Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Failed to execute op command

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Failed to execute op command

L3 Networker

We frequently face an error for fetching the group-mapping in the user-id tab. The error is normally shown up as failed to execute op command. One of the reason can be invalid credentials in the ldap configuration

opcommand1.PNG.png

Troubleshoot this error with Tail follow yes mp-log userid-log

2014-05-04 14:31:21.052 +0400 connecting to ldap://[192.168.0.199]:389 ...

2014-05-04 14:31:21.056 +0400 Error:  pan_ldap_bind_simple(pan_ldap.c:393): ldap_sasl_bind result return(49) : Invalid credentials

2014-05-04 14:31:21.056 +0400 Error:  pan_user_get_ldap(pan_group_selection_n.c:67): pan_ldap_bind()  failed

2014-05-04 14:31:21.056 +0400 Error:  cfgagent_doop_callback(pan_cfgagent.c:503): Failed to handle op command for agent:

useridd

Reconfigure the credentials in the ldap profile

password change.PNG.png

After changing the credentials, the groups can be pulled.

group-mapping.PNG.png

2014-05-04 14:32:53.760 +0400 connecting to ldap://[192.168.0.199]:389 ...

2014-05-04 14:32:55.860 +0400 connecting to ldap://[192.168.0.199]:389 ..

Aamir Khan

5 REPLIES 5

L7 Applicator

Hello Aamir,

Are you using windows 2012 server in your set-up..?

Thanks

Yes it is Server 2012.

Hello Aamir,

As TAC support for UID agent running on Windows 2012 is not available, Also for Terminal Server Agent on Windows 2012, I do see a feature request (FR ID : 3062) submitted to our development team.

Topic: Terminal Server Agent / Windows Server 2012 Support

Priority: High

FR ID: 3062

Please get in touch with your Palo Alto SE for the roadmap.

Apart from the above mentioned error, few customers confirmed the set-up running fine into their environment.


Refference : https://live.paloaltonetworks.com/message/27804#27804


Thanks


I am using agent less and not the user-id agent. Besides this document is used to counter the error upon fetching the group mapping so that we can use it for Ldap authentication.

L0 Member

Just for anyone interested - I had an intermittent issue with the error "Failed to execute op command" which I traced to be an issue with resolving DNS. It seems a DNS request was made each time and this was not reliable.

I changed server address from FQDN to IP addresses to resolve the problem.

Steve

  • 5422 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!