SSL Connection Fails Between User-ID Agent and the Palo Alto Networks Firewall


Issue

The User-ID agent is unable to send User-to-IP mappings to the firewall even though the firewall shows the agent as connected.

Symptoms

  • The connection between the agent and the firewall appears to be up (State shows conn:idle)

> show user user-id-agent statistics

Name            Host            Port  Vsys    State            Ver Usage

---------------------------------------------------------------------------

userid          172.17.132.52  25555 vsys1  conn:idle        5

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used


  • The counters for IP mapping request messages sent and user IP mapping messages received remain at zero, even though status messages keep being exchanged and the agent was last heard from a second ago

> show user user-id-agent state all

Agent: userid(vsys: vsys1) Host: 172.17.132.52(172.17.132.52):25555

        Status                                            : conn:idle(Connected to 172.17.132.52(source: 255.255.255.255))

        Version                                          : 0x5

        num of connection tried                          : 36

        num of connection succeeded                      : 4

        num of connection failed                          : 32

        num of status msgs rcvd                          : 50495

        num of request of status msgs sent                : 50495

        num of request of ip mapping msgs sent            : 0

        num of request of new ip mapping msgs sent        : 0

        num of request of all ip mapping msgs sent        : 0

        num of user ip mapping msgs rcvd                  : 0

        num of ip msgs rcvd but failed to proc            : 0

        num of user ip mapping add entries rcvd          : 33

        num of user ip mapping del entries rcvd          : 16

        num of request of group msgs sent                : 0

        num of group msgs rcvd                            : 0

        num of group msgs recvd buf fail to proc          : 0

        Last heard(seconds ago)                          : 1


  • The User-ID daemon log (useridd.log on the management plane) shows SSL errors on the connection (the connection between the agent and the firewall is always encrypted in an SSL tunnel)

> less mp-log useridd.log

Jun 22 13:52:21 Error: pan_ssl_readn_nowait(pan_ssl_utils.c:536): SSL :error:00000000:lib(0):func(0):reason(0)

Jun 22 13:52:21 Error: pan_user_id_msg_readin(pan_user_id_msg.c:961): pan_user_id_ssl_readn_nowait() failed.

Jun 22 13:52:21 Error: pan_user_id_agent_msgs_recv(pan_user_id_agent_msgs.c:180): pan_user_id_msg_readin() failed: ERR_SOCKET_FAIL

Jun 22 13:52:21 Error: pan_user_id_agent_send_and_recv_msgs(pan_user_id_agent.c:1347): pan_user_id_agent_msgs_recv() failed

Jun 22 13:52:21 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:452): pan_user_id_agent_send_and_recv_msgs() failed for AD01(4)


Resolution

  • Reset the connection between the User-ID agent and the firewall (use the agent name shown in the state output, here userid, or all)

> debug user-id reset user-id-agent <agent-name | all>

  • If the counters still do not move, restart the useridd daemon itself

> debug software restart user-id

  (On PAN-OS 7.0 and later the equivalent syntax is: > debug software restart process user-id)

  • Verify: re-run > show user user-id-agent state all and confirm that "num of request of ip mapping msgs sent" and "num of user ip mapping msgs rcvd" are now incrementing and that "num of connection failed" has stopped growing. If the Status is not-conn with an SSL error instead, the handshake itself is failing rather than an established session; the comments below cover two such causes (the agent's access control list denying the firewall's source IP, and a certificate verification failure reported fixed by upgrading the agent).
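
As an added example (not part of this article and not Palo Alto Networks code), the Python below parses the output of "show user user-id-agent state all" together with lines from useridd.log and the agent's UaDebug log, and maps them to the failure modes this page describes: an agent that is "connected" but never requests mappings, an agent stuck in not-conn with an SSL error, an agent-side ACL denial, and a certificate verification failure. The sample inputs are constructed from the outputs shown on this page (column alignment shortened), and the verdict labels are this example's own naming, not firewall terminology.

```python
# Added example (not Palo Alto Networks code): triage helper that parses the
# output of 'show user user-id-agent state all' plus lines from useridd.log /
# UaDebug.log and maps them to the failure modes described on this page.
# Sample inputs are constructed from the outputs shown in the article.
import re

# Constructed sample: agent is "connected" but never asks for IP mappings.
STATE_CONN_NO_MAPPINGS = """\
Agent: userid(vsys: vsys1) Host: 172.17.132.52(172.17.132.52):25555
        Status                  : conn:idle(Connected to 172.17.132.52(source: 255.255.255.255))
        Version                 : 0x5
        num of connection tried                 : 36
        num of connection succeeded             : 4
        num of connection failed                : 32
        num of status msgs rcvd                 : 50495
        num of request of status msgs sent      : 50495
        num of request of ip mapping msgs sent  : 0
        num of user ip mapping msgs rcvd        : 0
        Last heard(seconds ago)                 : 1
"""

# Constructed sample: SSL session never comes up (agent ACL or certificate issue).
STATE_NOT_CONN = """\
Agent: userid(vsys: vsys1) Host: 10.12.34.29:5007
        Status                  : not-conn:idle(Error: Failed to Connect to 10.12.34.29(source: 10.12.96.14). SSL error:....)
"""

AGENT_RE = re.compile(r"Agent:\s+(\S+)\(vsys:\s*([^)]+)\)\s+Host:\s+(\S+)")


def parse_agent_state(text):
    """Split the CLI output into one dict per agent: name, vsys, host,
    the raw Status string and integer counters keyed by their label."""
    agents, cur = [], None
    for line in text.splitlines():
        m = AGENT_RE.match(line.strip())
        if m:
            cur = {"name": m[1], "vsys": m[2], "host": m[3], "status": "", "counters": {}}
            agents.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, val = line.strip().partition(":")   # split on the FIRST colon only:
        key, val = key.strip(), val.strip()          # status values contain colons
        if key == "Status":
            cur["status"] = val
        elif val.isdigit():
            cur["counters"][key] = int(val)
    return agents


def classify_agent(agent):
    """Map one parsed agent to a verdict (labels are this example's own)."""
    status, c = agent["status"], agent["counters"]
    if status.startswith("not-conn"):
        # TCP/SSL setup fails: check agent ACL, certificate and agent version.
        return "not-connected-ssl" if "SSL error" in status else "not-connected"
    if status.startswith("conn"):
        heartbeat_ok = c.get("num of status msgs rcvd", 0) > 0
        no_mappings = (c.get("num of request of ip mapping msgs sent", 0) == 0
                       and c.get("num of user ip mapping msgs rcvd", 0) == 0)
        if heartbeat_ok and no_mappings:
            # The article's case: status keepalives flow over the session but
            # mapping requests are never sent -> reset the agent / restart useridd.
            return "connected-no-mappings"
        return "healthy"
    return "unknown"


# Ordered: the more specific SSL certificate pattern is checked first.
LOG_PATTERNS = [
    (re.compile(r"certificate verify failed"), "ssl-cert-verify-failed"),
    (re.compile(r"is denied by access control list"), "agent-acl-denied"),
    (re.compile(r"pan_ssl_readn_nowait\(.*\): SSL :error"), "ssl-read-error"),
    (re.compile(r"pan_tcp_sock_open\(\) failed|Failed to connect to .*Internal Error"),
     "tcp-connect-failed"),
]
DENIED_RE = re.compile(r"New connection (\d+\.\d+\.\d+\.\d+) : (\d+) is denied")


def classify_log_line(line):
    """Return the verdict label for a useridd.log / UaDebug.log line, or None."""
    for rx, label in LOG_PATTERNS:
        if rx.search(line):
            return label
    return None


def denied_client(uadebug_line):
    """From the agent-side ACL denial, return (ip, port) of the rejected
    firewall source: that IP is what must be added to the agent's allow list."""
    m = DENIED_RE.search(uadebug_line)
    return (m[1], int(m[2])) if m else None


if __name__ == "__main__":
    for text in (STATE_CONN_NO_MAPPINGS, STATE_NOT_CONN):
        for a in parse_agent_state(text):
            print(a["name"], a["host"], "->", classify_agent(a))
    # Constructed UaDebug.log line in the format shown in the comments below.
    line = "01/07/16 15:09:26:317[ Info  866]: New connection 10.12.96.14 : 41235 is denied by access control list."
    print(classify_log_line(line), denied_client(line))
```

The state parser splits each counter line on the first colon only, because the Status value itself contains colons (conn:idle, not-conn:idle, SSL error:...). Run it against a saved copy of the CLI output before and after the reset commands above: the verdict should move from connected-no-mappings to healthy once the ip mapping counters start incrementing.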


owner: kadak

Comments

When you see the output below for a User-ID agent that is not connected to the firewall:

> show user user-id-agent state all

Agent: userid(vsys: vsys1) Host: 10.12.34.29:5007

        Status                                            : not-conn:idle(Error: Failed to Connect to 10.12.34.29(source: 10.12.96.14). SSL error:....)

useridd.log

2016-01-07 14:20:43.471 -0800 Error: __pan_print_msg(pan_sys.c:976): Failed to connect to 10.12.34.29(5007): Internal Error
2016-01-07 14:20:43.471 -0800 Error: pan_ssl_conn_open(pan_ssl_utils.c:383): pan_tcp_sock_open() failed
2016-01-07 14:20:48.170 -0800 Error: __pan_print_msg(pan_sys.c:976): Failed to connect to 10.12.34.29(10.12.34.29):5007
2016-01-07 14:20:48.170 -0800 Error: __pan_print_msg(pan_sys.c:976): Failed to connect to 10.12.34.29(5007): Internal Error
2016-01-07 14:20:48.170 -0800 Error: pan_ssl_conn_open(pan_ssl_utils.c:383): pan_tcp_sock_open() failed

Solution:

1. Check for and confirm the log line below in the UaDebug logs on the User-ID Agent itself:

 01/07/16 15:09:26:317[ Info  866]: New connection 10.12.96.14 : 41235 is denied by access control list.

2. Include this IP address in the Allow list of the User-ID Agent's Access Control List. Make sure to include this IP in both fields, 'From IP Address' and 'To IP Addresses', with the action set to 'Allow specific clients'.

3. Also move this allow entry above the block entries in the User-ID agent ACL, since the list is processed from top to bottom.

4. Commit on the User-ID Agent.

I'm having this error, has anyone ever seen it?

(source: 10.129.100.91), SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed(5)
2017-11-09 15:20:02.190 +0800 Error: pan_ssl_conn_open(pan_ssl_utils.c:732):
2017-11-09 15:20:03.217 +0800 Error: __pan_print_msg(pan_sys.c:1165): Failed to Connect to xx.xx.xx.xx(source: 10.129.100.91), SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed(5)
2017-11-09 15:20:03.217 +0800 Error: pan_ssl_conn_open(pan_ssl_utils.c:732):

@TimmyLamar I'm receiving the same error - did you receive a fix?

@scottyfresh my issue was resolved by updating the User-ID agent version that communicates with AD.

Because the old FW is a 3000 series and the new FW is an 820, the minimum requirement for the PAN-OS 8 User-ID agent is the latest User-ID agent.

Reboot the FW, and all issues were solved.