06-25-2012 03:24 AM
Hi all,
I'm having an IP-user mapping problem with my PA-500 unit running software version 3.1.8.
This unit is due to be upgraded shortly, but it would really be appreciated if anybody knew a way of resolving my issue without rebooting the unit please. Downtime is difficult.
User Identification Agent is installed on a Windows machine and is able to obtain and display username information. Clicking on "Get All" in the agent returns a full list of users and IPs.
The PA-500 has a pan-agent connection defined pointing at the above server and until last week has worked perfectly. This week the PA-500 does not seem to be able to resolve IPs to users.
From the command line the "show user pan-agent statistics" command returns the following:
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
Name IP Address Port Vsys State Users Grps IPs Activity Timer(s) Domain Index
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
xxxxxxx.xxxx xx.xx.xx.xx 12345 vsys1 *connected, ok 696 336 355563 793 300 xxxxxxxxxxxxx 0
"show user ip-user-mapping" returns the following:
IP Ident. By User Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
Total: 0 users
If I do the above command on another of my PA units I get a list of the address mappings back. (I don't have any other 3.1x boxes to compare with, though, only 4.1x boxes.)
To me, it looks as though the agent is working OK and that the PA unit has made a connection to it. Is there something on the PA unit I can reset? I've tried clearing the user-cache but that has made no difference.
Any help appreciated!
Thanks,
Dave
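The symptom in the post above (agent row shows connected with users, firewall mapping table shows "Total: 0 users") can be checked automatically. This is an added example, not part of the original post or any Palo Alto Networks tooling; the function names are hypothetical and the column layout is assumed to match the PAN-OS 3.1.8 output quoted above.

```python
import re

# Constructed sample input: the two CLI outputs as quoted in the post
# (redacted values kept as posted, ruler lines omitted).
AGENT_STATS = """\
Name IP Address Port Vsys State Users Grps IPs Activity Timer(s) Domain Index
xxxxxxx.xxxx xx.xx.xx.xx 12345 vsys1 *connected, ok 696 336 355563 793 300 xxxxxxxxxxxxx 0
"""
MAPPING_TABLE = """\
IP Ident. By User Idle Timeout (s) Max. Timeout (s)
Total: 0 users
"""

# State may contain spaces ("*connected, ok"), so it is matched lazily
# between the vsys field and the run of numeric counters.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<vsys>\S+)\s+"
    r"(?P<state>.+?)\s+(?P<users>\d+)\s+(?P<grps>\d+)\s+(?P<ips>\d+)\s+"
    r"(?P<activity>\d+)\s+(?P<timer>\d+)\s+(?P<domain>\S+)\s+(?P<index>\d+)$"
)
TOTAL = re.compile(r"^Total:\s*(\d+)\s+users", re.M)
INT_FIELDS = ("port", "users", "grps", "ips", "activity", "timer", "index")

def parse_agents(text):
    """Return one dict per agent row; header and ruler lines do not match."""
    agents = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row.update({k: int(row[k]) for k in INT_FIELDS})
            agents.append(row)
    return agents

def mapping_total(text):
    """Read N from the 'Total: N users' footer of the mapping table."""
    m = TOTAL.search(text)
    if m is None:  # e.g. the "Server error" reply instead of a table
        raise ValueError("no 'Total: N users' line found")
    return int(m.group(1))

def find_stalled_agents(stats_text, mapping_text):
    """Agents that report users while the firewall holds no mappings."""
    if mapping_total(mapping_text) > 0:
        return []
    return [a["name"] for a in parse_agents(stats_text)
            if a["state"].lstrip("*").startswith("connected") and a["users"] > 0]
```

An empty mapping table means user-based policy rules stop matching, so a non-empty result is worth alerting on.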
06-25-2012 06:13 AM
There's a "debug user-id reset user-id-agent all" command I've had success with in the past.
There's also a process you can restart under "debug software restart" but I don't remember on PAN-OS 3.1 if it's user-id or pan-agent.
06-26-2012 04:44 AM
Thanks for this.
I have tried a "debug device-server reset pan-agent all" but since issuing this command, if I try to view the "ip-user-mapping" table I just get the message below:
"Server error : Failed to get response from device server. Please try again later."
Is it possible to restart the device server itself or is that pretty much a reboot?
Thanks,
Dave
06-26-2012 09:28 AM
Yes!
debug software restart device-server
But I've heard of mixed results with restarting the device server and problems with the URL filtering, at least in PAN-OS 4.0. After the device server comes back up, show system resources follow and look for devsrvr, and make sure your URL filtering is working (if you have the license).
06-29-2012 01:09 AM
Hi, thanks for this.
We ended up rebooting our device in the end. It just stopped forwarding packets after a compile. Upon rebooting full service has been restored - including IP - user mapping 🙂
Many thanks,
Dave