https://live.paloaltonetworks.com/t5/general-topics/why-does-user-id-suddenly-stops/m-p/1098#M855 <HTML><HEAD></HEAD><BODY><P>While I don't know exactly why this is happening, there have been a great deal of fixes to various User-ID issues between 5.0.2 and 5.0.9. Some of the changes were indeed regarding ip-to-user mappings not displaying in logs, so it might be worth upgrading to 5.0.9 to see if the issue is resolved before going with a support ticket.</P><P></P><P>That said, you can also turn on debugging in the user ID process and tail the log. When the mapping starts to show up blank, turn off debugging and parse through the log to see what may be happening.</P><P></P><P>Turn on the debug:</P><P>&gt; debug user-id on debug</P><P></P><P>Turn off the debug:</P><P>&gt; debug user-id on info</P><P></P><P>Parse through the log (uses standard linux "less" navigation):</P><P>&gt; less mp-log useridd.log</P><P></P><P>That may help explain what is going on when the mapping stops to display.</P><P></P><P>Hope this helps,</P><P>Greg</P></BODY></HTML> Wed, 11 Dec 2013 17:10:58 GMT gwesson 2013-12-11T17:10:58Z https://live.paloaltonetworks.com/t5/general-topics/why-does-user-id-suddenly-stops/m-p/1097#M854 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We have a customer who is using <STRONG>PA-3020 in L3 A/P cluster, running PanOS 5.0.2</STRONG>.</P><P></P><P>We have set up <STRONG>User-ID with PanAgent services</STRONG> (Primary and Secondary) installed on two different servers members of the domain.</P><P></P><P>User-ID is configured to be based on :</P><P></P><P>- Security logs</P><P>- Sessions</P><P>- Probing</P><P></P><P>On 4 different servers :</P><P></P><P>- 2 AD servers</P><P>- 2 Exchange servers</P><P></P><P>The User-ID agents and the monitored servers are all <STRONG>well connected</STRONG>, and there is<STRONG> nothing wrong in the system logs regarding User-ID</STRONG>.</P><P></P><P>Most of the time, all is working fine : users are well identified and thus the proper rules are applied (based on user groups).</P><P></P><P>However, it seems that sometimes the User-ID just stops, and the users are no more identified. Indeed, we can see in the traffic log monitoring that the <EM><STRONG>Source User</STRONG></EM> field is empty. As a result, the applied rule is not the right one and the URL Filtering profile that is applied is not the expected one.</P><P></P><P>The customer is obviously complaining about this and I don't really know how to figure out what's wrong with this User-ID...</P><P></P><P>You can see on the following prinscreen that the Source User field is suddenly empty, and starting this point, the matched rule is of course not the same.</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/10226_pastedImage_2.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>The user-ID agents are connected as you can see</P><P><IMG alt="" class="jiveImage" style="max-width: 1200px; max-height: 900px;" /></P><P><IMG __jive_id="10224" alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/10224_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>And the monitored servers as well</P><P><IMG __jive_id="10223" alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/10223_pastedImage_8.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P></P><P></P><P>Finally, <STRONG>the User-ID restarts after just 1 hour</STRONG></P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/10225_pastedImage_1.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P></P><P>How can I monitor the User-ID and ensure that this won't occur again ?</P><P></P><P>Or maybe this is a bug ?</P><P></P><P>Kind Regards,</P><P></P><P>Laurent</P></BODY></HTML> Wed, 11 Dec 2013 09:45:42 GMT https://live.paloaltonetworks.com/t5/general-topics/why-does-user-id-suddenly-stops/m-p/1097#M854 ldormond 2013-12-11T09:45:42Z https://live.paloaltonetworks.com/t5/general-topics/why-does-user-id-suddenly-stops/m-p/1098#M855 <HTML><HEAD></HEAD><BODY><P>While I don't know exactly why this is happening, there have been a great deal of fixes to various User-ID issues between 5.0.2 and 5.0.9. Some of the changes were indeed regarding ip-to-user mappings not displaying in logs, so it might be worth upgrading to 5.0.9 to see if the issue is resolved before going with a support ticket.</P><P></P><P>That said, you can also turn on debugging in the user ID process and tail the log. When the mapping starts to show up blank, turn off debugging and parse through the log to see what may be happening.</P><P></P><P>Turn on the debug:</P><P>&gt; debug user-id on debug</P><P></P><P>Turn off the debug:</P><P>&gt; debug user-id on info</P><P></P><P>Parse through the log (uses standard linux "less" navigation):</P><P>&gt; less mp-log useridd.log</P><P></P><P>That may help explain what is going on when the mapping stops to display.</P><P></P><P>Hope this helps,</P><P>Greg</P></BODY></HTML> Wed, 11 Dec 2013 17:10:58 GMT https://live.paloaltonetworks.com/t5/general-topics/why-does-user-id-suddenly-stops/m-p/1098#M855 gwesson 2013-12-11T17:10:58Z https://live.paloaltonetworks.com/t5/general-topics/why-does-user-id-suddenly-stops/m-p/1099#M856 <HTML><HEAD></HEAD><BODY><P>Hi Greg,</P><P></P><P>Thanks for these helpful advices.</P><P></P><P>I will first try the debug procedure you suggested (I only have PaloAlto ACE certification, also I don't know about troubleshooting tips).</P><P></P><P>Then I will suggest the customer to perform an upgrade to last 5.0.9 release.</P><P></P><P>Regards,</P><P></P><P>Laurent</P></BODY></HTML> Thu, 12 Dec 2013 13:53:28 GMT https://live.paloaltonetworks.com/t5/general-topics/why-does-user-id-suddenly-stops/m-p/1099#M856 ldormond 2013-12-12T13:53:28Z