This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Agentless User-ID "Not Connected"

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Agentless User-ID "Not Connected"

RobinClayton
L4 Transporter

‎08-09-2018 08:00 AM

PAN-OS 8.0.9

Server 2008-R2

 

I am in the process of investigating the setup of User-ID, utilising our test network which has a VM500

 

I am starting using the Agentless option. ( The production site has 500 users, mostly Citrix Terminal Sessions but also Some PC's so I guess I will also need the TS agent further down the line.)

 

I have done the three basic steps that seem to be outlined in every guide

 

Create service account with Domain Admin privs.

In user mapping server monitorig Discovered the DC's...

added the WMI Authentication Creds on agent setup.

Committed...

 

But all i get is "Status [Not Connected]"

 

Can't seem to find any info on why it's nto working?

 

 

 

 

 

0 Likes Likes
4 REPLIES 4

Mick_Ball
L7 Applicator

‎08-09-2018 10:05 AM - edited ‎08-09-2018 10:05 AM

By default the user id will try to connect to the server via management port. If this is an issue then change it in device/setup/services

 

there are other rasons but start with this one as it caught me out...

 

*reasons not rasons lol.

0 Likes Likes

reaper
Cyber Elite
Cyber Elite

‎08-10-2018 12:24 AM

you can use tcpdump in the CLI and filter for your AD to see if packets are going out and being replied to properly

 

(view by > view-pcap mgmt-pcap mgmt.pcap )

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

RobinClayton
L4 Transporter
In response to reaper

‎08-10-2018 02:03 AM - edited ‎08-10-2018 02:18 AM

Well the PCAP did not give much joy, although it did show some "ICMP unreachable" to the server...

 

The server Pinged fine on the CLI by "ShortDN" and "FQDN"

 

 

HunchTime.....

 

So althoug I could ping from the management interface, there seemed to be some issue with the Management Plane making some connection via DNS entry..

 

I added another server in the list but specified it by IP rather than DNS name... Committed , Connected!

 

No idea if the production environment will have the same issue but at least I have a workarround..

 

Cheers

 

Rob

 

 

0 Likes Likes

Mick_Ball
L7 Applicator
In response to RobinClayton

‎08-10-2018 02:26 AM

ok nice one...

 

why dont you just modify the original server entry to "IP Address" just to make sure its nothing else in that server config causing the issue.

 

also add fqdn to second entry...  just for dns test purpose

0 Likes Likes
  • 2079 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks