06-11-2013 01:39 PM
hey
We have a situation where logged-in users are sent to the captive portal, even a few minutes or an hour after they have logged in to the computer.
1) When this is happening, the ip-user mapping shows no user for the IP
2) We can't simulate this behaviour
3) We played around with the ip-port mapping timeouts
4) Client probing is turned on and we verified that the PA user can see the logged-in user using WMI
5) We don't have problems in recognizing ip-user mapping in the environment
7) We use agentless User-ID
8) We use 5.0.5, PA-500
Questions:
1) Do you have any idea what may cause this?
2) How can I turn on debugs on the User-ID and captive portal so I can see why the PA drops/doesn't have the user-ip mapping when this occurs again?
3) If the PA does not recognize from the AD security log, for some reason, that a user is logged in to the IP, why doesn't it use client probing to check the logged-in user?
I will appreciate any help solving this issue until I open a case
thanks
dor
06-11-2013 01:54 PM
We also tried 90 minutes for a period and it still happened again
06-11-2013 02:02 PM
Do you still have issues when probing is off?
06-11-2013 02:05 PM
Didn't try turning off probing.
I will be at the customer site tomorrow to try and test everything. Can you give me more troubleshooting tips?
06-11-2013 02:10 PM
To test the probing, we tried to run a cmd with runas and then use the WMI command that is mentioned in some documents on a machine that was sent to the captive portal, and we get the logged-in user correctly
06-11-2013 02:12 PM
It is not normal if a user gets a web form in a few minutes (although the user is an Active Directory user).
This happens if WMI fails.
Check if all DCs are connected with the firewall.
If the issue goes on, try to install the User-ID agent on a PC and do not use the agentless system. Troubleshooting on the agent is better.
06-12-2013 12:02 AM
OK. I am at the customer site and:
1) I found that probing was disabled
2) I tried to turn it on and clear the ip-user mapping information for my station. Should the PA try to query my station for my user or not?
06-12-2013 12:05 AM
How can I view the probing logs from the Palo Alto CLI?
06-12-2013 06:00 AM
debug user-id dump probing-stats
07-11-2013 06:25 AM
"debug user-id dump probing-stats" is only giving me statistics.
How can I view/export all the logs that are relevant to the User-ID process, so that when a user tells me that he has been redirected to the captive portal, I can take a look at the log at the time the user complained? I will have his IP also, and can see WHY the Palo Alto didn't have the mapping, because it should have had it.
thanks
07-11-2013 02:03 PM
If you are using the User-ID agent and not the agentless, you should see the probing failures in the debug log under the Palo Alto Networks folder under which you have installed the User-ID agent.