In recent weeks we've had a problem reported where one minute a site, for instance YouTube, will be accessible, then it won't be, then it will, and so on. After looking in the logs, when the connection to YouTube fails the log shows no USER-ID; when it works it shows a local USER-ID. We use an AD group for access to general internet and have this configured on the corresponding rule.
I've tried troubleshooting by looking at various knowledgebase articles but haven't found any reason why sometimes USER-IDs are correct and sites can be accessed, and other times they can't. It's also not happening for all sites accessed at the same time: it may not work for YouTube but it will work for Google.
Can anyone give me any ideas why this might be happening?
Can you provide more information?
What version of PAN-OS?
Are you using sAMAccountName and userPrincipalName?
Do you have the User-ID agent parsing every single security event log on every DC?
Do you have "enable user-id" on for every internal zone?
Do you use Terminal Services? If so, do you have that agent in that environment as well?
Are you using the same SPG for all rules, or do you have multiple SPGs? Depending on your environment you can have one source subnet hitting a different policy with a different SPG and URL filter, if configured.
I have seen issues where a person is using cached authentication in Windows when not connected to work via VPN and then attempts access, which fails with the same type of error.
For testing I would use sites that are not super-trackers to see if the issue is as simple as all internal zones having User-ID enabled. I would also check from the command line what it shows when it fails.
> show user ip-user-mapping all | match ken
IP             VSYS   Source  user   idletimeout  maxtimeout
10.10.10.10    vsys1  UIA     ken    2715         2715
Can the firewall get the updated ldap group membership?
> show user group list
> show user group name cn=blah.blah.f00
> show user group-mapping state f00
Servers : configured 2 servers
Last Action Time: 336 secs ago(took 12 secs)
Next Action Time: In 3264 secs
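To make the check suggested in the reply above repeatable, here is an added example (not Palo Alto code and not part of the original thread) that parses `show user ip-user-mapping all` output in the column layout shown above, parses a traffic-log extract, and reports source IPs that appear both with and without a source user in the same window, plus mappings whose idle timeout is close to expiry. The five-column CSV layout (`receive_time,src_ip,src_user,app,action`), the log lines, the mapping rows and the 300-second threshold are all constructed assumptions for illustration; a real PAN-OS CSV export carries many more columns, so adjust the field names before running it against your own logs.

```python
"""Correlate traffic-log source-user fields with User-ID IP mappings.

Added example for the thread above. Not Palo Alto code; the mapping
table and the traffic-log lines below are constructed samples.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the column layout of `show user ip-user-mapping all`
# (IP VSYS Source user idletimeout maxtimeout). Not captured from a firewall.
MAPPING_OUTPUT = """\
IP            VSYS   Source  user  idletimeout  maxtimeout
10.10.10.10   vsys1  UIA     ken   2715         2715
10.10.10.11   vsys1  UIA     bob   45           2715
"""

# Constructed traffic-log extract. Assumed layout (not the real export format):
# receive_time,src_ip,src_user,app,action. An empty src_user is a session the
# firewall matched with no User-ID mapping for that source address.
TRAFFIC_CSV = """\
receive_time,src_ip,src_user,app,action
2024-01-01 09:00:01,10.10.10.10,ken,google-base,allow
2024-01-01 09:00:05,10.10.10.10,,youtube-base,deny
2024-01-01 09:00:09,10.10.10.10,ken,youtube-base,allow
2024-01-01 09:01:00,10.10.10.12,,youtube-base,deny
2024-01-01 09:01:05,10.10.10.13,ann,google-base,allow
"""


def parse_ip_user_mapping(text):
    """Return {ip: mapping dict} from the CLI table; the header row is skipped."""
    mappings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "IP":
            continue
        ip, vsys, source, user, idle, max_to = fields
        mappings[ip] = {"vsys": vsys, "source": source, "user": user,
                        "idle_timeout": int(idle), "max_timeout": int(max_to)}
    return mappings


def parse_traffic(text):
    """Return the CSV rows as dicts keyed by the header names."""
    return list(csv.DictReader(StringIO(text)))


def find_flapping_sources(records):
    """Return {src_ip: [rows with no user]} for IPs seen both mapped and unmapped.

    An IP that alternates is the pattern in the original post: the mapping is
    present for some sessions and absent for others, so the user-based rule
    matches intermittently.
    """
    with_user = set()
    unmapped = defaultdict(list)
    for row in records:
        if row["src_user"]:
            with_user.add(row["src_ip"])
        else:
            unmapped[row["src_ip"]].append(row)
    return {ip: rows for ip, rows in unmapped.items() if ip in with_user}


def never_mapped_sources(records):
    """IPs that never carried a user at all (no agent coverage, not flapping)."""
    with_user = {r["src_ip"] for r in records if r["src_user"]}
    without = {r["src_ip"] for r in records if not r["src_user"]}
    return sorted(without - with_user)


def expiring_mappings(mappings, threshold_seconds=300):
    """IPs whose idle timeout is within the (assumed) threshold of dropping."""
    return sorted(ip for ip, m in mappings.items()
                  if m["idle_timeout"] <= threshold_seconds)


def main():
    mappings = parse_ip_user_mapping(MAPPING_OUTPUT)
    records = parse_traffic(TRAFFIC_CSV)
    for ip, rows in find_flapping_sources(records).items():
        user = mappings.get(ip, {}).get("user", "<no current mapping>")
        print(f"{ip} flaps (currently mapped to {user}):")
        for r in rows:
            print(f"  {r['receive_time']} {r['app']} {r['action']} with no user")
    print("never mapped:", never_mapped_sources(records))
    print("mappings close to idle expiry:", expiring_mappings(mappings))


if __name__ == "__main__":
    main()
```

Paste the real `show user ip-user-mapping all` output into `MAPPING_OUTPUT` and a traffic-log export (trimmed to the assumed columns) into `TRAFFIC_CSV`; an IP that shows up under "flaps" with a low idle timeout points at mapping expiry or an agent that is not seeing every logon event, while an IP under "never mapped" points at a zone or segment the agent does not cover.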