11-30-2020 04:12 AM
In recent weeks we've had a problem reported where one minute a site, for instance YouTube, will be accessible, and then it won't be, and then it will, and so on. After looking in the logs, when the connection to YouTube fails the log shows no USER-ID; when it works it shows a local USER-ID. We use an AD group for access to general internet and have this configured on the corresponding rule.
I've tried troubleshooting by looking at various knowledge base articles but haven't found any reason why sometimes USER-IDs are correct and sites can be accessed and then other times they can't. It's also not happening for all sites accessed at the same time: it may not work for YouTube but it will work for Google.
Can anyone give me any ideas why this might be happening?
Thanks
Jon
11-30-2020 08:55 AM - edited 11-30-2020 08:58 AM
Can you provide more information?
What version of PanOS?
Are you using samaccountname and userprincipalname?
Do you have the user-id agent parsing every single sec-event-log on every DC?
Do you have "enable user-id" on for every internal zone?
Do you use Terminal Services? If so do you have that agent in that environment as well?
Are you using the same SPG for all rules or do you have multiple SPG's? Depending on your environment you can have one source subnet hitting a different policy /w a different SPG and URL filter if configured.
I have seen issues where a person is using a cached authentication in Windows when not connected to work via VPN and then attempts access which fails with the same type of error.
For testing I would use sites that are not super-trackers to see if the issue is as simple as all internal zones having user-id enabled. I would also check to see when it fails from the command line what it shows.
> show user ip-user-mapping all | match ken
IP VSYS Source user idletimeout maxtimeout
10.10.10.10 vsys1 UIA ken 2715 2715
Can the firewall get the updated ldap group membership?
> show user group list
cn=blah.blah.f00
> show user group name cn=blah.blah.f00
> show user group-mapping state f00
Servers : configured 2 servers
Last Action Time: 336 secs ago(took 12 secs)
Next Action Time: In 3264 secs
02-08-2021 05:20 AM
Apologies for not replying sooner; it's been manic here and this is the first chance I've got to reply to your questions.
Thanks
Jon
What version of PanOS? 9.08
Are you using samaccountname and userprincipalname? Just samaccountname
Do you have the user-id agent parsing every single sec-event-log on every DC? Yes
Do you have "enable user-id" on for every internal zone? No, just our two Trust zones, WAN and Internet.
Do you use Terminal Services? If so do you have that agent in that environment as well? We don’t use Terminal Services in our environment but do use VDI.
Are you using the same SPG for all rules or do you have multiple SPG's? Depending on your environment you can have one source subnet hitting a different policy /w a different SPG and URL filter if configured.
I have seen issues where a person is using a cached authentication in Windows when not connected to work via VPN and then attempts access which fails with the same type of error.
For testing I would use sites that are not super-trackers to see if the issue is as simple as all internal zones having user-id enabled. I would also check to see when it fails from the command line what it shows.
> show user ip-user-mapping all | match ken
jhill@PHMDP01_PAN5250(active)> show user ip-user-mapping all | match jhill
10.170.38.229 vsys1 UIA ulh\jhill 867 867
10.130.239.12 vsys1 UIA ulh\jhill 868 868
Can the firewall get the updated ldap group membership?
Yes it can.
> show user group list
cn=blah.blah.f00
> show user group name cn=blah.blah.f00
It pulls back all the users in a group
> show user group-mapping state
Servers : configured 4 servers
02-08-2021 12:29 PM
So the first thing to look at is what your User Identification Timeout value actually is. Usually with issues like this the entry is simply aging off because activity isn't being recorded in the AD logs within the specified timeout value, so the firewall allows the ip-user-mapping to age off because it hasn't seen any user-id activity in the allotted timeframe.
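The aging-off behaviour described in this answer, and the mapping lookups suggested in the first reply, can be checked against the output of `show user ip-user-mapping all`. The following is an added example, not code from this thread or from Palo Alto Networks: a small Python parser for that output which flags mappings whose remaining idle timeout is close to expiry (the entries most likely to drop to "no user" mid-session) and lists traffic source IPs that have no mapping at all. The sample output and IP/user values are constructed, and the code assumes the `idletimeout` and `maxtimeout` columns are remaining seconds, as the column header in the thread suggests.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample of `show user ip-user-mapping all` output.
# Not taken from the thread's firewall; the IPs and users are made up.
SAMPLE_OUTPUT = """\
IP VSYS Source user idletimeout maxtimeout
10.0.5.21 vsys1 UIA example\\alice 2640 2640
10.0.5.22 vsys1 UIA example\\bob 120 3100
10.0.5.23 vsys1 UIA example\\carol 2700 2700
"""

# One mapping line: IP, vsys, source (e.g. UIA = User-ID agent), user,
# remaining idle timeout, remaining max timeout. Header lines do not match.
MAPPING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str
    user: str
    idle_remaining: int   # assumption: seconds until the idle timeout expires
    max_remaining: int    # assumption: seconds until the max timeout expires


def parse_mappings(text: str) -> Dict[str, Mapping]:
    """Parse CLI output into a dict keyed by IP; non-matching lines are skipped."""
    mappings: Dict[str, Mapping] = {}
    for line in text.splitlines():
        m = MAPPING_RE.match(line.strip())
        if not m:
            continue  # header, prompt echo or other non-mapping output
        mappings[m["ip"]] = Mapping(
            ip=m["ip"],
            vsys=m["vsys"],
            source=m["source"],
            user=m["user"],
            idle_remaining=int(m["idle"]),
            max_remaining=int(m["max"]),
        )
    return mappings


def expiring_soon(mappings: Dict[str, Mapping], threshold_seconds: int = 300) -> List[str]:
    """IPs whose mapping will age off within threshold_seconds unless the
    User-ID agent sees fresh logon activity for that user."""
    return sorted(ip for ip, mp in mappings.items() if mp.idle_remaining <= threshold_seconds)


def unmapped_sources(mappings: Dict[str, Mapping], traffic_source_ips: Iterable[str]) -> List[str]:
    """Source IPs seen in traffic that currently have no ip-user-mapping at all;
    sessions from these hit the rule without a user and fail the AD-group match."""
    return sorted(ip for ip in set(traffic_source_ips) if ip not in mappings)


def report(cli_output: str, traffic_source_ips: Iterable[str], threshold_seconds: int = 300) -> dict:
    """Combine both checks into one structure suitable for a ticket or a cron alert."""
    mappings = parse_mappings(cli_output)
    return {
        "mapped": len(mappings),
        "expiring_soon": expiring_soon(mappings, threshold_seconds),
        "unmapped": unmapped_sources(mappings, traffic_source_ips),
    }


if __name__ == "__main__":
    # Constructed list of source IPs pulled from traffic logs with an empty user field.
    seen_in_traffic = ["10.0.5.21", "10.0.5.40", "10.0.5.22"]
    print(report(SAMPLE_OUTPUT, seen_in_traffic))
```

Run it against a saved copy of the CLI output and the source IPs from traffic-log entries that show no user; an IP that appears in `expiring_soon` right before a failed session points at the timeout aging-off explanation, while an IP in `unmapped` points at a zone without User-ID enabled or a client the agent never sees log on.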