Issue with PAN-AGENT

Reply
BBDOmexico
L1 Bithead

Issue with PAN-AGENT

Hi guys,

Pan-agent is not working as it should be.

When I run the statistics command, I get the following info:

admin@PA-500-BBDO> show user pan-agent statistics

Name             IP Address      Port    Vsys        State             Users  Grps  IPs       Activity Cnts Link Speed
----------------------------------------------------------------------------------------------------------------------
ADAgent        192.168.0.2     3033    vsys1       connected, ok     292    15    162       46595         fast

But, when I run the ip-user mapping command, I got the following info

admin@PA-500-BBDO> show user ip-user-mapping all

IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.2.36    AD        bbdomexico\carmen-c              2083             2083
192.168.1.195   UNKNOWN   unknown                          296              1196
10.0.2.235      UNKNOWN   unknown                          128              428
192.168.1.3     AD        bbdomexico\ana-re                2083             2083
192.168.2.16    AD        bbdomexico\olmos_j               2083             2083
192.168.2.13    AD        bbdomexico\javier-b              2083             2083
192.168.0.7     AD        bbdomexico\backup1               2084             2084
192.168.2.101   UNKNOWN   unknown                          682              1582
192.168.2.99    AD        bbdomexico\proximity01           2083             2083
192.168.1.189   UNKNOWN   unknown                          234              1134
192.168.2.27    AD        bbdomexico\teresa-e              2083             2083
192.168.2.234   AD        bbdomexico\baruch-o              2448             2448
192.168.10.11   AD        bbdomexico\saul-s                2083             2083
192.168.1.158   AD        bbdomexico\chantal-o             2083             2083
192.168.2.47    AD        bbdomexico\beatriz-p             2083             2083
192.168.1.5     AD        bbdomexico\andres-c              2083             2083
192.168.2.233   UNKNOWN   unknown                          463              1363
192.168.2.18    AD        bbdomexico\manuel-c              2083             2083
.

.

.

.

192.168.1.127   UNKNOWN   unknown                          628              1528
192.168.10.67   AD        bbdomexico\omdresearch           2863             2863
Total: 193 users

I run the pan-agent user-IDs, and I got the next info

admin@PA-500-BBDO> show user pan-agent user-IDs

User Name                       Vsys    Groups
------------------------------------------------------------------
bbdomexico\antonio-mo           vsys1   bbdomexico\domain users
                                        bbdomexico\mailusers
                                        bbdomexico\omd
                                        bbdomexico\users
bbdomexico\tania-m              vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\jesus-g              vsys1   bbdomexico\domain users
                                        bbdomexico\mailusers
                                        bbdomexico\omd
                                        bbdomexico\users
bbdomexico\christian-s          vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\laura_r              vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\jorge-m              vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\antonio-a            vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\fabiola-s            vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\trainee03            vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\patricia-m           vsys1   bbdomexico\domain users
                                        bbdomexico\mailusers
                                        bbdomexico\omd
                                        bbdomexico\users
bbdomexico\sandra               vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\edgar-ri             vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\ana-h                vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\iusr_bbdodc3         vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\javier-e             vsys1   bbdomexico\domain users
                                        bbdomexico\trafico_
                                        bbdomexico\users
bbdomexico\luis-g               vsys1   bbdomexico\domain users
                                        bbdomexico\users
bbdomexico\trainee04            vsys1   bbdomexico\domain users
                                        bbdomexico\trafico_
                                        bbdomexico\users

This is happening due to a bug, or there is something else that I have to configure. Because, this is the fourth time in 8 months that this happens.

And PANTAC Support has no answer for it.

I have PAN OS 3.1.3

Hope you could help me.

Thanks in advance.

acamacho
L3 Networker

Hello

Please check the following.

1. From the pan-agent enter the IP address that report unknown and see if it also reports the user as known.

192.168.1.195 UNKNOWN unknown

2. From the CLI type "show user ip-user-mapping ip 192.168.1.195". it should show AD user information.

3. Try stopping the PAN-AGENT and restarting it.

4. Try executing from CLI "debug device-server reset pan-agent all"

If the issue still exist let me know so we can maybe setup a web meeting to troubleshoot the issue.

Thanks

Al Camacho

BBDOmexico
L1 Bithead

Hi Al,

1. For IP 192.168.1.195 is working right now. But for instance, 192.168.2.101, in pan-agent I see the user as unknown, attached is the screenshot.

2. From cli-command, I have this info.

admin@PA-500-BBDO> show user ip-user-mapping ip 192.168.2.101

IP address:  192.168.2.101
User:        unknown
Ident. By:   UNKNOWN
Idle Timeout: 817s
Max. TTL:    1717s
Groups that user belong to (used in policy)

3. I have stoped and restarted the pan-agent, but it stills show me many users as unkown.

4. admin@PA-500-BBDO> debug device-server reset pan-agent all

Pan-agent reset all connections.

After I reset the connections, I see this info.

admin@PA-500-BBDO> show user ip-user-mapping ip 192.168.2.101

IP address:  192.168.2.101
User:        unknown
Ident. By:   UNKNOWN
Idle Timeout: 597s
Max. TTL:    1497s
Groups that user belong to (used in policy)

I see this info with another user,

admin@PA-500-BBDO> show user ip-user-mapping ip 192.168.1.3

IP address:  192.168.1.3
User:        bbdomexico\ana-re
Ident. By:   AD
Idle Timeout: 186s
Max. TTL:    186s
Groups that user belong to (used in policy)

But in pan-agent app, I see the users as unkown. Attached you will find the screenshot.

Is there anything else that I shoul do.

Thanks in advance.

acamacho
L3 Networker

Hello

At this point we might need to setup a web meeting so we can do more trouble shooting.

Please let me if you are free on Monday and what time works.

Thanks

Al

dbridges
Not applicable

have you tried a 'debug software restart device-server'

restarts the comms between everythign internally... worked for ame a couple of times with userID issues with the PANagent..

BBDOmexico
L1 Bithead

Hi,

I have tried with the cli commonad that you advised me.

But I still have the same problem.

Any other advise that you have.

Thanks.

acamacho
L3 Networker

Hello

Please open a case or contact your local distributor to trouble shoot this issue.

Thanks you

BBDOmexico
L1 Bithead

I have opened two cases, and it looks that you don not care about it.

I have the case 18948 and 18951. I have just received a call, from case 18951, and the guy restart the PAN Agent services, he chenged some configuration options, but  I have the same problem.

By the way, my local distributor has no idea what is happening with the device, they just told me that I have to contact you.

I wonder you could have time for trobleshoot this, or at leats give me some ideas in order to fix this issue.

Thanks in advance.

acamacho
L3 Networker

Hello

Apologies I did not realize that you already had cases open. I will follow up with the folks who are assigned these cases and we will get back to you.

Thank you

Al

s.koehler
L1 Bithead

Hi,

any news on this case? I have the same problem. Already opend a case and no news.

Any info on how to fix this issue would be great.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!