STRONG></EM></U><BR /><U><EM><STRONG> num of log query failed : 50</STRONG></EM></U><BR /> num of log read : 13225867<BR /> last record timestamp : 1456398701<BR /> last record time : 20160225111141.782341-000</P> Thu, 25 Feb 2016 11:13:14 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73540#M41454 Bocsa 2016-02-25T11:13:14Z https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73545#M41458 <P>For the users whose user-ip mapping is not coming on the firewall for that users do you have security event logs on any of the domain controller. You have to check the security event logs of all domain controller.</P> <P>&nbsp;</P> <P>Check if you have configured&nbsp;any included/excluded network&nbsp;on firewall under user-identification or on user-id agent.</P> Thu, 25 Feb 2016 13:40:10 GMT https://live.paloaltonetworks.com/t5/general-topics/some-users-not-mapping-in-user-id/m-p/73545#M41458 pankaku 2016-02-25T13:40:10Z