We have been using the User-ID Agent and it has been working for over a year. On the 17th, the PAN stopped populating the traffic log with the user-id information. The Agent is working fine (user IDs show up in the monitor) and the PAN is connecting to the Agent, but no user information is showing up. I have checked through the config logs, and nothing has been changed besides some reverse NAT rules. There were server updates done at the same time (Microsoft security updates) so that could be the issue, but I thought I would throw it out to the community to see if anyone else has had this happen to them recently. I am using ver 4.1.6.
If all info seems to be OK on the agent and you are able to see the user/IP mapping there, then look in the PA: show user ip-user-mapping all
Is there any info?
No means the PAN has no user info in memory => either a bug in the PAN or a communication issue between the agent and the PAN
Yes means the mapping is OK. Are you sure that nobody (everybody has a ghost on his network) disabled user identification on your Zone? Rgds
Just as an update.
I have been in contact with TAC with no joy so far. The PAN shows the user ID for a very small fraction of the connections, where it used to show the user ID for all connections. I have been asked to upgrade to the newest software to see if that resolves the issue.
You might want to triple check that you have all domain controllers listed in the User-ID agent(s). We had our systems admins add a new domain controller without telling the firewall admins and noticed similar strange results. Tech support did not think to check for that but once we added in the new DC everything cleared up.
Thanks for the reply. I did check that all of the domain controllers were added. I even tried removing the configs for user-id and re-adding them, with no success.
I noticed a similar issue with a newly installed device. Our problem came down to the network Zone not having the "Enable User Identification" flag set. So perhaps double check and make sure that hasn't gotten cleared on any of your network zones?
And what was your output from running show user ip-user-mapping all at the command line?
We have verified that the "Enable User Identification" flag is set for the zones in question (and have disabled and re-enabled them).
show user ip-user-mapping all is blank.
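The thread's diagnostic splits into two checks: whether the firewall holds any IP-to-user mappings at all (`show user ip-user-mapping all`), and, if it does, what fraction of traffic-log sessions actually carry a Source User. The script below is an added example, not code from the thread or from Palo Alto Networks; it parses a constructed sample of the CLI mapping table and a constructed traffic-log CSV export, then separates unidentified source IPs into "the firewall never learned a mapping for this host" (points at the agent/DC side) versus "a mapping exists but sessions still show no user" (points at the zone's User Identification setting). The column layouts of both inputs are assumptions modelled on PAN-OS output, so adjust the header names to match your own export.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample of `show user ip-user-mapping all` output. The column
# layout is an assumption modelled on PAN-OS CLI output; the thread itself
# only reports that the command returned nothing.
MAPPING_OUTPUT = """\
IP              Vsys   From   User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------ -------------------------------- -------------- -------------
10.0.1.23       vsys1  UIA    example\\jdoe                     2700           2700
10.0.1.45       vsys1  UIA    example\\asmith                   1200           2700
Total: 2 users
"""

# Constructed traffic-log CSV export with a handful of columns. The header
# names follow the PAN-OS log export as an assumption.
TRAFFIC_CSV = """\
Receive Time,Source address,Destination address,Source User,Application,Action
2012/07/18 09:00:01,10.0.1.23,192.0.2.10,example\\jdoe,web-browsing,allow
2012/07/18 09:00:02,10.0.1.45,192.0.2.10,,web-browsing,allow
2012/07/18 09:00:03,10.0.1.77,192.0.2.11,,ssl,allow
2012/07/18 09:00:04,10.0.1.23,192.0.2.12,example\\jdoe,dns,allow
2012/07/18 09:00:05,10.0.1.90,192.0.2.12,,dns,allow
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ip_user_mapping(text: str) -> Dict[str, str]:
    """Return {ip: user} from the CLI table; header, rule and Total lines are skipped."""
    mappings: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows begin with an IPv4 address and carry at least IP, vsys, source, user.
        if len(fields) >= 4 and IP_RE.match(fields[0]):
            mappings[fields[0]] = fields[3]
    return mappings


def userid_coverage(csv_text: str) -> Tuple[int, int]:
    """Return (total sessions, sessions that carry a Source User) for a traffic-log export."""
    total = identified = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        if row.get("Source User", "").strip():
            identified += 1
    return total, identified


def classify_unidentified(csv_text: str, mappings: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split source IPs logged without a user into (never mapped, mapped but still unidentified)."""
    never_mapped, mapped_but_unidentified = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Source User", "").strip():
            continue
        src = row["Source address"]
        if src in mappings:
            mapped_but_unidentified.add(src)
        else:
            never_mapped.add(src)
    return sorted(never_mapped), sorted(mapped_but_unidentified)


def diagnose(mappings: Dict[str, str], coverage: Tuple[int, int]) -> str:
    """Map the two checks from the thread onto the next thing to look at."""
    total, identified = coverage
    if not mappings:
        return "firewall holds no IP-user mappings: check agent connectivity and agent logs"
    if identified < total:
        return ("mappings present but sessions unidentified: check 'Enable User Identification' "
                "on the source zones and the agent's domain controller list")
    return "user identification healthy"


if __name__ == "__main__":
    mapping = parse_ip_user_mapping(MAPPING_OUTPUT)
    cov = userid_coverage(TRAFFIC_CSV)
    print(f"mappings on firewall: {len(mapping)}")
    print(f"sessions with user: {cov[1]}/{cov[0]}")
    never, mapped = classify_unidentified(TRAFFIC_CSV, mapping)
    print(f"never mapped: {never}; mapped but unidentified: {mapped}")
    print(diagnose(mapping, cov))
```

Feed it the real CLI output and a CSV export of the affected time window; a non-empty "never mapped" list that keeps growing after the 17th is the signature of the agent no longer learning logons (for example a domain controller missing from the agent's list), while hosts that are mapped yet still unidentified in the log point at the zone-level setting.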