source user showing as unknown in traffic monitor


L1 Bithead

Found an issue on a customer's firewall. For some reason, the "source user" becomes unknown while students are using a web application called Istation. When that happens, the web traffic for that IP address becomes blocked by another policy. She wrote a specific policy for Istation traffic even if the user is unknown to resolve this issue. But the real question is: why is the "source user" blanking out in the middle of using a web application?

Appreciate your thoughts and suggestions.



L3 Networker

I'm fighting a similar issue on my side, especially with users on VPN getting the wrong web-filtering policy. I have not seen the 'unknown' source user; it's usually just the username on the VPN without the domain (in my case, so this is why they get the wrong policy). Support did provide guidance on this for me; perhaps they can do the same for you?

Another thing that just occurred to me: how many user-id agents are you using, or are you using the PAN's for the direct lookup?

Haven't opened a case yet... we may try to upgrade to at least 6.0.7 and see if that helps. The agent is installed on one server.

I would say depending on the size of the environment including AD, I would recommend bumping that number up to maybe two or three. That way if one is not responding or up, you have something to refer to.

L5 Sessionator

A couple of my customers hit a similar issue.

Has your firewall been running for over 388 days?

There is one fixed issue, which is bug#64166 (you can find it in the 5.0.14 RN or 6.0.4 RN).

L3 Networker

Sounds like the user is caching out. Nothing to do with the application. I'm assuming these computers are part of the domain, since you do pick up the user initially through the user-ID agent. Did you enable "Server session monitoring" in the userID agent? Also, is WMI probing enabled and working? Both these mechanisms will help keep the user-to-IP mappings fresh.

L1 Bithead

@emr - the box has not been up that long. Thanks

@Quinton - not sure on the session monitoring... I will check. Will also check WMI probing. How would I know if it is working or not? These are actually wireless users, if that matters.


Wireless is no problem. Are these devices part of the Windows domain?

L3 Networker

Do you use WMI probing?

What do you see with the following command: debug user-id dump probing-stats

If you use probing and it fails three times to get a user from the client, the already mapped user will be deleted for the IP address.
