Agentless User-ID "Not Connected"


L4 Transporter

PAN-OS 8.0.9

Server 2008-R2

 

I am in the process of investigating the setup of User-ID, utilising our test network, which has a VM500.

 

I am starting by using the Agentless option. (The production site has 500 users, mostly Citrix Terminal Sessions but also some PCs, so I guess I will also need the TS agent further down the line.)

 

I have done the three basic steps that seem to be outlined in every guide:

 

Created a service account with Domain Admin privs.

In user mapping server monitoring, discovered the DCs...

Added the WMI Authentication Creds on agent setup.

Committed...

 

But all I get is "Status [Not Connected]"

 

Can't seem to find any info on why it's not working?

 

 

 

 

 

4 REPLIES

L7 Applicator

By default the user id will try to connect to the server via the management port. If this is an issue then change it in device/setup/services.

 

there are other rasons but start with this one as it caught me out...

 

*reasons not rasons lol.

Cyber Elite

You can use tcpdump in the CLI and filter for your AD to see if packets are going out and being replied to properly.

 

(view by > view-pcap mgmt-pcap mgmt.pcap)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Well the PCAP did not give much joy, although it did show some "ICMP unreachable" to the server...

 

The server pinged fine on the CLI by "ShortDN" and "FQDN".

 

 

HunchTime.....

 

So although I could ping from the management interface, there seemed to be some issue with the Management Plane making some connection via DNS entry...

 

I added another server in the list but specified it by IP rather than DNS name... Committed, Connected!

 

No idea if the production environment will have the same issue but at least I have a workaround...

 

Cheers

 

Rob

 

 

ok nice one...

 

Why don't you just modify the original server entry to "IP Address" just to make sure it's nothing else in that server config causing the issue?

 

Also add FQDN to the second entry... just for DNS test purposes.
