UID Redistribution SSL Errors


L4 Transporter

Hoping someone else has run into this.  I have been implementing UID redistribution in our PAN environment.  I've stumbled across a few firewalls that will not establish a connection on port 5007, once the UID service is moved off of the default Mgmt interface (yes, appropriate firewall rules are in place).  The system logs spit out an error like this:

 

User-ID Agent datacenter_redist_1(vsys1): Error: Failed to Connect to xxx.xxx.xxx.xxx(source: xxx.xxx.xxx.xxx), SSL error: error:00000000:lib(0):func(0):reason(0)(5) details: none

 

I was able to replicate this in the lab and found the error might be related to failover to the PASSIVE firewall.  Upon failover I found this in the useridd.log:

 

Error: pan_ssl_conn_open(pan_ssl_utils.c:755): pan_tcp_sock_open() to xxx.xxx.xxx.xxx port 5007 failed; errno=150

 

Any ideas or suggestions would be appreciated.

 

5 REPLIES 5

L4 Transporter

Hi Jeremy,

 

Did you resolve this issue?

 

I am getting the same issue. 

 

Error: pan_user_id_agent_open_conn_i(pan_user_id_uia.c:2556): pan_user_id_ssl_conn_open(192.168.26.249) failed: Error: Failed to Connect to 192.168.26.249(source: 192.168.26.200), SSL error: error:00000000:lib(0):func(0):reason(0)(5)

 

 

Snow

L1 Bithead

Were you able to fix it? I am getting the same issue after doing failover.

Hi Udupi,

 

Still not resolved. 

Snow

Hi,

 

I ran into the same issue about 2 months ago. I restarted the userid process on one of my UserID boxes and that addressed the issue; that pair was using a content update older than 8507. After that I upgraded all the UserID redist firewalls to newer content (>8507), and I haven't had that same issue again. Can you check if the firewall content release version is newer than 8507?

 

  • (12/21/2021; updated 1/13/2022) A certificate used by PAN-OS software to authenticate to the WildFire Private Cloud appliance (WF-500) and URL Filtering Private Cloud appliances (M-500 and M-600 in Private URL Filtering Cloud mode) and that impacts User-ID redistribution expired on December 31, 2021. We released Emergency Content release version 8507 on December 21, 2021, to update this certificate so that PAN-OS appliances can authenticate to these private cloud appliances. Immediate action is required for all of your PAN-OS appliances that use either the WF-500 WildFire Private Cloud appliance or the M-500 or M-600 appliances in Private URL Filtering Cloud mode.

    UPDATE:
     User-ID redistribution is also impacted and requires that you complete additional steps before you are able to utilize the renewed certificate. If you have not already done so, you must update your appliances to Content release version 8507 or a later version to ensure that these appliances (including hardware firewalls, VM-Series virtual firewalls, and CN-Series container firewalls) will continue or again connect to WF-500 and URL Filtering private cloud appliances. Please refer to the customer advisory for detailed information about utilizing your renewed certificate.
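
Added example (not part of the original thread and not Palo Alto Networks code): a triage script that separates the two failure shapes quoted in this thread, the `SSL error` line and the `pan_tcp_sock_open() ... errno` line, and flags endpoints whose content release is below the 8507 named in the advisory. The log lines, addresses and inventory are constructed, the function names are hypothetical, and the `release-build` form of the content version string is an assumption.

```python
import re
from collections import defaultdict

MIN_CONTENT = 8507  # the quoted advisory requires "8507 or a later version"

# Constructed sample data: log lines shaped like those quoted in the thread
# (documentation addresses) and a hypothetical inventory of content versions.
SAMPLE_LOGS = [
    "User-ID Agent datacenter_redist_1(vsys1): Error: Failed to Connect to 192.0.2.10(source: 192.0.2.20), SSL error: error:00000000:lib(0):func(0):reason(0)(5) details: none",
    "Error: pan_ssl_conn_open(pan_ssl_utils.c:755): pan_tcp_sock_open() to 192.0.2.11 port 5007 failed; errno=150",
    "Error: pan_user_id_agent_open_conn_i(pan_user_id_uia.c:2556): pan_user_id_ssl_conn_open(192.0.2.10) failed: Error: Failed to Connect to 192.0.2.10(source: 192.0.2.20), SSL error: error:00000000:lib(0):func(0):reason(0)(5)",
]
SAMPLE_INVENTORY = {"192.0.2.10": "8499-7100", "192.0.2.20": "8520-7210", "192.0.2.11": "8520-7210"}

SSL_RE = re.compile(r"Failed to Connect to (?P<peer>[\d.]+)\(source: (?P<src>[\d.]+)\), SSL error: (?P<err>error:\S+)")
TCP_RE = re.compile(r"pan_tcp_sock_open\(\) to (?P<peer>[\d.]+) port (?P<port>\d+) failed; errno=(?P<errno>\d+)")

def classify(line):
    """Return (layer, peer, source) for a redistribution failure line, else None."""
    m = SSL_RE.search(line)
    if m:
        return ("ssl", m["peer"], m["src"])
    m = TCP_RE.search(line)
    if m:
        return ("tcp", m["peer"], None)
    return None

def is_stale(version):
    """True when the release number (before the dash, assumed format) is below 8507."""
    return int(version.split("-")[0]) < MIN_CONTENT

def triage(logs, inventory):
    """Per peer: failure counts by layer and the endpoints still below 8507."""
    report = defaultdict(lambda: {"ssl": 0, "tcp": 0, "stale": set()})
    for line in logs:
        hit = classify(line)
        if hit is None:
            continue
        layer, peer, source = hit
        entry = report[peer]
        entry[layer] += 1
        if layer == "ssl":  # the certificate is only in play once TLS starts
            for host in (peer, source):
                if host in inventory and is_stale(inventory[host]):
                    entry["stale"].add(host)
    return dict(report)

if __name__ == "__main__":
    for peer, entry in triage(SAMPLE_LOGS, SAMPLE_INVENTORY).items():
        print(peer, entry)
```

A peer with SSL-layer failures and a non-empty `stale` set is a candidate for the content update described in the advisory; a peer with only TCP-layer failures needs a connectivity check first.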

 

L4 Transporter

I restarted the userid process on one of my UserID boxes and that addressed the issue; that pair was using a content update older than 8507. I haven't had that same issue again.

 

 

It is working for me. 

Snow