I have two PA boxes (4.1.9) and one User-ID Agent (5.0.4-5).
I've got an unknown message in the User-ID Agent log.
===== UaDebug Log =====
06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 172.19.73.93, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.201.120.66, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.200.107.46, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.40.29.211, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.200.158.12, list is full with 201 entries, currently probing 40 IPs
IP address 126.96.36.199 is not my internal address, and IP 10.40.29.211 is also located outside of the PA.
As a note, I don't set an Access Control List in the Palo Alto Networks User-ID Agent (User Identification > Setup > Access Control List).
1. Why do I receive many "unable to probe IP" messages?
Is it a performance problem of the User-ID Agent?
2. What does the "unable to probe IP" message mean?
3. Why does the log show external IP addresses in the UaDebug log?
Please let me know if anyone knows about it.
WMI probing is not successful, so you see those logs.
You can disable WMI from the agent (or enable WMI and use an account with privileges).
There is an include and exclude list you can configure inside the agent. Include only the LAN network (the Access Control List is not for that usage).
Probing is a mechanism for the firewall to verify if a user is still linked to a certain IP address. The LDAP server creates user-to-IP mappings, where WMI probing actively verifies a user is still valid.
The probing cache can get too full: the firewall has a limit on how many IPs it can probe at a given point in time.
If the probing interval is too aggressive you have more chances of running into this issue. You can adjust the probing interval to a more appropriate value to avoid this.
Do you have User-ID enabled on a zone where users are not located?
(If you go to Network > Zones, check which zones have 'User-ID' enabled.)
Any zones where users are not physically located should not have User-ID enabled, as the firewall will ask the agent for identification for any source IP it sees coming from a zone where User-ID is enabled and for which it doesn't have a mapping.
So if, for example, User-ID is enabled on the internet zone, the firewall will request identification for every connection sourced from the internet.
If the agent does not have a mapping, it will try a probe to see if it can find information from the host itself.
If there are too many probe requests you will see the above issue.
There are several solutions:
- disable User-ID on inappropriate zones,
- move User-ID networks to a different zone/interface from non-User-ID networks,
- add an IP include/exclude list to the User-ID agent.
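A quick way to check the diagnosis above from the agent's own log is to parse the "Unable to probe IP" lines and see which of the probed addresses fall outside the networks where domain-joined users actually sit; any out-of-scope hits point at a zone that has User-ID enabled but no real users, or at a missing include list. The script below is an added example, not code from the thread or from Palo Alto Networks. The log lines it embeds are constructed to match the UaDebug format shown in the question (the two public addresses are documentation ranges, not real hosts), and the include list of RFC 1918 networks is an assumption to be replaced with the site's actual user networks.

```python
import ipaddress
import re

# Matches the UaDebug "Unable to probe" line format quoted in the thread:
# MM/DD/YY HH:MM:SS:mmm[Debug NNN]: Unable to probe IP a.b.c.d, list is full with N entries, currently probing M IPs
PROBE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3})\[Debug \d+\]: "
    r"Unable to probe IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"list is full with (?P<limit>\d+) entries, currently probing (?P<active>\d+) IPs$"
)

# Assumed include list: networks where users that should be probed actually live.
# Replace with the ranges you would put in the agent's include list.
INCLUDE_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log in the format shown in the question (not real agent output).
SAMPLE_LOG = """\
06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 10.201.120.66, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:139[Debug 911]: Unable to probe IP 172.19.73.93, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:140[Debug 911]: Unable to probe IP 203.0.113.7, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:140[Debug 911]: Unable to probe IP 198.51.100.23, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:141[Debug 911]: Unable to probe IP 10.201.120.66, list is full with 201 entries, currently probing 40 IPs
06/17/13 08:57:50:141[Debug 12]: some other unrelated debug message
"""


def parse_probe_line(line):
    """Return a dict for an 'Unable to probe' line, or None for any other line."""
    m = PROBE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "ip": ipaddress.ip_address(m["ip"]),
        "limit": int(m["limit"]),
        "active": int(m["active"]),
    }


def in_scope(ip, networks=INCLUDE_NETWORKS):
    """True if the address belongs to one of the networks users are expected in."""
    return any(ip in net for net in networks)


def analyze(lines, networks=INCLUDE_NETWORKS):
    """Summarize probe failures and list the addresses that should never have been probed."""
    events = [e for e in (parse_probe_line(ln) for ln in lines) if e is not None]
    out_of_scope = sorted({str(e["ip"]) for e in events if not in_scope(e["ip"], networks)})
    return {
        "total": len(events),                                  # matching log lines
        "unique_ips": len({e["ip"] for e in events}),          # distinct addresses the agent gave up on
        "out_of_scope": out_of_scope,                          # candidates for exclusion / zone cleanup
        "limit": max((e["limit"] for e in events), default=0), # agent's probe list capacity
        "peak_active": max((e["active"] for e in events), default=0),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(f"{report['total']} failed probes for {report['unique_ips']} distinct IPs "
          f"(list limit {report['limit']}, {report['peak_active']} probes active)")
    if report["out_of_scope"]:
        print("Probed addresses outside the user networks (check zone User-ID settings / include list):")
        for ip in report["out_of_scope"]:
            print("  ", ip)
```

Run it against the real UaDebug log (`analyze(open(path).read().splitlines())`) with the include list set to the site's user subnets; a non-empty `out_of_scope` list is the concrete evidence that probes are being requested for hosts the agent should never see, which is exactly what enabling User-ID on an internet or DMZ zone produces.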
I ran into a similar issue, and it was due to another admin enabling User-ID on my DMZ connection so that we could get User-ID information from one server. What he didn't realize was that all our other DMZ machines aren't tied to the domain, so enabling it on that zone didn't really have any good effects.