https://live.paloaltonetworks.com/t5/general-topics/palo-alto-mapping-problem-adding-new-groups/m-p/150823#M50026 <P>Hi,</P><P>&nbsp;</P><P>we have a PA3050 and we are expecting a problem related to Group mapping. We have added two new groups in LDAP Group mapping profile. We can add these 2 groups using WebUIS "Included groups", we launch a refresh userid group-mapping but when we run "show user group-mapping state all", we can see all goups but not the new ones added.</P><P>&nbsp;</P><P>Why Pa is not detecting the new groups added. We see this error in system logs "PA fetch group LDAP" but PA can connect to LDAP properly.</P><P>&nbsp;</P><P>Its version 7.0.11, any bug related to this?</P> Mon, 03 Apr 2017 11:17:56 GMT Es_tecsupportsecurity 2017-04-03T11:17:56Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-mapping-problem-adding-new-groups/m-p/150823#M50026 <P>Hi,</P><P>&nbsp;</P><P>we have a PA3050 and we are expecting a problem related to Group mapping. We have added two new groups in LDAP Group mapping profile. We can add these 2 groups using WebUIS "Included groups", we launch a refresh userid group-mapping but when we run "show user group-mapping state all", we can see all goups but not the new ones added.</P><P>&nbsp;</P><P>Why Pa is not detecting the new groups added. We see this error in system logs "PA fetch group LDAP" but PA can connect to LDAP properly.</P><P>&nbsp;</P><P>Its version 7.0.11, any bug related to this?</P> Mon, 03 Apr 2017 11:17:56 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-mapping-problem-adding-new-groups/m-p/150823#M50026 Es_tecsupportsecurity 2017-04-03T11:17:56Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-mapping-problem-adding-new-groups/m-p/150901#M50042 <P>Hi,</P><P>&nbsp;</P><P>Not necessarily a bug; could be something in the configuration or whatnot.</P><P>&nbsp;</P><P>Do one thing, take a pcap on the MGMT interface (unless some other interface is being used for LDAP).</P><P>1) Open a CLI session to the firewall&nbsp;</P><P><SPAN>admin@anuragFW&gt;&nbsp;</SPAN>tcpdump</P><P>&nbsp;</P><P>2) Open another CLI session to the firewall</P><P><SPAN>admin@anuragFW&gt;</SPAN>&nbsp;debug user-id refresh group-mapping all</P><P>&nbsp;</P><P>3) verify that the last action time shows a fresh time count:</P><P>admin@anuragFW&gt; show user group-mapping state ourgroups</P><P><BR />Group Mapping((null), type: active-directory): ourgroups<BR />Bind DN : anurag@xxxx.xxx<BR />Base : DC=xxxxx,DC=xxx<BR />Group Filter: (None)<BR />User Filter: (None)<BR />Servers : configured 1 servers<BR />10.21.56.14(389)<BR /><STRONG>Last Action Time: 1 secs ago(took 0 secs)</STRONG><BR />Next Action Time: In 3599 secs</P><P>&nbsp;</P><P>4) Stop the tcpdump by pressing Ctrl+C</P><P>&nbsp;</P><P>5) Transfer the pcap for easy viewing:</P><P>admin@anuragFW&gt; tftp export mgmt-pcap from mgmt.pcap to x.x.x.x</P><P>&nbsp;</P><P>Now, filter for the LDAP server and check what we are receiving from the LDAP server that's causing the error in the system logs.</P><P>&nbsp;</P><P>Regards,</P><P>Anurag</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 03 Apr 2017 18:55:14 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-mapping-problem-adding-new-groups/m-p/150901#M50042 ansharma 2017-04-03T18:55:14Z