Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

Reply
L3 Networker

Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

Hi...

i have two PA Boxes(4.1.9) and one User-ID Agent(5.0.4-5)

i've got unknown message from User-ID Agent log.

===== UaDebug Log =====

06/17/13 08:57:50:139[Debug  911]: Unable to probe IP 172.19.73.93, list is full with 201 entries, currently probing 40 IPs

06/17/13 08:57:50:139[Debug  911]: Unable to probe IP 10.201.120.66, list is full with 201 entries, currently probing 40 IPs

06/17/13 08:57:50:139[Debug  911]: Unable to probe IP 10.200.107.46, list is full with 201 entries, currently probing 40 IPs

06/17/13 08:57:50:139[Debug  911]: Unable to probe IP 10.40.29.211, list is full with 201 entries, currently probing 40 IPs

06/17/13 08:57:50:139[Debug  911]: Unable to probe IP 10.200.158.12, list is full with 201 entries, currently probing 40 IPs

=====================

IP address 192.19.73.93 is not my internal address, and IP 10.40.29.211 also located in outside of the PA.

As a note, i don't set a Access Control List in the Palo Alto Networks User-ID Agent(User Identification > Setup > Access Control List).

1. why do i receive many unable to probe IP message?

    is it problem of the performance problem of the User-ID Agent?

2. what mean that the message of the unable to probe IP?

3. why the log showing the external IP address in the UaDebug log ?

Please let me know who know of it.

Thanks,

Eugene.

L6 Presenter

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

wmi probing is not successful so you see that logs.

you can disable wmi from agent(or enable wmi and use an account with privilages)

There is an include and exclude list you can configure inside agent.include only LAN network(Access control list is not for that usage.)

L1 Bithead

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

Sorry i do not understand . Could you let me know how to fix this problem. I am getting the same issue log. Thank you
Highlighted
L4 Transporter

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

Probing is a mechanism for firewall to verify if a user is still linked to a certain IP address. The LDAP server creates user-to-ip mappings where WMI probing actively verifies a user is still valid. 

 

If the probing cache gets too full. Firewall has a limit to how many IPs it can probe at a givem point of time.

 

If the probing interval is too aggressive you have more chances of running into this issue. You can adjust the probing interval to a more appropriate value to avoid this. 

L7 Applicator

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

Do you have user-id enabled on a zone where users are not located?

 

(if you go to network > zones , check which zones have 'user id' enabled)

 

any zones where users are not physically located should not have user-id enabled, as the firewall will request the agent for identification for any source ip it sees coming from a zone where user-id is enabled and it doesn't have  a mapping for

so if for example user-id is enabled on the internet zone, the firewall will request authentication for every connection sourced from the internet

if the agent does not have a mapping, it will try a probe to see if it can find information from the host itself

 

if there are too many probe requests you will see the above issue

 

 

there are several solutions:

-disable user-id on inappropriate zones,

-move user-id networks to a different zone/interface from non-user-id networks

-add an ip include/exclude list to the user-id agent,

-disable probing

L7 Applicator

Re: Unable to probe IP x.x.x.x, list is full with 201 entries, currently probing 40 IPs

I ran into a similar issue and it was due to another admin enabling user-id on my DMZ connection so that we could get user-id information from 1 server. What he didn't realize was that all our other DMZ machines aren't tied to the domain , so enabling it on that zone didn't really have any good effects. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!