08-05-2010 09:36 AM
Hi guys,
Pan-agent is not working as it should be.
When I run the statistics command, I get the following info:
admin@PA-500-BBDO> show user pan-agent statistics
Name IP Address Port Vsys State Users Grps IPs Activity Cnts Link Speed
----------------------------------------------------------------------------------------------------------------------
ADAgent 192.168.0.2 3033 vsys1 connected, ok 292 15 162 46595 fast
But when I run the ip-user mapping command, I get the following info:
admin@PA-500-BBDO> show user ip-user-mapping all
IP Ident. By User Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.2.36 AD bbdomexico\carmen-c 2083 2083
192.168.1.195 UNKNOWN unknown 296 1196
10.0.2.235 UNKNOWN unknown 128 428
192.168.1.3 AD bbdomexico\ana-re 2083 2083
192.168.2.16 AD bbdomexico\olmos_j 2083 2083
192.168.2.13 AD bbdomexico\javier-b 2083 2083
192.168.0.7 AD bbdomexico\backup1 2084 2084
192.168.2.101 UNKNOWN unknown 682 1582
192.168.2.99 AD bbdomexico\proximity01 2083 2083
192.168.1.189 UNKNOWN unknown 234 1134
192.168.2.27 AD bbdomexico\teresa-e 2083 2083
192.168.2.234 AD bbdomexico\baruch-o 2448 2448
192.168.10.11 AD bbdomexico\saul-s 2083 2083
192.168.1.158 AD bbdomexico\chantal-o 2083 2083
192.168.2.47 AD bbdomexico\beatriz-p 2083 2083
192.168.1.5 AD bbdomexico\andres-c 2083 2083
192.168.2.233 UNKNOWN unknown 463 1363
192.168.2.18 AD bbdomexico\manuel-c 2083 2083
.
.
.
.
192.168.1.127 UNKNOWN unknown 628 1528
192.168.10.67 AD bbdomexico\omdresearch 2863 2863
Total: 193 users
I ran the pan-agent user-IDs command and got the following info:
admin@PA-500-BBDO> show user pan-agent user-IDs
User Name Vsys Groups
------------------------------------------------------------------
bbdomexico\antonio-mo vsys1 bbdomexico\domain users
bbdomexico\mailusers
bbdomexico\omd
bbdomexico\users
bbdomexico\tania-m vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\jesus-g vsys1 bbdomexico\domain users
bbdomexico\mailusers
bbdomexico\omd
bbdomexico\users
bbdomexico\christian-s vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\laura_r vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\jorge-m vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\antonio-a vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\fabiola-s vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\trainee03 vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\patricia-m vsys1 bbdomexico\domain users
bbdomexico\mailusers
bbdomexico\omd
bbdomexico\users
bbdomexico\sandra vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\edgar-ri vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\ana-h vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\iusr_bbdodc3 vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\javier-e vsys1 bbdomexico\domain users
bbdomexico\trafico_
bbdomexico\users
bbdomexico\luis-g vsys1 bbdomexico\domain users
bbdomexico\users
bbdomexico\trainee04 vsys1 bbdomexico\domain users
bbdomexico\trafico_
bbdomexico\users
Is this happening due to a bug, or is there something else that I have to configure? This is the fourth time in 8 months that this has happened.
And PANTAC Support has no answer for it.
I have PAN-OS 3.1.3.
Hope you can help me.
Thanks in advance.
08-05-2010 07:34 PM
Hello
Please check the following.
1. From the pan-agent, enter the IP address that reports unknown and see if it also reports the user as known.
192.168.1.195 UNKNOWN unknown
2. From the CLI type "show user ip-user-mapping ip 192.168.1.195". It should show AD user information.
3. Try stopping the PAN-AGENT and restarting it.
4. Try executing from CLI "debug device-server reset pan-agent all"
If the issue still exists, let me know so we can maybe set up a web meeting to troubleshoot the issue.
Thanks
Al Camacho
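To apply steps 1 and 2 above to every unmapped address instead of one at a time, the following added example (not part of the original posts, and not Palo Alto code) parses pasted `show user ip-user-mapping all` output, counts UNKNOWN entries per /24, and builds the per-IP lookup commands. The sample rows are constructed from lines shown in this thread; the function names are hypothetical, and it assumes user names contain no spaces.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: rows in the flattened shape shown in this thread.
SAMPLE = r"""admin@PA-500-BBDO> show user ip-user-mapping all
IP Ident. By User Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.2.36 AD bbdomexico\carmen-c 2083 2083
192.168.1.195 UNKNOWN unknown 296 1196
10.0.2.235 UNKNOWN unknown 128 428
192.168.1.3 AD bbdomexico\ana-re 2083 2083
192.168.2.101 UNKNOWN unknown 682 1582
192.168.1.189 UNKNOWN unknown 234 1134
.
Total: 193 users
"""

# One data row: IP, identification source, user, idle timeout, max timeout.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_mappings(text):
    """Return one dict per mapping row; prompt, header, dots and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, source, user, idle, max_ttl = m.groups()
        try:
            ipaddress.ip_address(ip)  # reject octets > 255 that the regex lets through
        except ValueError:
            continue
        rows.append({"ip": ip, "source": source, "user": user,
                     "idle": int(idle), "max": int(max_ttl)})
    return rows

def unknown_by_subnet(rows, prefix=24):
    """Count UNKNOWN entries per subnet to see whether they cluster on one segment."""
    counts = Counter()
    for r in rows:
        if r["source"] == "UNKNOWN":
            net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
            counts[str(net)] += 1
    return dict(counts)

def followup_commands(rows):
    """Build the per-IP lookup from step 2 for every unmapped address."""
    return [f"show user ip-user-mapping ip {r['ip']}"
            for r in rows if r["source"] == "UNKNOWN"]

if __name__ == "__main__":
    parsed = parse_mappings(SAMPLE)
    print(unknown_by_subnet(parsed))
    print("\n".join(followup_commands(parsed)))
```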
08-06-2010 08:14 AM
Hi Al,
1. IP 192.168.1.195 is working right now. But, for instance, for 192.168.2.101, in pan-agent I see the user as unknown; attached is the screenshot.
2. From the CLI command, I have this info:
admin@PA-500-BBDO> show user ip-user-mapping ip 192.168.2.101
IP address: 192.168.2.101
User: unknown
Ident. By: UNKNOWN
Idle Timeout: 817s
Max. TTL: 1717s
Groups that user belong to (used in policy)
3. I have stopped and restarted the pan-agent, but it still shows me many users as unknown.
4. admin@PA-500-BBDO> debug device-server reset pan-agent all
Pan-agent reset all connections.
After I reset the connections, I see this info.
admin@PA-500-BBDO> show user ip-user-mapping ip 192.168.2.101
IP address: 192.168.2.101
User: unknown
Ident. By: UNKNOWN
Idle Timeout: 597s
Max. TTL: 1497s
Groups that user belong to (used in policy)
I see this info with another user:
admin@PA-500-BBDO> show user ip-user-mapping ip 192.168.1.3
IP address: 192.168.1.3
User: bbdomexico\ana-re
Ident. By: AD
Idle Timeout: 186s
Max. TTL: 186s
Groups that user belong to (used in policy)
But in the pan-agent app, I see the users as unknown. Attached you will find the screenshot.
Is there anything else that I should do?
Thanks in advance.
08-06-2010 05:39 PM
Hello
At this point we might need to set up a web meeting so we can do more troubleshooting.
Please let me know if you are free on Monday and what time works.
Thanks
Al
08-07-2010 07:06 AM
Have you tried a 'debug software restart device-server'?
It restarts the comms between everything internally... worked for me a couple of times with userID issues with the PANagent.
08-09-2010 10:43 AM
Hi,
I have tried the CLI command that you advised.
But I still have the same problem.
Any other advice that you have?
Thanks.
08-09-2010 06:23 PM
Hello
Please open a case or contact your local distributor to troubleshoot this issue.
Thank you
08-10-2010 07:38 AM
I have opened two cases, and it looks like you do not care about it.
I have cases 18948 and 18951. I have just received a call about case 18951, and the guy restarted the PAN Agent services and changed some configuration options, but I have the same problem.
By the way, my local distributor has no idea what is happening with the device; they just told me that I have to contact you.
I wonder if you could have time to troubleshoot this, or at least give me some ideas in order to fix this issue.
Thanks in advance.
08-10-2010 09:02 AM
Hello
Apologies, I did not realize that you already had cases open. I will follow up with the folks who are assigned these cases and we will get back to you.
Thank you
Al
09-08-2010 05:20 AM
Hi,
Any news on this case? I have the same problem. Already opened a case and no news.
Any info on how to fix this issue would be great.
09-08-2010 01:35 PM
Please contact your Support provider for any case status you are looking for.
11-17-2010 07:54 AM
At this moment I have already opened 4 cases regarding the same issue. I do not know if you have solved this or if there is no solution.
What do I need to do?
To whom do I have to report this issue?
11-22-2010 11:57 AM
Please contact Support with your existing case numbers so that they can correlate them and get the issue resolved for you.