User-ID Agent for Active Directory won't transfer mappings

L1 Bithead

User-ID Agent for Active Directory won't transfer mappings


I have a new PA500 (running 4.0.4)  that I've set up and am now trying to tie to Active Directory in order to create user-based policies.  I have everything configured to my knowledge, but I'm not getting any user-IP mappings on the firewall.

I installed what I believe to be the latest AD agent, 3.1.2 (filename PanAgent-3.1.2.msi), on my server and configured it as follows (using made-up IP addresses and domains for this example):

Domain Name:

Port Number: 31200

Domain Controller Address:

Allow List:

Filter Group: mydomain\users

I am able to successfully view the user-ip mappings and groups through the configuration program.

I have also configured the agent settings on the PA500 as follows:

Agent Type: userid-agent

Name: userid-AD

IP Address:

Port: 31200

Furthermore, I've enabled the agent on the trusted zone through the following settings:

Enable User Identification: Yes

Include List: addr-localnet (

I believe that this is all I have to do to get the user-IP mappings to work but I am not seeing any such mappings on the firewall.  If I consult the PA500's logs I find:

UserID connected to agent userid-AD( version 3, initiated by


Pan-Agent connected: IP port 31200, initiated by

However, if I consult the agent's logs on the server I find it filled with the following error:

New Connection(<port>) Socket(<socket>)
SSL read error in pan_host_agent_rcv_data -2-16-0
Connection(1) is closed!

If I run show user userid-agent statistics on the CLI I get an output like follows:

Server: userid-AD(vsys: vsys1) Address:
        Connection                                        : Not Connected
        Version                                           : <Unknown>
        number of connection tried                        : 5295
        number of connection succeeded                    : 5224
        number of connection failed                       : 71
        number of user ip mapping messages received       : 0
        number of user ip mapping add entries received    : 0
        number of user ip mapping del entries received    : 0
        number of ip msgs rcvd but failed to process      : 0
        number of status messages received                : 0
        number of request of ip mapping messages sent     : 0
        number of request of all ip mapping messages sent : 0
        number of request of status messages sent         : 0

I'm at a loss here and hope that this is enough information for somebody to help me out.  Does anybody have any ideas on why my mappings aren't working?  I don't know whether this is applicable at all, but my Web GUI gives me a certificate error when I attempt to access it.

Thanks for any help you can provide.

L6 Presenter

Re: User-ID Agent for Active Directory won't transfer mappings

Agent type on the PAN configuration should be pan agent as opposed to userid-agent. Change it and commit and you should see the PAN communicate successfully. Userid-agent is for eDir whereas pan-agent is for AD environment.

L1 Bithead

Re: User-ID Agent for Active Directory won't transfer mappings

Well, that was simple.  Thanks for the help.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!