Some Users not Mapping in User-ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Some Users not Mapping in User-ID

L3 Networker

Hi All,

I'm currently experiencing some issues with user-id mapping. Some users are not being mapped to IP addresses.

 

Current setup: I have 3 domain controllers - all have Service Accounts with correct privileges. They are also showing as 'Connected'

 

I ran the command 'show user server-monitor state all' on the CLI and noticed that one of the servers showed some failed queries:

 

Server: A(vsys: vsys1)
Host: 10.2.2.59
num of log query made : 27600
num of log query failed : 2660
num of log read : 647253

 

Other than this, I can't find anything that could be amiss. 

 

Any ideas please?

 

Thanks

9 REPLIES 9

L2 Linker

Have you enabled User Identification on the appropriate zone?

L3 Networker

> Uncheck the LDAP Proxy

> check the bind DN is should be in the format : adminstartor@domain.com

> Check the event logs on AD if you are able to see the logon events for any of the test user

> Clear user cache by commad clear user-cache all

Yes...it has definitely been enabled that's why some users are being mapped. Some others are not being mapped though

Hi Vkalal,

I'm not using the user-id agent so I don't believe i need to Uncheck LDAP Proxy.

 

I'll clear the cache and test results

> You can also check if you are able to see the mappings in mangement plane

   show user ip-user-mapping-mp all

L3 Networker

> What PAN-OS version are you running ?

Hi Bocsa,

 

If you are mapping some users, but not all, could it be that those users are from specific AD group that's not mapped properly?

 

show user group-mapping state <value>|<all>
show user group-mapping statistics

 

If that's not the case, can you check logs for that particular user (that is not mapped) on all three servers? Could they be mis-matching? Silly question, but also - are your clocks all the same on servers (do they have same NTP server and are they all updating clock properly?) Reason why I ask is that sometimes, when user mappings are shared between servers but one of them has clock that is slightly off, that can produce unwanted results as it depends what logs are parsed last and what was the event.

If possible, I would also try to simply use only one of three servers temporarily (and test all of them separately, one by one) to see if I will have any missing users when mapping from a single server, that might be faster than looking through the logs of all three servers.

 

If that is not the case either, and you cannot find much in the logs on the server side, try raising debug level on the user-id daemon; by default it is on info level. From cli, you can set:

 

debug user-id on dump

 

run your diagnostics (get problematic user to log on and log off) and than review logs for that username:

 

less mp-log useridd.log

 

When "inside" the log, you can use commands from linux's less command - use / to search for username, etc...

once you are done, re-set debug level for user-id by doing:

 

debug user-id on info

debug user-id get

 

Last, but not the least - what is the uptime of your device? (you can see that from "show system info" in cli). There was a bug where UserID stopped working after 388 days, but that has been fixed long ago, applies only if you are running an old release. If this is the case, simply restart UserID daemon 🙂

 

If nothing from above helps.... let us know or reach out to TAC and inform them what have you done already to diagnose this 🙂

 

Best regards,

 

Luciano

Hi Luciano,

thanks for the suggestions. I'll run some debugs. It definitely hasn't been up for up to 388days.

 

Is there a way to clear the log query counters on the Palo? ie

 

Server: (vsys: vsys1)
Host: 192.168.24.51
num of log query made : 1008950
num of log query failed : 50
num of log read : 13225867
last record timestamp : 1456398701
last record time : 20160225111141.782341-000

For the users whose user-ip mapping is not coming on the firewall for that users do you have security event logs on any of the domain controller. You have to check the security event logs of all domain controller.

 

Check if you have configured any included/excluded network on firewall under user-identification or on user-id agent.

  • 8762 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!