source user showing as unknown in traffic monitor

L1 Bithead

source user showing as unknown in traffic monitor

Found an issue on a customer's firewall. For some reason, the “source user” becomes unknown while students are using a web application called Istation. When that happens, the web traffic for that IP address becomes blocked by another policy. She wrote a specific policy for Istation traffic even if the user is unknown to resolve this issue. But the real question is... why is the “source user” blanking out in the middle of using a web application?


Appreciate your thoughts and suggestions.

Thanks

L3 Networker

Re: source user showing as unknown in traffic monitor

I'm fighting a similar issue on my side, especially with users on VPN getting the wrong web-filtering policy. I have not seen the 'unknown' source user; it's usually just the username on the VPN without the domain (in my case, so this is why they get the wrong policy). Support did provide guidance on this for me, perhaps they can do the same for you?

Another thing that just occurred to me, how many user-id agents are you using or are you using the PAN's for the direct lookup?

L1 Bithead

Re: source user showing as unknown in traffic monitor

Haven't opened a case yet... we may try to upgrade to at least 6.0.7 and see if that helps. The agent is installed on one server.

L3 Networker

Re: source user showing as unknown in traffic monitor

I would say depending on the size of the environment including AD, I would recommend bumping that number up to maybe two or three. That way if one is not responding or up, you have something to refer to.

L4 Transporter

Re: source user showing as unknown in traffic monitor

A couple of my customers hit a similar issue.

Has your firewall been running for over 388 days?

There is one fixed issue, which is bug #64166 (you can find it in the 5.0.14 RN or 6.0.4 RN).

L3 Networker

Re: source user showing as unknown in traffic monitor

Sounds like the user is caching out. Nothing to do with the application. I'm assuming these computers are part of the domain since you do pick up the user initially through the user-ID agent. Did you enable "Server session monitoring" in the userID agent? Also is WMI probing enabled and working? Both these mechanisms will help keep the user to IP mappings fresh.

L1 Bithead

Re: source user showing as unknown in traffic monitor

@emr - the box has not been up that long. Thanks

@Quinton - not sure on the session monitoring... I will check. Will also check WMI probing. How would I know if it is working or not? These are actually wireless users, if that matters.

Thanks!

L3 Networker

Re: source user showing as unknown in traffic monitor

Wireless is no problem. Are these devices part of the Windows domain?

L3 Networker

Re: source user showing as unknown in traffic monitor

Do you use wmi probing?

What do you see with the following command: debug user-id dump probing-stats

If you use probing and it fails three times to get a user from the client, the already mapped user will be deleted for the IP address.
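
One way to pin down when the mapping is lost, as an added example that is not part of the original thread: this Python script scans a traffic-log export for each IP's transition from a known source user to an unknown one and reports how long the mapping lasted, so the drop times can be lined up with the User-ID agent's timeout or the probing statistics. The CSV columns (time, src, srcuser), the function names and the sample rows are constructed assumptions, not the firewall's export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample data. The three column names are assumptions for this
# example, not the firewall's real export format; an empty srcuser means the
# traffic was logged with an unknown source user.
SAMPLE_LOG = """time,src,srcuser
2015-03-02 09:00:05,10.1.20.15,school\\student1
2015-03-02 09:20:10,10.1.20.15,school\\student1
2015-03-02 09:45:07,10.1.20.15,
2015-03-02 09:46:30,10.1.20.15,
2015-03-02 09:02:00,10.1.20.22,school\\student2
2015-03-02 09:47:02,10.1.20.22,
2015-03-02 09:05:00,10.1.20.30,school\\teacher1
2015-03-02 10:30:00,10.1.20.30,school\\teacher1
"""
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def load_rows(text):
    """Parse the CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def find_mapping_drops(rows):
    """Return one record per known -> unknown source-user transition of an IP."""
    state = {}   # ip -> (user, first_seen, last_seen) while a mapping is visible
    drops = []
    for row in sorted(rows, key=lambda r: r["time"]):
        ts = datetime.strptime(row["time"], TIME_FMT)
        ip, user = row["src"], row["srcuser"].strip()
        prev = state.get(ip)
        if user:
            # Same user keeps the original first_seen; a new user restarts it.
            first = prev[1] if prev and prev[0] == user else ts
            state[ip] = (user, first, ts)
        elif prev:
            # First log line without a user after the IP had a mapping.
            drops.append({"ip": ip, "user": prev[0],
                          "last_known": prev[2], "first_unknown": ts,
                          "mapped_minutes": round((ts - prev[1]).total_seconds() / 60)})
            del state[ip]   # later unknown lines for this IP are not new drops
    return drops

if __name__ == "__main__":
    for d in find_mapping_drops(load_rows(SAMPLE_LOG)):
        print(f'{d["ip"]} lost {d["user"]} at {d["first_unknown"]} '
              f'after ~{d["mapped_minutes"]} min')
```

If the reported durations are nearly identical across clients, compare them with the timeout configured on the agent; if they vary, compare the drop times with the output of the probing-stats command above.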
