11-19-2014 07:54 AM
Hi, we have 2 PAs in an Active/Passive cluster. We have done the failover, and when the secondary PA is working I can see User-ID is not matching. I have checked all the User-ID agent config and state and everything is OK. I have restarted all the User-ID agents and group mapping; after all that, it's not working.
tel@fw2(active)> show user user-id-agent statistics
Name Host Port Vsys State Ver Usage
---------------------------------------------------------------------------
Servidor wn12 10.1.1.249 4444 vsys1 conn:Get IPs 5
UID 10.1.1.16 4444 vsys1 conn:idle 5
UID New 10.1.1.18 4444 vsys1 conn:Get IPs 5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used
tel@fw2t(active)> show user ip-user-mapping all
----------------------
But if I run "show user ip-user-mapping all" on the passive, User-ID matching is working...
tel@fw1(passive)> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.5.6.70 vsys1 UIA oalgt\lleojoel 3290 3290
10.5.6.186 vsys1 UIA oalgt\quesadfr 3170 2742
10.5.2.205 vsys1 UIA oalgt\manasmnc 3169 3169
10.5.4.45 vsys1 UIA oalgt\gomezlbg 3391 3391
10.1.13.37 vsys1 UIA oalgt\serrancr 3171 3171
10.1.200.82 vsys1 UIA oalgt\munmandl 3170 3170
10.5.4.100 vsys1 UIA oalgt\culubrnt 3170 3170
10.5.2.249 vsys1 UIA oalgt\torresjn 3170 3170
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
Total: 0 users
tel@fw2(active)> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
Total: 0 users
11-19-2014 08:07 AM
If I run ip-user-mapping, the matching doesn't work, but if I run user ip-user-mapping-mp it's working. But in the monitor traffic log I can't see any match.
telindus@fw2orgt(active)> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
Total: 0 users
---------------------
telindus@fw2orgt(active)> show user ip-user-mapping-mp all
IP Vsys From User Timeout (sec)
--------------- ------ ------- -------------------------------- ----------------
10.5.7.25 vsys1 UIA oalgt\sanchetm 2973
10.1.192.77 vsys1 UIA oalgt\roureana 2974
10.5.4.117 vsys1 UIA oalgt\sanchegl 2975
10.1.231.52 vsys1 UIA oalgt\ferrergt 2975
11-19-2014 08:14 AM
This is the useridd log:
Nov 19 17:10:09 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for UID New
Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 100, disable rate limiting for Servidor wn12
Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 100, disable rate limiting for UID
Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 100, disable rate limiting for UID New
Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for Servidor wn12
Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for UID
Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for UID New
Nov 19 17:10:18 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 89, disable rate limiting for Servidor wn12
Nov 19 17:10:18 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 89, disable rate limiting for UID
Nov 19 17:10:18 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 89, disable rate limiting for UID New
12-03-2014 10:50 AM
Hi Cos,
Can you run "show system info" and verify if the device uptime is more than 388 days?
Regards,
Sarath
12-04-2014 12:26 AM
The problem was solved. I opened a case with PA and rebooted the FW and now it is working... If the device is turned on for more than 388, the User-ID starts to fail...
Thanks a lot
12-04-2014 07:43 AM
Hi Cos,
We have a known issue, Issue # 64166, fixed in version 5.0.14 and later and 6.0.4 and later.
The issue is that the total time "Time data-plane was up + User Time-out" cannot be greater than 388 days (2^25). The workaround is to reboot the device, or upgrade the device for a permanent fix.
Thank you.
Regards,
Sarath
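A check for the condition described in the reply above, as an added example that is not part of the original thread or vendor code: it parses `show system info` text and compares uptime plus the User-ID timeout against 2^25, read here as seconds (about 388.4 days). The sample output, the 3600-second timeout, the 30-day warning window and treating the `uptime` line as data-plane uptime are assumptions.

```python
import re

LIMIT_S = 2 ** 25  # 33,554,432; read as seconds (assumption) this is ~388.4 days
FIXED_IN = {(5, 0): 14, (6, 0): 4}  # release train -> first fixed release, per the thread
WARN_S = 30 * 86400  # assumed warning window before the limit is reached

# Constructed sample of `show system info` output (not captured from a real device).
SAMPLE = """\
hostname: fw2
sw-version: 6.0.3
uptime: 387 days, 23:40:12
"""

def parse_info(text):
    """Return (uptime_seconds, (major, minor, patch)) from `show system info` text."""
    up = re.search(r"^uptime:\s*(\d+) days?,\s*(\d+):(\d+):(\d+)", text, re.M)
    ver = re.search(r"^sw-version:\s*(\d+)\.(\d+)\.(\d+)", text, re.M)
    if not up or not ver:
        raise ValueError("uptime or sw-version line not found")
    d, h, m, s = map(int, up.groups())
    return d * 86400 + h * 3600 + m * 60 + s, tuple(map(int, ver.groups()))

def release_status(version):
    """'fixed' or 'affected' for the 5.0 and 6.0 trains, otherwise 'unknown'."""
    first_fixed = FIXED_IN.get(version[:2])
    if first_fixed is None:
        return "unknown"  # the thread says nothing about other release trains
    return "fixed" if version[2] >= first_fixed else "affected"

def assess(text, user_timeout_s):
    """Classify one firewall against the uptime + User-ID timeout limit."""
    uptime_s, version = parse_info(text)
    status = release_status(version)
    headroom_s = LIMIT_S - (uptime_s + user_timeout_s)
    if status == "fixed":
        verdict = "ok"
    elif headroom_s <= 0:
        verdict = "over-limit"  # the thread's symptom: empty ip-user-mapping table
    elif headroom_s < WARN_S:
        verdict = "reboot-or-upgrade-soon"
    else:
        verdict = "ok-for-now"
    return {"status": status, "headroom_s": headroom_s, "verdict": verdict}

if __name__ == "__main__":
    print(assess(SAMPLE, user_timeout_s=3600))
```

An "over-limit" verdict on an unfixed release means user-based security rules may silently stop matching, so it is worth alerting on rather than only logging.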