I opened a case in this regard, but in the meantime I would like to know if anyone has the same problem as me.
- I'm using PAN-OS version 4.1.8 on a PA-2050 appliance.
- User-ID agent v.220.127.116.11 is used to authenticate users.
- Windows AD, on Server 2008, for LDAP.
I regularly lose the link between a user and the group associated with that user.
Result: I have several rules that grant special access, for example to social networks or personal web storage. At the beginning, when the rule is created, it works, but after about a week it stops working.
The user is authenticated; in the "MONITOR" tab I can see the user in the USER column. But I still see the wrong rule being applied to that person. It is the last rule that gets applied, the one that provides default access to the Internet.
When this happens, here's what I see in the CLI:

    > show user group name domain\group-1
    domain\user01
    domain\user02

Then I ask for the groups associated with the user "user02" and I get no group:

    > show user user-ids match-user domain\user02
    User Name    VSYS    Groups

When it works, the CLI command "show user user-ids match-user" returns the right groups associated with the user.
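The inconsistency described above (a user listed as a member by "show user group name" while "show user user-ids match-user" returns no groups for them) is easy to check for on a schedule. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses the two CLI outputs and reports users whose group link has been lost. The sample outputs are constructed to mirror the shapes shown in the post; the column widths and the exact output format of a real firewall are assumptions, so adjust the parsers to what your device actually prints.

```python
"""Detect lost User-ID group mappings from PAN-OS CLI output.

A user appears as a member in `show user group name <group>` but
`show user user-ids match-user <user>` shows no row (or not that group).
All sample output here is constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: group listing as it looks in the post.
GROUP_LISTING = """\
> show user group name "domain\\group-1"
domain\\user01
domain\\user02
"""

# Constructed sample: match-user output for a user whose mapping is intact.
MATCH_USER_OK = """\
> show user user-ids match-user domain\\user01
User Name                 VSYS     Groups
domain\\user01            vsys1    domain\\group-1,domain\\group-social
"""

# Constructed sample: header only, no row, as the post shows for user02.
MATCH_USER_LOST = """\
> show user user-ids match-user domain\\user02
User Name                 VSYS     Groups
"""

PROMPT = re.compile(r"^\s*>")  # echoed CLI command line, skipped when parsing


def parse_group_members(text: str) -> List[str]:
    """Return the user names (lower-cased) listed by `show user group name`."""
    members = []
    for line in text.splitlines():
        line = line.strip()
        if not line or PROMPT.match(line):
            continue
        members.append(line.lower())
    return members


def parse_match_user(text: str) -> Dict[str, List[str]]:
    """Return {user: [groups]} from `show user user-ids match-user` output.

    A header with no data row means the firewall currently has no group
    information for that user, so the user is simply absent from the result.
    """
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or PROMPT.match(line) or line.startswith("User Name"):
            continue
        fields = line.split()
        user = fields[0].lower()
        # Third column is a comma-separated group list; it may be missing entirely.
        groups = fields[2].split(",") if len(fields) >= 3 else []
        result[user] = [g.lower() for g in groups if g]
    return result


def find_lost_mappings(group_listing: str, match_outputs: Dict[str, str],
                       group: str) -> List[str]:
    """Users that the group listing places in `group` but whose match-user
    output no longer shows that group (or shows no row at all)."""
    lost = []
    for user in parse_group_members(group_listing):
        groups = parse_match_user(match_outputs.get(user, "")).get(user, [])
        if group.lower() not in groups:
            lost.append(user)
    return lost


def main() -> None:
    outputs = {"domain\\user01": MATCH_USER_OK, "domain\\user02": MATCH_USER_LOST}
    for user in find_lost_mappings(GROUP_LISTING, outputs, "domain\\group-1"):
        # A non-empty list is the cue to apply the thread's workaround
        # (re-add the group mapping, or restart the user-id process).
        print(f"{user}: listed in group but match-user returns no matching group")


if __name__ == "__main__":
    main()
```

Feed it the real output of both commands (for example captured over SSH for each user in the group listing) and any user reported by find_lost_mappings is a user the "special access" rules will silently stop matching.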
We have the same problem here. It happens from time to time without a clear pattern. We have opened a case, but the support engineers couldn't reproduce the issue. You could try to use the User-ID agent as an LDAP proxy.
Same here, we're also running 4.1.8 (on a PA-5050 cluster). In my case it seems to happen mostly after we add or remove groups from the Include group list in the User Identification config on the PA.
The only way to get it running again is to execute "debug software restart user-id" on the CLI.
We also tried using the User-ID agent as a proxy, but it made no difference for us.
How are you doing?
This has been a known issue on 4.1.8. Engineering worked on it and proposed a fix in 4.1.9. If you see this problem on 4.1.8, what you can do is go to User Identification, delete the group mapping, do a commit, then re-add the group mapping and commit again, and the issue will go away.
4.1.9 is showing as being avail on my system now. Has anyone tried it?
The list of fixes is rather large and looks to address specifically the problems that we have had.
Experienced the same issues here. 4.1.8H3 resolved the group issue for us. We have not tried 4.1.9 yet, as hotfix 3 got us going again.
I have finally done what you said: I removed the group mapping, committed, created a new group mapping, and committed. All is working well for now.
This weekend I will upgrade to 4.1.9 to see if that resolves the problem completely or if it returns.
I will add some comments here on whether or not the problem comes back.
I had a similar issue, and turning on the LDAP proxy option on the client seemed to fix it for me. I've since upgraded to 5 and have yet to have an issue.