Found an issue on a customer's firewall. For some reason, the “source user” becomes unknown while students are using a web application called Istation. When that happens, the web traffic for that IP address becomes blocked by another policy. She wrote a specific policy for Istation traffic even if the user is unknown to resolve this issue. But the real question is….Why is the “source user” blanking out in the middle of using a web application?
Appreciate your thoughts and suggestions.
I'm fighting a similar issue on my side especially with users on VPN getting the wrong web-filtering policy. I have not seen the 'unknown' source user, its usually just he username on the VPN without the domain (in my case so this is why they get the wrong policy). Support did provide guidance on this for me, perhaps they can do the same for you?
Another thing that just occurred to me, how many user-id agents are you using or are you using the PAN's for the direct lookup?
haven't opened a case yet...we may try to upgrade to at least 6.0.7 and see if that helps. The agent is installed on one server.
I would say depending on the size of the environment including AD, I would recommend bumping that number up to maybe two or three. That way if one is not responding or up, you have something to refer to.
A couple of my customers hit similar issue.
Does your firewall run over 388 days?
There is one fixed issue which is bug#64166. (you can find it in 5.0.14 RN or 6.0.4 RN.
Sounds like the user is caching out. Nothing to do with the application. I'm assuming these computers are part of the domain since you do pick up the user initially through the user-ID agent. Did you enable "Server session monitoring" in the userID agent? Also is WMI probing enabled and working? Both these mechanisms will help keep the user to IP mappings fresh.
@emr-the box has not been up that long. Thanks
@Quinton- not sure on the session monitoring..I will check. Will also check WMI probing. How would I know if it is working or not?? These are actually wireless users, if that matters.
Do you use wmi probing?
What do you see with the following command: debug user-id dump probing-stats
If you use probing and it fails three times to get a user from the client, the already mapped user will be deleted for the IP address.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!