User-ID agent connects and disconnects in seconds...

Showing results for 
Search instead for 
Did you mean: 

User-ID agent connects and disconnects in seconds...

L4 Transporter

Hey Guys,

Can someone please explain why the User-ID connects and disconnects immediately.  I can see this happening under the system logs thereby this does not populate the source users under the traffic and url logs.

I tried looking up the knowledge base to understand this issue but was unsuccessful.  I then even went through the whole process of configuring the User-ID agent, LDAP and User-ID on the firewall from the beginning.

The box is not in production at the moment as i was doing an Eval.  It wasn't an issue, but out of interest and to seek knowledge posted it.

Many Thanks,



L4 Transporter


What versions of PANOS and User-ID Agent are you running? I have seen some weird behavior with older versions of the User-ID Agent running. Could you also provide the debug log from the agent itself? This could shed some more light on the issue.



PANOS version 4.1.6 and User-ID agent 4.1.3-2.  Unfortunately, I cannot get the debug log from the agent as the customer has uninstalled the agent.  This was happening when the box was placed in VWire mode for evaluation and unfortunately I realized it after the unit was shipped back to me..!!!



It is unfortunate that we don't have access to the User-ID Agent logs, but not the end of the world. If the logs are still on the firewall, you can log into the cli and view the useridd.log for any errors that may point toward a cause of the frequent disconnects.

less mp-log useridd.log

This may provide more detail on the disconnects.



Thanks for the info.. I will get the information and then let you know accordingly....




I did look up the userid logs via the CLI, but they just seem to make no sense to me.  Used less mp-log useridd.log and less mp-log useridd.log.old and both give me the same information.  Please see below:

Please let me know if rings any bells..!!!

Kind Regards,


what port are you using on the agent to connect to the PAN. Try using a port above 10000 and see if that makes any difference.


Syed Hasnain

Used 5007 and 5006.  I will not be able to test it now as it was an evaluation that I was doing for a customer.  All this was realised after the box was pulled out from virtual wire mode (end of evaluation). Smiley Sad

So will not be able to do anything now.

Here is simple question..

Where is the User-ID agent installed on?

If installed ON the Domain Controller itself.. it is not recommended.

Also, if installed ON a Windowd 2008 R2 server, that also is not supported, unless we have a 2008R2 client available.

It is recommended to install on a Windows 2003 server that can talk with the Domain controllers.

LIVEcommunity team member
Stay Secure,
Don't forget to Like items if a post is helpful to you!

How come its not recommended to install it on the DC itself?

If we take larger installations there will be shitloads of networktraffic for the userid agent when its tailing the security logs of all DC servers (specially when you have more than a few DC servers in your network).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!