https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89070#M43523 <P>Users have no access.</P> <P>&nbsp;</P> <P>[Debug&nbsp; 988]: Reached max allowble probes, adding IP 10.100.xxx.xxx to queue for later processing.&nbsp; Probing 40 IPs, list contains 117 entries<BR /> Reached max allowble probes, adding IP 10.100.xxx.xxx to queue for later processing.&nbsp; Probing 40 IPs, list contains 117 entries<BR /> Probing IP 10.100.xxx.xxx failed. For initial probing, try again after 3 min<BR /> [ Info&nbsp; 938]: IP 10.100.xxx.xxx is already in the probing queue</P> <P>[Debug&nbsp; 484]: IP 10.100.xxx.xxx for acme\user cannot be probed.&nbsp; List is full of 201 entries, currently probing 40</P> <P>&nbsp;</P> <P>+0500 Error: pan_user_id_agent_proc_ipuser(pan_user_id_uia.c:444): pan_user_id_agent_send_ip_user_to_dp() failed for user acme\user</P> <P>+0500 Error: pan_user_id_uia_handle_ip_msg_i(pan_user_id_uia_v5.c:141): pan_user_id_agent_proc_ipuser(vsys 1, ip 10.100.xxx.xxx, user acme\user, timestamp 1466142528) failed</P> <P>&nbsp;</P> <P>What we can do?</P> Sat, 18 Jun 2016 18:31:57 GMT MaximAvtonenko 2016-06-18T18:31:57Z https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89070#M43523 <P>Users have no access.</P> <P>&nbsp;</P> <P>[Debug&nbsp; 988]: Reached max allowble probes, adding IP 10.100.xxx.xxx to queue for later processing.&nbsp; Probing 40 IPs, list contains 117 entries<BR /> Reached max allowble probes, adding IP 10.100.xxx.xxx to queue for later processing.&nbsp; Probing 40 IPs, list contains 117 entries<BR /> Probing IP 10.100.xxx.xxx failed. For initial probing, try again after 3 min<BR /> [ Info&nbsp; 938]: IP 10.100.xxx.xxx is already in the probing queue</P> <P>[Debug&nbsp; 484]: IP 10.100.xxx.xxx for acme\user cannot be probed.&nbsp; List is full of 201 entries, currently probing 40</P> <P>&nbsp;</P> <P>+0500 Error: pan_user_id_agent_proc_ipuser(pan_user_id_uia.c:444): pan_user_id_agent_send_ip_user_to_dp() failed for user acme\user</P> <P>+0500 Error: pan_user_id_uia_handle_ip_msg_i(pan_user_id_uia_v5.c:141): pan_user_id_agent_proc_ipuser(vsys 1, ip 10.100.xxx.xxx, user acme\user, timestamp 1466142528) failed</P> <P>&nbsp;</P> <P>What we can do?</P> Sat, 18 Jun 2016 18:31:57 GMT https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89070#M43523 MaximAvtonenko 2016-06-18T18:31:57Z https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89467#M43537 <P>&nbsp;</P> <P>Having debug on in&nbsp;a scaled deployment can sometimes cause problems. &nbsp;You could try disabling or lower the debug level to alleviate the problem.</P> <P>&nbsp;</P> <P>Alternatively you could disable probing :</P> <P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321" target="_blank">Getting-Started-User-ID</A></P> <P>&nbsp;</P> <P>Splitting the load over multiple agents is also&nbsp;a good idea in a scaled deployment.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 20 Jun 2016 08:07:19 GMT https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89467#M43537 kiwi 2016-06-20T08:07:19Z https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89571#M43542 <P>&nbsp;</P> <P>The problem because of NetBIOS probes have <SPAN class="short_text"><SPAN class="">queue</SPAN></SPAN></P> <P>When we disable NetBIOS probes all users have no access after relogon.</P> <P>&nbsp;</P> <P>Than we enable WMI probes the problem of User-ID disapear<BR /> <BR /> for correct user rights for WMI probes we use:&nbsp;&nbsp; wmic /node:(IP address) computersystem<BR /> get username</P> <P>&nbsp;</P> <P>The installation is about 1500 users and 2 User agents.</P> Mon, 20 Jun 2016 11:52:20 GMT https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89571#M43542 MaximAvtonenko 2016-06-20T11:52:20Z https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89806#M43551 <P>First of all the user to IP mapping should be refreshed at user logon. Please make sure that every logon is generating security events on the LDAP servers and the the agent is able to map them,&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/Security-Event-IDs-from-Active-Directory-Used-with-User-ID-Agent/ta-p/52448" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Security-Event-IDs-from-Active-Directory-Used-with-User-ID-Agent/ta-p/52448</A></P><P>&nbsp;</P><P>Seems that almost all of your user to ip mapping relies on windows probes which is not ideal, As an alternative method you could enable kerberos SSO in captive portal.</P><P><A href="https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/authentication/configure-kerberos-single-sign-on.html" target="_blank">https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/authentication/configure-kerberos-single-sign-on.html</A></P><P>&nbsp;</P><P>regards,</P><P>Gerardo.</P> Mon, 20 Jun 2016 18:01:56 GMT https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/89806#M43551 glastra1 2016-06-20T18:01:56Z https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/167217#M53432 <P><SPAN>Probing is more of an active user mapping to verify a user is still linked to a certain IP address. The LDAP server creates user-to-ip mappings where WMI probing actively verifies a user is still valid. The probing variable can be changed from the default setting to a longer duration so that clients are not probed as often or possibly disable probing altogether. When changing the duration, you may set the timer to half the value of your DHCP renewal timer</SPAN></P><P>&nbsp;</P><P>By Palo Alto technical support</P><P>&nbsp;</P><P>Regards!</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 19 Jul 2017 16:53:19 GMT https://live.paloaltonetworks.com/t5/general-topics/reached-max-allowble-probes/m-p/167217#M53432 Matias_Cova 2017-07-19T16:53:19Z