06-25-2014 08:06 AM
Hello,
I have group mappings present on the Primary Firewall, not passing to the secondary Firewall. Specifically for a new group created today. I have tried the various debug refresh commands on both boxes to attempt to get the secondary box to pull the new group, but no joy. Can anyone suggest what the issue here may be? As far as the secondary box is concerned it doesn't exist. Which is kind of important as that box is primary for connectivity for a certain subnet that I cannot enforce a policy on based on group membership.
Many thanks
06-26-2014 02:45 AM
Hi
Did you happen to check the filter in the Device tab > User Identification > Group Mapping Settings?
There could be a filter here that prevents the new group from showing up.
Regards
Tom
07-03-2014 08:56 AM
Hello,
No filter that is relevant to the group in question. It has got worse: we have a new user that's been added in AD, it can be seen on the Primary but not on the Secondary, even after a day. Also the group number enumeration between the two is not the same. Any ideas why the secondary is not syncing up with the user-id and group information from the primary?
07-03-2014 03:18 PM
Does the secondary show a correctly connected IP address:
> show user user-id-agent state <your-id-agent-name>
Does a force sync change the status:
> debug user-id refresh group-mapping (Name of group-mapping, or all)
07-09-2014 11:51 AM
What version of PAN-OS are you running on the two HA peers? The new user that was added, was he added to a group called "domain users"?