
IP - User mapping has stopped working


Hi all,

I'm having an IP-user mapping problem with my PA-500 unit running software version 3.1.8.

This unit is due to be upgraded shortly, but it would really be appreciated if anybody knew a way of resolving my issue without rebooting the unit please.  Downtime is difficult.

User Identification Agent is installed on a Windows machine and is able to obtain and display username information.  Clicking on "Get All" in the agent returns a full list of users and IPs.

The PA-500 has a pan-agent connection defined  pointing at the above server and until last week has worked perfectly.  This week the PA-500 does not seem to be able to resolve IPs to users.

From the command line the "show user pan-agent statistics" command returns the following:

---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
Name             IP Address      Port  Vsys     State             Users  Grps   IPs      Activity Timer(s) Domain          Index
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
xxxxxxx.xxxx     xx.xx.xx.xx     12345 vsys1   *connected, ok     696    336    355563   793      300      xxxxxxxxxxxxx   0

"show user ip-user-mapping" returns the following:

IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
Total: 0 users

If I do the above command on another of my PA units I get a list of the address mappings back. (I don't have any other 3.1x boxes to compare with though, only 4.1x boxes.)

To me, it looks as though the agent is working OK and that the PA unit has made a connection to it.  Is there something on the PA unit I can reset?  I've tried clearing the user-cache but that has made no difference.

Any help appreciated!

Thanks,

Dave
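
A check for the symptom described in the post above (agent connected and reporting IPs while the firewall's mapping table is empty), as an added example that is not part of the original thread. It parses the text of the two CLI outputs in the layout shown in the post; the function names and sample values are constructed, and other PAN-OS versions may print different columns.

```python
import re

# Row of "show user pan-agent statistics". The State column can contain a
# space ("*connected, ok"), so it is matched lazily up to the numeric columns.
AGENT_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<vsys>\S+)\s+"
    r"(?P<state>.+?)\s+(?P<users>\d+)\s+(?P<groups>\d+)\s+(?P<ips>\d+)\s+"
    r"(?P<activity>\d+)\s+(?P<timer>\d+)\s+(?P<domain>\S+)\s+(?P<index>\d+)\s*$"
)
TOTAL = re.compile(r"^Total:\s*(\d+)\s+users", re.MULTILINE)
INT_COLS = ("port", "users", "groups", "ips", "activity", "timer", "index")
# Constructed sample outputs in the layout shown in the post (not real data).
SAMPLE_AGENTS = """\
Name             IP Address      Port  Vsys     State             Users  Grps   IPs      Activity Timer(s) Domain          Index
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
agent1.example   192.0.2.10      12345 vsys1   *connected, ok     696    336    355563   793      300      EXAMPLE         0
"""
SAMPLE_MAPPING = """\
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
Total: 0 users
"""

def parse_agents(text):
    """Return one dict per agent row; header and separator lines do not match."""
    agents = []
    for line in text.splitlines():
        m = AGENT_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row.update({k: int(row[k]) for k in INT_COLS})
            agents.append(row)
    return agents

def mapping_total(text):
    """Return N from 'Total: N users', or None when that line is absent."""
    m = TOTAL.search(text)
    return int(m.group(1)) if m else None

def check_userid(agent_text, mapping_text):
    """Flag agents that look healthy while the firewall holds no mappings."""
    findings, total = [], mapping_total(mapping_text)
    if total is None:  # e.g. the device-server error quoted later in the thread
        findings.append("mapping table unreadable (no Total line)")
    for a in parse_agents(agent_text):
        if "connected, ok" not in a["state"]:  # assumption: the healthy state seen in the post
            findings.append(f"{a['name']}: agent state is {a['state']!r}")
        elif a["ips"] > 0 and total == 0:
            findings.append(f"{a['name']}: agent reports {a['ips']} IPs but mapping table is empty")
    return findings
```
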


There's a "debug user-id reset user-id-agent all" command I've had success with in the past.

There's also a process you can restart under "debug software restart" but I don't remember on PAN-OS 3.1 if it's user-id or pan-agent.

Thanks for this.

I have tried a "debug device-server reset pan-agent all" but since issuing this command if I try to view the "ip-user-mapping" table I just get the message below:

"Server error : Failed to get response from device server. Please try again later."

Is it possible to restart the device server itself or is that pretty much a reboot?

Thanks,

Dave

Yes!

debug software restart device-server

But I've heard of mixed results with restarting the device server and problems with the URL filtering, at least in PAN-OS 4.0. After the device server comes back up, show system resources follow and look for devsrvr, and make sure your URL filtering is working (if you have the license).

Hi, thanks for this.

We ended up rebooting our device in the end.  It just stopped forwarding packets after a compile.  Upon rebooting full service has been restored - including IP - user mapping 🙂

Many thanks,

Dave
