02-24-2016 08:03 AM
Hi All,
I'm currently experiencing some issues with user-id mapping. Some users are not being mapped to IP addresses.
Current setup: I have 3 domain controllers - all have Service Accounts with correct privileges. They are also showing as 'Connected'
I ran the command 'show user server-monitor state all' on the CLI and noticed that one of the servers showed some failed queries:
Server: A(vsys: vsys1)
Host: 10.2.2.59
num of log query made : 27600
num of log query failed : 2660
num of log read : 647253
Other than this, I can't find anything that could be amiss.
Any ideas please?
Thanks
02-24-2016 08:18 AM
> Uncheck the LDAP Proxy
> check the bind DN is should be in the format : adminstartor@domain.com
> Check the event logs on AD if you are able to see the logon events for any of the test user
> Clear user cache by commad clear user-cache all
02-24-2016 09:29 AM
Yes...it has definitely been enabled that's why some users are being mapped. Some others are not being mapped though
02-24-2016 09:36 AM
Hi Vkalal,
I'm not using the user-id agent so I don't believe i need to Uncheck LDAP Proxy.
I'll clear the cache and test results
02-24-2016 09:49 AM
> You can also check if you are able to see the mappings in mangement plane
show user ip-user-mapping-mp all
02-24-2016 10:27 AM - edited 02-24-2016 10:34 AM
Hi Bocsa,
If you are mapping some users, but not all, could it be that those users are from specific AD group that's not mapped properly?
show user group-mapping state <value>|<all>
show user group-mapping statistics
If that's not the case, can you check logs for that particular user (that is not mapped) on all three servers? Could they be mis-matching? Silly question, but also - are your clocks all the same on servers (do they have same NTP server and are they all updating clock properly?) Reason why I ask is that sometimes, when user mappings are shared between servers but one of them has clock that is slightly off, that can produce unwanted results as it depends what logs are parsed last and what was the event.
If possible, I would also try to simply use only one of three servers temporarily (and test all of them separately, one by one) to see if I will have any missing users when mapping from a single server, that might be faster than looking through the logs of all three servers.
If that is not the case either, and you cannot find much in the logs on the server side, try raising debug level on the user-id daemon; by default it is on info level. From cli, you can set:
debug user-id on dump
run your diagnostics (get problematic user to log on and log off) and than review logs for that username:
less mp-log useridd.log
When "inside" the log, you can use commands from linux's less command - use / to search for username, etc...
once you are done, re-set debug level for user-id by doing:
debug user-id on info
debug user-id get
Last, but not the least - what is the uptime of your device? (you can see that from "show system info" in cli). There was a bug where UserID stopped working after 388 days, but that has been fixed long ago, applies only if you are running an old release. If this is the case, simply restart UserID daemon 🙂
If nothing from above helps.... let us know or reach out to TAC and inform them what have you done already to diagnose this 🙂
Best regards,
Luciano
02-25-2016 03:13 AM
Hi Luciano,
thanks for the suggestions. I'll run some debugs. It definitely hasn't been up for up to 388days.
Is there a way to clear the log query counters on the Palo? ie
Server: (vsys: vsys1)
Host: 192.168.24.51
num of log query made : 1008950
num of log query failed : 50
num of log read : 13225867
last record timestamp : 1456398701
last record time : 20160225111141.782341-000
02-25-2016 05:40 AM
For the users whose user-ip mapping is not coming on the firewall for that users do you have security event logs on any of the domain controller. You have to check the security event logs of all domain controller.
Check if you have configured any included/excluded network on firewall under user-identification or on user-id agent.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
