topic Re: connect-server-monitor-failure in General Topics

connect-server-monitor-failure

MikeC — Thu, 10 Jan 2019 01:41:15 GMT

Has anyone experienced numerous of these "connect-server-monitor-failure" alerts when using agentless user ID?

I have 20+ firewalls using a few specific domain controllers to get user ID info, but these alerts are constantly, 100's an hour.

It seems to be related to WMI memory error, but I've already increased the wmi memory, described in this article

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltXCAS

DCs are Win2k8 R2

Re: connect-server-monitor-failure

reaper — Thu, 10 Jan 2019 13:42:12 GMT

If you have so many firewalls polling only a handful AD servers, it's probably better to install agents on the AD (or one or more servers near the AD) and have the firewalls poll the agents instead, this will dramatically cut down on all the WMI probes you'll need to do

Re: connect-server-monitor-failure

MikeC — Thu, 10 Jan 2019 16:40:58 GMT

I agree, but I don't find 20 firewalls to be a lot. Is this too much for agentless user-ID?

Re: connect-server-monitor-failure

reaper — Thu, 10 Jan 2019 17:14:01 GMT

You'd need to investigate logs on your ADs to make sure but it sounds like some of the WMI arentimjngnout which could be a sign that the AD are not keeping up with the amount of requests coming from the firewalls

If the volume is unusually high you could also look into why this is: maybe a zone that does not have mapped IPs does have user-id enabled which will trigger a query for each unidentified IP (user-id only needs to be enabled on the 'source' zone of the identified users)

Re: connect-server-monitor-failure

MikeC — Thu, 10 Jan 2019 17:45:43 GMT

@reaper wrote:
You'd need to investigate logs on your ADs to make sure but it sounds like some of the WMI arentimjngnout which could be a sign that the AD are not keeping up with the amount of requests coming from the firewalls

If the volume is unusually high you could also look into why this is: maybe a zone that does not have mapped IPs does have user-id enabled which will trigger a query for each unidentified IP (user-id only needs to be enabled on the 'source' zone of the identified users)

I think you may be on to something here, even though I keep being told no. There is only 1 Trust zone on most of the firewalls, but there a few subnets where a user will never map. I think it can benefit from those subnets being excluded

Re: connect-server-monitor-failure

reaper — Thu, 10 Jan 2019 19:05:11 GMT

That sounds like the perfect place to start!

Re: connect-server-monitor-failure

codyweber54 — Mon, 05 Aug 2019 18:37:13 GMT

I know this is a fairly old thread but curious if your investigation turned up any findings with regard to this zone enablement issue? We're having a similar issue and looking for solutions.

Re: connect-server-monitor-failure

MikeC — Mon, 05 Aug 2019 18:43:05 GMT

@codyweber54 I decided to use the Windows User-ID agent instead. No more issues, since switching to that