Intermittent username drops

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Intermittent username drops

L4 Transporter

Username-IP mappings intermittently stops and traffic logs show just IP but not username. And mapping happens after sometime automatically. This is limiting me from creating rules based on usernames. What might be the reason?

 

Thanks.

7 REPLIES 7

Cyber Elite
Cyber Elite

@SThatipelly,

More than likely you are running into a timeout for the User-ID info. Do you know what you have your 'User Identification Timeout' value set to? 

This can be found under the 'Device' tab under the 'User Identifcation' section. 

480 mins 

@SThatipelly,
That should be allowing enough time in most environments. Can you explain your setup a little more. Specifically what are you monitoring as a source and whether you use the agentless or agent. It sounds like this is indeed your problem, just trying to figure out if we can redesign your user-id setup without having to increase the age out.

Hello,

Also where are you getting the logs from? I found Exchange is sometimes better since Outlook is authenticating to it quite frequently so the IP to username mappings are pretty up to date.

 

Regards,

L7 Applicator

Could you also confirm if this is happening to random users. Or are you losing all ip mappings. This may assist in whether your issue is with user-id timeouts or coniguration/communication issues.

L1 Bithead

We've been running into some UID mapping issues, running in agentless mode.  It turns out that since we have multiple domains, we weren't uspposed to be using agentless.  Instead, PAN advised us to stand up a vm/server in each domain and put an agent on it that can reach out and query the DCs.  We were having the same issue, where we were only getting 50-60% of the UIDs.  Sometimes we'd get UID, and then it would just drop.  We also tried doing switch user, and the UID would still be for the first user.

 

Or you can enforce Captive Portal, but that's really more of a catch-all.

 

Yes. I too was adviced to install user-id agent. 

Are they sure if this could fix the issue? 

  • 3418 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!