hello Asia,
the ttl on the Paloalto device is 1hour (3600 seconds) by default. By the way, this setting is not configurable on the Paloalto device.
So, the Paloalto device will ask the pan agent for the user ip mapping and once it gets it, it will give a ttl (time to live) of 3600 seconds.
Now the Paloalto device will continue to ask the User identification agent every few seconds (like 5-10 seconds) for any changes in the user to ip mapping. IF there is no change in the user information, then the count down will continue. If there is a new user for that ip, then the Paloalto device will assign that new user and new ttl. If that ttl expires then the user will go to "unknown".
The Paloalto device will also ask the user identification agent for a fresh new user to ip mapping list every hour.
One more detail is that if the user's ttl has expired and the user is now unknown, he will remain unknown until one of three things happen:
1. the Paloalto device sees traffic for that ip...at that time the paloalto device will ask the user identification agent for mappping information for that IP
2. One hour has gone by and the Paloalto device asks for a fresh new user list and that ip now has a user
3. A user is provided for that ip by the user identification agent during one of those 5-10 second queries from the paloalto device to the user identification agent
So, as you can see all of the above scenarios can affect the ttl and cause it to start again.
Also the Age-out timeout on the user identificatioin agent has nothing to do with the ttl on the Paloalto device. Here is a definition of the age-out timeout:
Age-out Timeout (min.): how long entries in the IP to username cache kept by the agent
are valid. Current entries can be viewed from the main User Identification Agent Screen
under IP to Username Information, as in the graphic below, 45 minute default.
Hope this helps 
hello Asia,
the ttl on the Paloalto device is 1hour (3600 seconds) by default. By the way, this setting is not configurable on the Paloalto device.
So, the Paloalto device will ask the pan agent for the user ip mapping and once it gets it, it will give a ttl (time to live) of 3600 seconds.
Now the Paloalto device will continue to ask the User identification agent every few seconds (like 5-10 seconds) for any changes in the user to ip mapping. IF there is no change in the user information, then the count down will continue. If there is a new user for that ip, then the Paloalto device will assign that new user and new ttl. If that ttl expires then the user will go to "unknown".
The Paloalto device will also ask the user identification agent for a fresh new user to ip mapping list every hour.
One more detail is that if the user's ttl has expired and the user is now unknown, he will remain unknown until one of three things happen:
1. the Paloalto device sees traffic for that ip...at that time the paloalto device will ask the user identification agent for mappping information for that IP
2. One hour has gone by and the Paloalto device asks for a fresh new user list and that ip now has a user
3. A user is provided for that ip by the user identification agent during one of those 5-10 second queries from the paloalto device to the user identification agent
So, as you can see all of the above scenarios can affect the ttl and cause it to start again.
Also the Age-out timeout on the user identificatioin agent has nothing to do with the ttl on the Paloalto device. Here is a definition of the age-out timeout:
Age-out Timeout (min.): how long entries in the IP to username cache kept by the agent
are valid. Current entries can be viewed from the main User Identification Agent Screen
under IP to Username Information, as in the graphic below, 45 minute default.
Hope this helps
