04-20-2016 03:11 AM
Hi,
We are seeing a lot of strange logs in the useridd.log file. We don't know why we are receiving these logs.
The LDAP is configured correctly and we have the read permissions for everything in AD user. Users are working fine.
Please, why are we receiving these logs and how can we solve this??
2016-04-19 09:01:58.577 +0200 connecting to ldap://[192.168.49.81]:636 with StartTLS...
2016-04-19 09:01:58.579 +0200 Error: pan_ldap_init_ex(pan_ldap.c:252): start_tls_s return(-1) : Can't contact LDAP server
2016-04-19 09:01:58.579 +0200 connecting to ldaps://[192.168.49.81]:636 ...
2016-04-19 09:01:58.585 +0200 ldap cfg LDAP_xx connected to 192.168.49.81:636(index 1)
2016-04-19 09:01:58.587 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=pa_vectorsf,ou=firewall_groups,ou=groups,ou=mng,dc=intranet,dc=,dc=es'
2016-04-19 09:01:58.587 +0200 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:2928): pan_ldap_ctrl_search_single_group() failed for 'cn=pa_vectorsf,ou=firewall_groups,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:58.587 +0200 Error: pan_ldap_ctrl_query_limited_groups(pan_ldap_ctrl.c:3030): pan_ldap_ctrl_query_single_included_group() failed
2016-04-19 09:01:58.638 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=pa_vdi_externos,ou=firewall_groups,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:58.638 +0200 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:2928): pan_ldap_ctrl_search_single_group() failed for 'cn=pa_vdi_externos,ou=firewall_groups,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:58.638 +0200 Error: pan_ldap_ctrl_query_limited_groups(pan_ldap_ctrl.c:3030): pan_ldap_ctrl_query_single_included_group() failed
2016-04-19 09:01:58.788 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=vdi_sap_deloitte_sin_office,ou=vdi-nutanix,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:58.788 +0200 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:2928): pan_ldap_ctrl_search_single_group() failed for 'cn=vdi_sap_deloitte_sin_office,ou=vdi-nutanix,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:58.788 +0200 Error: pan_ldap_ctrl_query_limited_groups(pan_ldap_ctrl.c:3030): pan_ldap_ctrl_query_single_included_group() failed
2016-04-19 09:01:59.152 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=pa_vdi_ipm,ou=firewall_groups,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:59.152 +0200 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:2928): pan_ldap_ctrl_search_single_group() failed for 'cn=pa_vdi_ipm,ou=firewall_groups,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:59.152 +0200 Error: pan_ldap_ctrl_query_limited_groups(pan_ldap_ctrl.c:3030): pan_ldap_ctrl_query_single_included_group() failed
2016-04-19 09:01:59.153 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=pa_vdi_opentrends,ou=firewall_groups,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:59.153 +0200 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:2928): pan_ldap_ctrl_search_single_group() failed for 'cn=pa_vdi_opentrends,ou=firewall_groups,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
2016-04-19 09:01:59.153 +0200 Error: pan_ldap_ctrl_query_limited_groups(pan_ldap_ctrl.c:3030): pan_ldap_ctrl_query_single_included_group() failed
2016-04-19 09:01:59.233 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=cc-1129,ou=cc_groups,ou=security groups,ou=groups,ou=mng,dc=intranet,dc=xxxxx,dc=es'
04-20-2016 07:02 AM
Hi
it seems you're using SSL, are you sure ssl is enabled on the active directory ?
you could try disabling ssl to see if that clears your issue
you mention users are working fine: do you mean user to IP mapping works? this is usually collected through a userID agent or clientless WMI configuration on the firewall, this is a different type of channel
hope this helps
Tom
04-21-2016 01:50 AM
Palo Alto tries to connect using LDAPs, first attempt fails but second one works.
On the other hand, you can see a lot of errors getting groups and moving user to dplane.
We don't know why we see these errors. Users are working fine, so they didn't report a problem. Just one time two groups lost mapping and they reported a problem....
04-22-2016 12:33 AM
How this commns will affect to the service???
Please try restarting the User-ID
> debug software restart process user-id
> debug user-id reset user-id-agent all
04-22-2016 02:02 AM
the userid process is responsible for using the ldap profile to fetch group information, so resetting that service should help restore connectivity
not sure why you'd want to reset the user-id agents
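A way to triage a useridd.log paste like the one in the first post, as an added example that is not part of the original thread: it rejoins terminal-wrapped entries, drops pager residue, and reports which servers needed a StartTLS-then-ldaps retry and which group DNs failed to resolve. The function names, the server address and the DNs in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample shaped like the useridd.log excerpt in the thread: copied
# from a pager, so entries are wrapped mid-token and escape residue is mixed in.
SAMPLE = (
    "2016-04-19 09:01:58.577 +0200 connecting to ldap://[192.0.2.10]:636 with StartTLS...\n"
    "2016-04-19 09:01:58.579 +0200 Error: pan_ldap_init_ex(pan_ldap.c:252): start_tls_s return(-1) : Can't contact LDAP server\n"
    "2016-04-19 09:01:58.579 +0200 connecting to ldaps://[192.0.2.10]:636 ...\n"
    "\x1b[44;1H\x1b[K\x1b[7m99%\x1b[27m\x1b[K2016-04-19 09:01:58.587 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=grp_a,ou=gro\n"
    "ups,dc=example,dc=com'\n"
    "2016-04-19 09:01:58.587 +0200 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:2928): pan_ldap_ctrl_search_single_group() failed for 'cn=grp_a,ou=groups,dc=example,dc=com'\n"
    "2016-04-19 09:01:58.638 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=grp_b,ou=groups,dc=example,dc=com'\n"
    "2016-04-19 09:06:58.601 +0200 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:2657): failed to get group obj for 'cn=grp_a,ou=groups,dc=exam\n"
    "ple,dc=com'\n"
)

TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} ")
ESC = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")  # ANSI cursor/colour sequences
CONNECT = re.compile(r"connecting to (ldaps?)://\[([^\]]+)\]:(\d+)( with StartTLS)?")
GROUP_FAIL = re.compile(r"search_single_group\(.*failed to get group obj for '([^']*)'")

def records(text):
    """Rebuild one string per log entry from wrapped, residue-laden lines."""
    out = []
    for line in text.splitlines():
        line = ESC.sub("", line)
        m = TS.search(line)
        if m:
            out.append(line[m.start():])  # discard pager residue before the timestamp
        elif out:
            out[-1] += line               # wrapped continuation of the previous entry
    return out

def summarize(text):
    fallback, failed, pending = [], Counter(), None
    for rec in records(text):
        msg = rec[TS.match(rec).end():]
        c = CONNECT.match(msg)
        if c:
            scheme, host, port, starttls = c.groups()
            if starttls:
                pending = (host, int(port))   # 636 is conventionally the implicit-TLS port
            elif scheme == "ldaps" and pending == (host, int(port)):
                fallback.append(pending)      # StartTLS attempt was retried as ldaps://
                pending = None
            continue
        g = GROUP_FAIL.search(msg)            # count only the innermost error per lookup
        if g:
            failed[g.group(1)] += 1
    return {"starttls_fallback": fallback, "failed_groups": failed}
```

Counting only the `pan_ldap_ctrl_search_single_group` entries avoids tallying each failed lookup three times, since the two caller functions log the same failure again.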