https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6005#M4370 <HTML><HEAD></HEAD><BODY><P>All sorted out.&nbsp; It had no issues with NAT or Routing rules ( was very confusing looking into specially when you 68 NAT rules).&nbsp; What all I did was adding the 172.X.X.X network in the Allow List of the User-ID agent and creating a new sub-interface.</P><P></P><P>Thanks for your concern.</P><P>Regards,</P><P>Kal</P></BODY></HTML> Thu, 02 Feb 2012 10:41:30 GMT kalyanram.piratla 2012-02-02T10:41:30Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6001#M4366 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #0000ff;">Hi Guys,</SPAN></P><P><SPAN style="color: #0000ff;"><BR /></SPAN></P><P><SPAN style="color: #0000ff;">I am just wondering if any one could help me out on this as I am slightly lost creating and troubleshooting for the following issue:</SPAN></P><P><SPAN style="color: #0000ff;"><BR /></SPAN></P><P class="MsoNormal"><SPAN style="color: #0000ff;"> </SPAN></P><P class="MsoNormal"><SPAN style="color: #0000ff;">It has been noticed that not all traffic had a user-id and it seems that any traffic originating from a VLAN goes down as “unknown” user.&nbsp; </SPAN></P><P class="MsoNormal"><SPAN style="color: #0000ff;"> </SPAN></P><P class="MsoNormal"><SPAN style="color: #0000ff;">So my question is, how can we make the PAN aware of the VLANS so that we can see if the change makes the users visible rather than remaining as unknown.</SPAN></P><P class="MsoNormal"><SPAN style="color: #0000ff;"> </SPAN></P><P class="MsoNormal"><SPAN style="color: #0000ff;">Hope this information helps.&nbsp; Looking forward to hear from you guys.</SPAN></P><P></P><P><SPAN style="color: #0000ff;">Many Thanks...</SPAN></P><P><SPAN style="color: #0000ff;">Kal</SPAN></P></BODY></HTML> Mon, 23 Jan 2012 15:16:46 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6001#M4366 kalyanram.piratla 2012-01-23T15:16:46Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6002#M4367 <HTML><HEAD></HEAD><BODY><P>To add to this, traffic originating from 172.22.10.0/24 network on a vlan has no access to the internet as well.&nbsp; Looking at the traffic logs, it shows application as "incomplete".&nbsp; As far as I understand, incomplete traffic is when the 3-way handshake is not completed.&nbsp; </P><P></P><P>What has to be done to enable the completion of the 3-hand shake?</P><P></P><P>Thank you</P><P>Kal</P></BODY></HTML> Mon, 23 Jan 2012 15:20:15 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6002#M4367 kalyanram.piratla 2012-01-23T15:20:15Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6003#M4368 <HTML><HEAD></HEAD><BODY><P>For Issue#1;</P><P>Please check "user identification" is enabled on the zones which are associated to those VLANs.</P><P></P><P>For Issue#2;</P><P>You need to check Routing and NAT rules to make sure whether it is done properly.</P><P></P><P>If config on either issues looks fine, you can contact support.</P></BODY></HTML> Tue, 24 Jan 2012 04:47:42 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6003#M4368 snisar 2012-01-24T04:47:42Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6004#M4369 <HTML><HEAD></HEAD><BODY><P>Hi Snisar,</P><P></P><P>Thanks for the information.&nbsp; User-Identification has been checked for all the required zones.&nbsp; I think there is something wrong the way I have configured the NAT and Security rule.&nbsp; Will look into it shortly.</P><P></P><P>I will be looking into changing the route and NAT policy that is in place.&nbsp; What is confusing me is would this require configuring a Layer 2 network again for any specific physical interface?&nbsp; I was thinking on this because, I have gone through a document which helps configuring a Layer 2 to Layer 3 on the PAN Device.</P><P></P><P>Any thoughts?</P><P></P><P>Kind Regards,</P><P>Kal</P></BODY></HTML> Tue, 24 Jan 2012 09:34:32 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6004#M4369 kalyanram.piratla 2012-01-24T09:34:32Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6005#M4370 <HTML><HEAD></HEAD><BODY><P>All sorted out.&nbsp; It had no issues with NAT or Routing rules ( was very confusing looking into specially when you 68 NAT rules).&nbsp; What all I did was adding the 172.X.X.X network in the Allow List of the User-ID agent and creating a new sub-interface.</P><P></P><P>Thanks for your concern.</P><P>Regards,</P><P>Kal</P></BODY></HTML> Thu, 02 Feb 2012 10:41:30 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-for-vlan-traffic/m-p/6005#M4370 kalyanram.piratla 2012-02-02T10:41:30Z