I have the PAN Terminal Server Agent installed on several Windows 2008 servers. The service works fine and I have no problems with geting the UserID info when the service is running. The problem is that when the server is rebooted, the service does not automatically start up, causing it to need to be manually started. Is this the expected behavior?
I had experienced the same issues in the past with the user-id agent not working after server restart. The agent was attempting to start after a reboot before active directory services were started, therefore the service fails to start with the configured service account.
To fix this I simply set a recovery timer on that service. Open services and browse to User-ID Agent. Open the properties and click on the Recovery tab. After the first 2 failures configure the service to restart again after 1 minute. I found there was no need to configure the subsequent failures as 2 minutes is more than enough time to ensure that all relevant services had been started for the User-ID agent to start.
As my previous posted had stated setting the 'recovery' options can be a good method to ensure that the user-id agent service is running at all times.
I have since discovered that this method does not work in all cases after a server reboot. The 'recovery' tab and subsequent restart after failure will only work on a service 'crash'. If the service does not restart due to failed login etc (AD wasn't started yet) the recovery tab won't actually ever come into play.
To counter this, the service can be configured to start with a delay. This means that the service will start shortly after all other services designated as Automatic have been started. This is generally 1-2 minutes after the computer boots.
I find that I am unable to change the Startup Type value to Automatic (Delayed Start). I get this error when saving:
"The delayed auto-start flag could not be set. Error 87: The parameter is incorrect."
I believe this is because the services are part of a Service Group. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PANTAD and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PanTaService both have Group set to TDI, making them part of what is apparently the Transport Driver Interface service group.
I can understand why services are not allowed to be delayed when they are supposed to be starting as part of a group. But I am still without a solution.
I just found documentation regarding the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\TS Agent\Adv\DelayStart key and will probably give that a try.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!