10-11-2017 05:57 AM
Hi,
We realized that Palo Alto suddenly stops identifying users. We can see an example in these traffic logs.
In this screenshot, we see how the user is being identified, but there are connections where it's not appearing.
Sometimes, running show user ip-user-mapping all, we cannot see the user associated with the correct IP.
What could cause this problem? Tshoot advice?
Thanks a lot.
10-11-2017 06:50 AM
How is your timeout configured on UserID?
Your mappings may be timing out, causing the gaps in the log. Could you share your configuration?
10-11-2017 07:56 AM
FYI.
For similar reasons we have set ours to the following.
User Identification Timeout (min) 1440
So... 24 hours and seems to be OK.
10-12-2017 12:35 PM
I wouldn't set age_out to 1440, nobody is working for 24 hours. Set the age_out time to match a user's average day; so if you work from 7-5 on average then make the timeout 600 or 630 to give a little wiggle room.
10-13-2017 12:41 PM
Hello,
Which user-id option are you using to detect the users? Agent, agentless, or WMI? I have a current case open for the User-id agents, which stop pulling in user data after a while, and also currently the Agentless is not able to connect to some of my servers, another case. While it's not affecting me much at the moment, it is a pain point. I'll update the case if I find out anything.
PANOS 8.0.3 (we are upgrading to 8.0.5 to see if it helps since there seem to be a lot of fixes for the User-id agent).
Agent versions: 8.0.4-5
Regards,
10-14-2017 02:10 AM
I'm using agents, collecting from 12 DCs. Never had an issue until updated to V8.
Agents failed to connect on occasions and when they were collecting we had a strange issue where the current policies were not allowing traffic through for specific groups or users. It was a live system so had to roll back to V7 immediately. Never got a chance to diagnose so please update with your findings.
10-16-2017 10:01 AM
Hello @Mick_Ball,
I have also seen this with my smaller deployment. We went ahead and also implemented the Agentless User-ip as a stop gap since TAC was not able to find a resolution. I also made sure that I had autodiscover enabled so that it would pick up on Exchange activity. So far it is working, but some of my PANs lose connectivity to some of my DCs, seems random but I do have a TAC case open.
Sorry I don't have a solution at the moment. Also 8.0.5 has the same issues :(.
I'll update when I have more information.
10-19-2017 12:20 AM
I increased the userid timeout in cache (700 minutes), now it is working fine.
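Added example, not code from any poster in this thread: a small Python check for the symptom discussed above, which finds runs of user-less sessions per source IP in exported traffic log rows and compares the age of the preceding mapping with the configured User Identification Timeout. The row layout, the sample data and the 45-minute value are constructed for illustration; adapt the fields to your own log export.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample rows: (receive time, source IP, source user).
# An empty user means the session was logged without a User-ID mapping.
SAMPLE_LOG = [
    ("2017-10-11 07:02", "10.0.0.5", "corp\\alice"),
    ("2017-10-11 07:40", "10.0.0.5", "corp\\alice"),
    ("2017-10-11 07:50", "10.0.0.5", ""),
    ("2017-10-11 08:30", "10.0.0.5", ""),
    ("2017-10-11 09:05", "10.0.0.5", "corp\\alice"),
    ("2017-10-11 07:10", "10.0.0.9", "corp\\bob"),
    ("2017-10-11 12:00", "10.0.0.9", "corp\\bob"),
]

def find_gaps(rows, timeout_min):
    """List each run of user-less sessions that follows an identified one.

    mapping_age_min is measured from the first identified session seen in the
    log, so it only approximates the real age of the mapping (assumption: the
    log does not show when the firewall learned or refreshed the mapping).
    """
    gaps, by_ip = [], {}
    for ts, ip, user in rows:
        by_ip.setdefault(ip, []).append((datetime.strptime(ts, FMT), user))
    for ip, sessions in by_ip.items():
        mapped_since = last_user = gap = None
        for when, user in sorted(sessions):
            if user:
                if gap:                       # mapping is back: close the gap
                    gap["end"] = when
                    gaps.append(gap)
                    gap, mapped_since = None, when
                elif user != last_user:       # new user on this IP
                    mapped_since = when
                last_user = user
            elif last_user and gap is None:   # first user-less session
                age = (when - mapped_since).total_seconds() / 60
                gap = {"ip": ip, "user": last_user, "start": when, "end": None,
                       "mapping_age_min": age, "past_timeout": age >= timeout_min}
        if gap:                               # still unidentified at end of log
            gaps.append(gap)
    return gaps

if __name__ == "__main__":
    for g in find_gaps(SAMPLE_LOG, timeout_min=45):
        print(g)
```

Gaps flagged with past_timeout set point toward mappings aging out; gaps that begin well before the timeout point toward the collection side (agent or agentless connectivity to the DCs) instead.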