Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Match UserId problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Match UserId problem

L4 Transporter

Hi, we have 2 PA in cluster Active/passive. We have done the fail-over and when the secondary PA is working i can see userid is not maching. I have checked all the Userid agent config and state and everything is ok. I have restart all the userids agent and group mapping, after all its nor working.

tel@fw2(active)> show user user-id-agent statistics

Name             Host            Port  Vsys    State             Ver Usage

---------------------------------------------------------------------------

Servidor wn12    10.1.1.249      4444  vsys1   conn:Get IPs      5

UID              10.1.1.16       4444  vsys1   conn:idle         5

UID New          10.1.1.18       4444  vsys1   conn:Get IPs      5

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used

tel@fw2t(active)> show user ip-user-mapping all

----------------------

but if i run "show user ip-user-mapping all" in the passive , userid match is working...

tel@fw1(passive)> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

10.5.6.70       vsys1  UIA     oalgt\lleojoel                   3290           3290

10.5.6.186      vsys1  UIA     oalgt\quesadfr                   3170           2742

10.5.2.205      vsys1  UIA     oalgt\manasmnc                   3169           3169

10.5.4.45       vsys1  UIA     oalgt\gomezlbg                   3391           3391

10.1.13.37      vsys1  UIA     oalgt\serrancr                   3171           3171

10.1.200.82     vsys1  UIA     oalgt\munmandl                   3170           3170

10.5.4.100      vsys1  UIA     oalgt\culubrnt                   3170           3170

10.5.2.249      vsys1  UIA     oalgt\torresjn                   3170           3170

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

Total: 0 users

tel@fw2(active)> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

Total: 0 users

1 accepted solution

Accepted Solutions

The poblem was solved. I opened a case with PA and rebooted the FW and now is working.....If the device is turn on more than 388 the UserID starting to fail...

Thanks a lot

View solution in original post

5 REPLIES 5

L4 Transporter

if i run ip-user-mapping, it doesnt work the matching but if i run user ip-user-mapping-mp its working. But in monitor traffic log i cant see any match

telindus@fw2orgt(active)> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

Total: 0 users

---------------------

telindus@fw2orgt(active)> show user ip-user-mapping-mp all

IP              Vsys   From    User                             Timeout (sec)

--------------- ------ ------- -------------------------------- ----------------

10.5.7.25       vsys1  UIA     oalgt\sanchetm                   2973

10.1.192.77     vsys1  UIA     oalgt\roureana                   2974

10.5.4.117      vsys1  UIA     oalgt\sanchegl                   2975

10.1.231.52     vsys1  UIA     oalgt\ferrergt                   2975

this is the log useridd

Nov 19 17:10:09 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for UID New

Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 100, disable rate limiting for Servidor wn12

Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 100, disable rate limiting for UID

Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 100, disable rate limiting for UID New

Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for Servidor wn12

Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for UID

Nov 19 17:10:10 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate is now 101, enabling rate limiting for UID New

Nov 19 17:10:18 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 89, disable rate limiting for Servidor wn12

Nov 19 17:10:18 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 89, disable rate limiting for UID

Nov 19 17:10:18 pan_user_id_agent_update_unknown_ip_rate_limit: Unknown IP rate rate is now 89, disable rate limiting for UID New

L0 Member

Hi Cos,

Can you run "show system info" and verify if the device uptime is more then 388 days?


Regards,

Sarath

The poblem was solved. I opened a case with PA and rebooted the FW and now is working.....If the device is turn on more than 388 the UserID starting to fail...

Thanks a lot

L0 Member

Hi Cos,

We have known issue Issue # 64166 and fixed in version 5.0.14 and later and 6.0.4 and later.

The issue is total time "Time data-plane was up + User Time-out" cannot be greater than 388 days(2^25). Workaround is to reboot the device or upgrade the device for permanent fix.

Thank you.

Regards,

Sarath

  • 1 accepted solution
  • 3395 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!