topic Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs in General Topics

Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

willstech — Mon, 17 Jun 2013 00:54:19 GMT

Hi...

i have two PA Boxes(4.1.9) and one User-ID Agent(5.0.4-5)

i've got unknown message from User-ID Agent log.

===== UaDebug Log =====

06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 172.19.73.93, list is full with 201 entries, currently probing 40 IPs

06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.201.120.66, list is full with 201 entries, currently probing 40 IPs

06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.200.107.46, list is full with 201 entries, currently probing 40 IPs

06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.40.29.211, list is full with 201 entries, currently probing 40 IPs

06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.200.158.12, list is full with 201 entries, currently probing 40 IPs

=====================

IP address 192.19.73.93 is not my internal address, and IP 10.40.29.211 also located in outside of the PA.

As a note, i don't set a Access Control List in the Palo Alto Networks User-ID Agent(User Identification > Setup > Access Control List).

1. why do i receive many unable to probe IP message?

is it problem of the performance problem of the User-ID Agent?

2. what mean that the message of the unable to probe IP?

3. why the log showing the external IP address in the UaDebug log ?

Please let me know who know of it.

Thanks,

Eugene.

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

Retired Member — Mon, 17 Jun 2013 06:16:50 GMT

wmi probing is not successful so you see that logs.

you can disable wmi from agent(or enable wmi and use an account with privilages)

There is an include and exclude list you can configure inside agent.include only LAN network(Access control list is not for that usage.)

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

Frries — Thu, 03 Aug 2017 06:16:52 GMT

Sorry i do not understand . Could you let me know how to fix this problem. I am getting the same issue log. Thank you

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

abjain — Thu, 03 Aug 2017 08:42:04 GMT

Probing is a mechanism for firewall to verify if a user is still linked to a certain IP address. The LDAP server creates user-to-ip mappings where WMI probing actively verifies a user is still valid.

If the probing cache gets too full. Firewall has a limit to how many IPs it can probe at a givem point of time.

If the probing interval is too aggressive you have more chances of running into this issue. You can adjust the probing interval to a more appropriate value to avoid this.

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

reaper — Thu, 03 Aug 2017 09:53:46 GMT

Do you have user-id enabled on a zone where users are not located?

(if you go to network > zones , check which zones have 'user id' enabled)

any zones where users are not physically located should not have user-id enabled, as the firewall will request the agent for identification for any source ip it sees coming from a zone where user-id is enabled and it doesn't have a mapping for

so if for example user-id is enabled on the internet zone, the firewall will request authentication for every connection sourced from the internet

if the agent does not have a mapping, it will try a probe to see if it can find information from the host itself

if there are too many probe requests you will see the above issue

there are several solutions:

-disable user-id on inappropriate zones,

-move user-id networks to a different zone/interface from non-user-id networks

-add an ip include/exclude list to the user-id agent,

-disable probing

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

BPry — Thu, 03 Aug 2017 15:03:42 GMT

I ran into a similar issue and it was due to another admin enabling user-id on my DMZ connection so that we could get user-id information from 1 server. What he didn't realize was that all our other DMZ machines aren't tied to the domain , so enabling it on that zone didn't really have any good effects.