Agentless User-ID Does Not Retrieve User-IP Mappings and Connection Failures Appear in System Logs

Agentless User-ID (introduced in PAN-OS 5.0) has been configured on a Palo Alto Networks firewall.  The system logs show "Connection failure" messages against the Domain Controller (DC). Pinging the FQDN of the DC verifies that the IP resolution is correct and the pings are successful.



Check to make sure the username entered on the firewall for the Active Directory admin account matches the case sensitive format defined in AD. This is the account created to enable the firewall to access the event logs in AD.


Ensure that the IP address, not FQDN, is entered when configuring the server monitoring. An IP address should be entered into the Network Address field.
I got a similar case where the user-ID logs were showing the following messages, and this solution worked on that case:

In the userid.log file I can see the following:

log query for Corsham failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv

This fixed my issue setting up a new PA 3050 on 6.0.9

Why is this not a bug????

The documentation for 6.1.5 says:

Network Address—Enter the IP address or fully qualified domain name (FQDN) of the Exchange or Active Directory server to monitor.

I have been in the habit of using CIDR notation for even host addresses. At least in 6.0.8, this does not work for the Server Monitoring Network Address field. Although it passes validation on commit, it produces entries like this in useridd.log:


> less mp-log useridd.log


2015-11-23 10:43:50.405 -0700 Error: pan_user_id_get_service_route_obj(pan_user_id_win.c:256): can't get address info for

2015-11-23 10:58:50.298 -0700 Error: pan_user_id_win_log_query(pan_user_id_win.c:1326): log query for <SERVERNAME> failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (
c0000017) in dcerpc_pipe_connect_ncacn_ip_tcp_recv


 And connections are not actually attempted.


2016-01-31 02:15:32.633 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1289): log query for <server name> failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (00000000) in dcerpc_pipe_connect_ncacn_ip_tcp_recv


what is the status (00000000) ??

2017-05-23 13:27:29.090 +1000 Error: pan_user_id_win_log_query(pan_user_id_win.c:1326): log query for Server failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (00000000) in dcerpc_p


Can anybody came accros this?