User-ID agent and SSL Error

Reply
L1 Bithead

User-ID agent and SSL Error

I have been getting a ton of email alerts with issues with user-id agent and ssl connection errors even though the status is "green" showing "connected." I have verified the cert is valid and it is a self signed cert valid until Feb 2019. I have performed the steps in the following articles to no avail:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbiCAC

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleaCAC

 

Any ideas or suggestions from the community?

L7 Applicator

Re: User-ID agent and SSL Error

@mmcwethy1,

Does it ever function without issues, or do you immediately see SSL issues? Have you verified that the connection between the Firewall and User-ID agent is stable? What PAN-OS version on the firewall and what User-ID Agent version are you running? 

L1 Bithead

Re: User-ID agent and SSL Error

Thanks for the reply. It seems to be working intermittently. The connection is stable and the versions are as follows:

 

PAN-OS: 7.1.15

User-ID Agent: v8.0.11-12

 

Ironically enough, I believe a manager recently updated the User-ID agent portion and I think that is when the issue presented itself. Is the issue caused by a mismatch or compatibility issue between the PAN-OS and the User-ID agent? I am new to the Palo Alto side so I am still learing the software and firewalls.

L7 Applicator

Re: User-ID agent and SSL Error

@mmcwethy1,

The User-ID agent would be compatable with that version of PAN-OS, I'm also not aware of any user-id specific fixes between the current 7.1.20 and 7.1.15. If you look at the useridd.log what exactly is the error indicated within that log file? 

L1 Bithead

Re: User-ID agent and SSL Error

Here are some of the failures..

 

Error: pan_user_id_agent_send_and_recv_msgs(pan_user_id_agent.c:2084): pan_user_msgs_recv() failed
2018-10-09 11:21:39.483 -0500 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:567): pan_user_id_agent_send_and_recv_msgs() failed for paloaltoua2(1)
2018-10-09 11:21:42.309 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for paloaltoua
2018-10-09 11:21:43.309 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 66, disable rate limiting for paloaltoua
2018-10-09 11:21:45.542 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:740): Error: Failed to Connect to 10.200.23.48(source: 10.253.0.50), SSL error: error:00000000:lib(0):func(0):reason(0)(5)
2018-10-09 11:21:50.861 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:21:53.333 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for paloaltoua
2018-10-09 11:21:54.323 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 67, disable rate limiting for paloaltoua
2018-10-09 11:21:54.458 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for paloaltoua
2018-10-09 11:21:55.334 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 71, disable rate limiting for paloaltoua
2018-10-09 11:21:55.802 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:22:00.261 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:22:04.336 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for paloaltoua
2018-10-09 11:22:05.191 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 67, disable rate limiting for paloaltoua
2018-10-09 11:22:05.191 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:22:10.641 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:22:15.340 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for paloaltoua
2018-10-09 11:22:15.561 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:22:16.340 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 71, disable rate limiting for paloaltoua
2018-10-09 11:22:20.412 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:22:25.112 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:22:26.363 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for paloaltoua
2018-10-09 11:22:27.363 -0500 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 65, disable rate limiting for paloaltoua
2018-10-09 11:22:30.231 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115
2018-10-09 11:22:35.472 -0500 Error: pan_ssl_conn_open(pan_ssl_utils.c:656): pan_tcp_sock_open() failed; errno=115

L1 Bithead

Re: User-ID agent and SSL Error

Updated the UA to the most recent version released a few days ago and problem solved. Apparently it was a bug in the version we were running.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!