06-05-2013 07:37 AM
I have 3 separate domains on my network and they are not trusted together. On my main domain where the firewall is installed the agent shows green, however when I install the agent under the remote domains (on different subnets across the country) the icon is red. The settings match my 2 main domain controllers that are working. When I look at the remote DCs they are reading the log files. Also port 5007 is reachable from the outside. Any thoughts on why they aren't connecting? I am not seeing any details as to why.
06-05-2013 07:51 AM
Hi,
Try configuring a different port for each agent on your Palo:
AD1 - port 5007
AD2 - port 5008
AD3 - port 5009
and of course make sure that your Palo is able to contact each of your agents 🙂 (through the management interface, by default).
That should solve your issue.
V.
06-05-2013 07:54 AM
I am using the Windows agent (not the one on the PAN). Are you suggesting that I change the port on my remote DCs?
06-05-2013 07:56 AM
Hi,
No, just in both places: on the Palo (Device / User Identification / User-ID Agent) and on each agent, change only the communication port. No change on the AD.
V.
06-05-2013 07:59 AM
I have the agents running on my remote domain controllers. I changed to port 5008 on a remote domain controller (where the agent is running) and to 5008 on the PAN. Still showing red.
06-05-2013 08:09 AM
Are you sure that communication on port 5008 is possible between the management interface on the Palo and your remote AD?
No firewall on the AD?
Which PA model?
Which version on the PA?
Which version on the agent?
V.
06-05-2013 08:12 AM
I can ping between the management interface and the remote DCs and open a telnet session to the remote agent ports. I am running a 3020 on version 5.0.5, and the agent is the latest, 5.0.4-5.
06-05-2013 08:21 AM
Please run:
show user user-id-agent state Name-Agent
show user user-id-agent statistics
V.
06-05-2013 08:27 AM
Host: 172.16.109.2:5009
Status: not-conn:idle(Error: Failed to connect to User-ID-Agent at 172.16.109.2(172.16.109.2):5009)
num of connection tried : 75
num of connection succeeded : 0
num of connection failed : 75
REMOTESVR1 172.16.109.2 5009 vsys1 not-conn:Connecting 0
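The output posted above is the signature worth recognising: 75 connection attempts from the firewall, 0 successes, so the failure is on the path from the firewall's source interface to the agent port, not in the agent's log reading. As an added example (not code from the thread or from Palo Alto Networks), the script below parses constructed samples modelled on the `show user user-id-agent state` and `show user user-id-agent statistics` output and classifies each agent; the column order assumed for the statistics line (name, IP, port, vsys, status, count) is inferred from the single line posted, and the second statistics line is invented for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the 'show user user-id-agent state' output
# posted in the thread (one agent that has never connected).
SAMPLE_STATE = """\
Host: 172.16.109.2:5009
Status: not-conn:idle(Error: Failed to connect to User-ID-Agent at 172.16.109.2(172.16.109.2):5009)
num of connection tried : 75
num of connection succeeded : 0
num of connection failed : 75
"""

# Constructed sample for 'show user user-id-agent statistics'. Only the first
# line is from the thread; the column order (name, ip, port, vsys, status,
# count) is an assumption from that line, and the second line is invented.
SAMPLE_STATS = """\
REMOTESVR1 172.16.109.2 5009 vsys1 not-conn:Connecting 0
MAINDC1 10.0.0.10 5007 vsys1 conn:idle 42
"""


@dataclass
class AgentState:
    host: str
    port: int
    status: str
    error: Optional[str]
    tried: int
    succeeded: int
    failed: int


_HOST_RE = re.compile(r"^Host:\s*(\S+?):(\d+)\s*$")
_STATUS_RE = re.compile(r"^Status:\s*([^\s(]+)(?:\((.*)\))?\s*$")
_COUNT_RE = re.compile(r"^num of connection (tried|succeeded|failed)\s*:\s*(\d+)\s*$")


def parse_agent_state(text: str) -> AgentState:
    """Parse one agent's 'state' block into an AgentState."""
    fields = {"error": None, "tried": 0, "succeeded": 0, "failed": 0}
    for line in text.splitlines():
        line = line.strip()
        if m := _HOST_RE.match(line):
            fields["host"], fields["port"] = m.group(1), int(m.group(2))
        elif m := _STATUS_RE.match(line):
            fields["status"], fields["error"] = m.group(1), m.group(2)
        elif m := _COUNT_RE.match(line):
            fields[m.group(1)] = int(m.group(2))
    if "host" not in fields or "status" not in fields:
        raise ValueError("no Host:/Status: lines found in agent state output")
    return AgentState(**fields)


def diagnose(state: AgentState) -> str:
    """Classify the agent from the firewall's point of view.

    'never-connected' (retries > 0, successes == 0) is the pattern in the
    thread: the firewall cannot reach the agent port from its source
    interface (management by default, or the service-route interface).
    """
    if state.status.startswith("conn"):
        return "connected"
    if state.tried > 0 and state.succeeded == 0:
        return "never-connected"
    if state.failed > 0 and state.succeeded > 0:
        return "flapping"
    return "unknown"


@dataclass
class AgentStatRow:
    name: str
    ip: str
    port: int
    vsys: str
    status: str
    count: int


def parse_agent_statistics(text: str) -> List[AgentStatRow]:
    """Parse the per-agent rows of the 'statistics' output (assumed 6 columns)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip headers, blank lines and anything unexpected
        name, ip, port, vsys, status, count = parts
        rows.append(AgentStatRow(name, ip, int(port), vsys, status, int(count)))
    return rows


def disconnected_agents(text: str) -> List[str]:
    """Names of agents whose status is anything other than conn:*."""
    return [r.name for r in parse_agent_statistics(text) if not r.status.startswith("conn")]


if __name__ == "__main__":
    st = parse_agent_state(SAMPLE_STATE)
    print(f"{st.host}:{st.port} -> {diagnose(st)} ({st.error})")
    print("disconnected:", disconnected_agents(SAMPLE_STATS))
```

Run it against the real CLI output (pasted or pulled over the XML API) from a monitoring host; an agent that stays in `never-connected` after the agent itself shows the DC logs being read is the cue to check the firewall-side path (service route, management default gateway, and the security policy that traffic hits) before touching the agent.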
06-05-2013 08:45 AM
Either something is blocked between management and the remote agent (anything in the logs?), or it's a bug; in that case contact your local SE.
V.
06-05-2013 10:11 AM
Do you have a security rule for your management IP?
Since they are not trusted, try adding a rule for management at the top (if you don't have one),
and see what you see in the monitor logs, filtering on the destination IP address of the 2 agents separately.
Do you have any service route configuration? Also check whether you are using the management port for everything or not.
06-05-2013 11:45 AM
I do not have any security rules currently for my management IP. All User-ID agents are coming from the Inside trusted zone. I am noticing that the PAN is dropping traffic for these when running a packet capture. When I configure the service route for User-ID agent traffic and use my LAN interface instead of management, all agents are working and connect. I am not sure where the PAN is dropping traffic, however.
06-05-2013 11:50 AM
So write a rule for the management IP.
06-05-2013 11:52 AM
I'll try this, but what zone would I use for the management IP?
06-05-2013 11:56 AM
If its default gateway is in the LAN zone, then it'll be the LAN zone. You can write any/any with the source IP only.