03-01-2013 09:04 AM
Hello,
I've got UI agent 4.1.6 configured on PanOS 4.1.9.
We have around 3000 users and in agent we see only around 700 user-mapping count.
In the logs we get the below error for a lot of IPs and I guess that's why we don't get all users. I've tried to disable WMI but it still doesn't work.
Has anyone experienced a similar issue?
2/22/13 08:17:29:688[ Info 856]: IP 10.76.15.140 is already in the probing queue
02/22/13 08:17:29:688[ Info 856]: IP 10.76.45.123 is already in the probing queue
02/22/13 08:17:29:688[ Info 856]: IP 10.76.15.205 is already in the probing queue
02/22/13 08:17:29:688[ Info 856]: IP 10.76.15.196 is already in the probing queue
03-01-2013 09:38 AM
I have not seen it, but I am curious what your probing interval currently is set at.
At the same point in time, I am not sure I understand why disabling this would attempt to resolve this issue.
Remember that active probing is for anyone that is NOT known.
So before you troubleshoot that portion, you need to go back to step 1.
There are 2 steps to get UserID working (FW connecting to LDAP server) and (getting user to IP mappings).
There are 6 ways (at least) to get IPs (Security Login/Logoff from AD/Exchange, WMI, CP, XML API, etc.) So...
I think the question you should ask is: WHY is the UserID agent not able to query your AD to determine who your IP users are?
Remember that active probing is for anyone that is NOT known, and to confirm that a User still has IP address that is cached.
What is your user id cache set for? Is it the default (45 minutes)?
Maybe you can increase to 1/2 of your DHCP time (which is when users will ask for their same IP from your DHCP server).
03-01-2013 10:01 AM
Hi,
The agent settings are set to default.
Part of the log also shows the below. So, should we be probing IPs like that?
Using only AD method and could it be a problem with an inability to read the security log?
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.45.81, list is full with 201 entries, currently probing 40 IPs
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.17.21, list is full with 201 entries, currently probing 40 IPs
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.58.111, list is full with 201 entries, currently probing 40 IPs
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.96.188, list is full with 201 entries, currently probing 40 IPs
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.96.224, list is full with 201 entries, currently probing 40 IPs
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.110.78, list is full with 201 entries, currently probing 40 IPs
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.51.184, list is full with 201 entries, currently probing 40 IPs
03-01-2013 11:39 AM
Hmmm, this gets tough to answer. I think that if you are getting some AD information, then you are reading security logs.
I think I would turn OFF probing entirely (for now), so that you can focus on troubleshooting the UserID issue.
I would change the timeout to 1/2 of your DHCP timer (so if DHCP is 8 hours, change cache to 4 hours); you need to effectively make some change to see if it is a positive change or no change.
I do not know the limits of how many IPs can be probed, but maybe the 201 entries is the max amount. So, I would stop probing. The net effect is that you have not lost any UserID information, because that is what we are troubleshooting.
Make sure your UserID has the proper permissions to reach the Security Logs on the AD.
Do you have the FW communicating to the LDAP server directly, or are you using the UserID agent in LDAP proxy mode?
Are the FW and the DC in the same location (not across a WAN link, etc.)?
Ultimately, I would not have a problem creating a TAC case for this issue. That is why they are here. We in the community can provide guidelines to help, but of course TAC will be the best to T-shoot and resolve this.
Let me know what you find.
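As an added example (not part of the thread and not Palo Alto Networks code), this Python script tallies the two probe-queue messages quoted above, so you can see how many distinct IPs were dropped because the list was full and which /24 subnets they belong to. The log layout is assumed from the quoted lines only, and the sample input is constructed.

```python
import re
from collections import Counter

# Constructed sample, in the format of the agent log lines quoted in the thread.
SAMPLE_LOG = """\
2/22/13 08:17:29:688[ Info 856]: IP 10.76.15.140 is already in the probing queue
02/22/13 08:17:29:688[ Info 856]: IP 10.76.45.123 is already in the probing queue
02/22/13 08:17:30:101[ Info 856]: IP 10.76.15.140 is already in the probing queue
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.45.81, list is full with 201 entries, currently probing 40 IPs
02/21/13 11:37:47:675[Debug 838]: Unable to probe IP 10.74.17.21, list is full with 201 entries, currently probing 40 IPs
02/21/13 11:37:48:102[Debug 838]: Unable to probe IP 10.74.45.81, list is full with 201 entries, currently probing 40 IPs
some unrelated line that should be ignored
"""

# Assumed layout: date, time, [level thread-id]: message (inferred from the quoted lines only).
LINE = re.compile(r"^\d{1,2}/\d{2}/\d{2} [\d:]+\[\s*\w+\s+\d+\]: (.*)$")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
QUEUED = re.compile(rf"^IP {IP} is already in the probing queue$")
FULL = re.compile(rf"^Unable to probe IP {IP}, list is full with (\d+) entries, currently probing (\d+) IPs$")

def summarize(text):
    """Tally probe-queue messages: duplicate requests vs. requests dropped on a full list."""
    queued, dropped = Counter(), Counter()
    list_size = active = 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an agent log line in the assumed layout
        msg = m.group(1)
        if (q := QUEUED.match(msg)):
            queued[q.group(1)] += 1
        elif (f := FULL.match(msg)):
            dropped[f.group(1)] += 1
            list_size = max(list_size, int(f.group(2)))
            active = max(active, int(f.group(3)))
    # Distinct dropped IPs per /24, to show which subnets are not getting probed.
    per_subnet = Counter(ip.rsplit(".", 1)[0] + ".0/24" for ip in dropped)
    return {
        "queued_ips": len(queued), "queued_events": sum(queued.values()),
        "dropped_ips": len(dropped), "dropped_events": sum(dropped.values()),
        "list_size": list_size, "active_probes": active,
        "dropped_by_subnet": dict(per_subnet),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it before and after a change to the probing or cache-timeout settings gives a like-for-like count of dropped IPs to compare.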