This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

User-ID IP mapping

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User-ID IP mapping

markk96
L3 Networker

‎10-19-2014 06:20 PM

Why does some traffic in the logs not have a user tied to the IP address at times even tho in the logs the IP has a user mapped to it most of the time.  This is causing policy to be dropped down to a different level.

Labels:
0 Likes Likes
5 REPLIES 5

ssharma
L5 Sessionator

‎10-19-2014 06:26 PM

Hi Markk96,

Most likely reason is there is no mapping at that time for that user for various reason. Once you notice that a user does not have user-name in monitor logs, run following commands :

> show user ip-user-mapping ip <ip_address_in_question>

Most probably you won't see a mapping. We need to find why it disappeared for a while, probably due to timeout (but too early to tell). Hope this helps. Thank you.

0 Likes Likes

markk96
L3 Networker
In response to ssharma

‎10-19-2014 06:44 PM

For my IP, if I look at the log, it does not do it often, but if I search my ip, and then look at the time stamp.  19:49:52 no user ID, 19:49:53 my user id, then several with my user ID, and then just a random one without my user id.

0 Likes Likes

ssharma
L5 Sessionator
In response to markk96

‎10-19-2014 07:17 PM

Based on your symptoms, it is most likely management-plane issue. At the end of the session when logs are generated under traffic logs, mp sends information to log receiver, if any of these process or other process are busy then most likely these information would be missed. In those scenario you will see these blank user-names. What is the software version and hardware model of your device. I would suggest restarting just the processes in question if they are running high. Hope this helps. Thank you.

0 Likes Likes

markk96
L3 Networker
In response to ssharma

‎10-19-2014 07:20 PM

Running 6.0.3 and I restarted the HA cluster 2 nights ago to see if that would help the problem.  It did not.

0 Likes Likes

ssharma
L5 Sessionator
In response to markk96

‎10-19-2014 07:26 PM

Other option to troubleshoot would be look at the user id agent's logs to see if there are any information that relates to IP in question. You can run it in debug mode and once you see the issue again, go the same time frame and look for logs related to IP. Thank you.

0 Likes Likes
  • 2872 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks