Agentless User-ID Does Not Retrieve User-IP Mappings and Connection Failures Appear in System Logs

Issue

Agentless User-ID (introduced in PAN-OS 5.0) has been configured on a Palo Alto Networks firewall. The system logs show "Connection failure" messages against the Domain Controller (DC). Pinging the FQDN of the DC confirms that name resolution is correct and the pings succeed.

Resolution

Check that the username entered on the firewall for the Active Directory admin account matches the case-sensitive format defined in AD. This is the account created to allow the firewall to read the event logs in AD.

Ensure that an IP address, not an FQDN, is entered when configuring server monitoring: the Network Address field should contain an IP address.

[Screenshot: Server Monitoring configuration with an IP address in the Network Address field]

owner: sjamaluddin

Comments

I had a similar case where the User-ID logs showed the following messages, and this solution worked in that case:

In the userid.log file I can see the following:

log query for Corsham failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv

This fixed my issue setting up a new PA 3050 on 6.0.9.

Why is this not a bug?

The documentation for 6.1.5 says:

Network Address—Enter the IP address or fully qualified domain name (FQDN) of the Exchange or Active Directory server to monitor.

I have been in the habit of using CIDR notation even for host addresses. At least in 6.0.8, this does not work for the Server Monitoring Network Address field. Although it passes validation on commit, it produces entries like this in useridd.log:

> less mp-log useridd.log

...

2015-11-23 10:43:50.405 -0700 Error: pan_user_id_get_service_route_obj(pan_user_id_win.c:256): can't get address info for 10.147.240.16/32

2015-11-23 10:58:50.298 -0700 Error: pan_user_id_win_log_query(pan_user_id_win.c:1326): log query for <SERVERNAME> failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c0000017) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
...

And connections are not actually attempted.

2016-01-31 02:15:32.633 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1289): log query for <server name> failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (00000000) in dcerpc_pipe_connect_ncacn_ip_tcp_recv

What is the status (00000000)?

2017-05-23 13:27:29.090 +1000 Error: pan_user_id_win_log_query(pan_user_id_win.c:1326): log query for Server failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (00000000) in dcerpc_pipe_connect_ncacn_ip_tcp_recv

Has anybody come across this?
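The useridd.log lines quoted in the comments above, turned into a small triage script. This is an added example, not code from the article or from Palo Alto Networks: it classifies a Server Monitoring Network Address value as a bare IP, an FQDN or a CIDR string (the form the comment shows failing at runtime), and maps the hex NT status in the "log query ... failed" lines to the standard Windows NTSTATUS names. Assumptions: the sample lines are constructed from the comments with a placeholder server name, and the firewall logs the raw NTSTATUS value unchanged.

```python
import re
from ipaddress import ip_address

# Patterns built from the useridd.log entries quoted in the comments.
LOG_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4} Error: "
                    r"(?P<func>\w+)\((?P<src>[^)]+)\): (?P<msg>.*)$")
ADDR_RE = re.compile(r"can't get address info for (?P<addr>\S+)")
NT_RE = re.compile(r"log query for (?P<server>.+?) failed: .*NT status \((?P<code>[0-9a-fA-F]{8})\)")

# Standard Windows NTSTATUS names for the codes seen on this page, plus the two credential
# failures worth ruling out first (assumption: PAN-OS logs the raw NTSTATUS value unchanged).
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000017: "STATUS_NO_MEMORY",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC00000B5: "STATUS_IO_TIMEOUT",
}

def check_network_address(value):
    # Classify a Server Monitoring Network Address value per the article's advice.
    if "/" in value:
        return "cidr"  # passes commit validation, but useridd cannot resolve it
    try:
        ip_address(value)
        return "ip"    # what the article recommends
    except ValueError:
        return "fqdn"  # allowed by the docs, but the article says to use the IP

def triage(line):
    # Explain one useridd.log line; returns None for lines it does not recognise.
    line = line.strip()
    m = LOG_RE.match(line)
    msg = m.group("msg") if m else line  # the Corsham sample has no timestamp prefix
    a = ADDR_RE.search(msg)
    if a:
        return {"server": a.group("addr"),
                "problem": "address_" + check_network_address(a.group("addr"))}
    n = NT_RE.search(msg)
    if n:
        code = int(n.group("code"), 16)
        return {"server": n.group("server"),
                "nt_status": NTSTATUS.get(code, "0x%08X (not in table)" % code)}
    return None

# Constructed sample lines copied from the comments above.
SAMPLE_LOG = [
    "2015-11-23 10:43:50.405 -0700 Error: pan_user_id_get_service_route_obj(pan_user_id_win.c:256): can't get address info for 10.147.240.16/32",
    "log query for Corsham failed: [librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv",
]
```

Run `triage()` over the output of `less mp-log useridd.log`; an `address_cidr` or `address_fqdn` result points at the Network Address field, while `STATUS_ACCESS_DENIED` or `STATUS_LOGON_FAILURE` points at the account name check in the Resolution.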