User-ID limitations for distribution

cancel
Showing results for 
Search instead for 
Did you mean: 

User-ID limitations for distribution

L0 Member

Hi folks !

 

Would like your advice on a specific issue about user-id limitations : 

One of our customer is using one central firewall to redistribute user-id mapping to more than 100 devices, and has issues about user-id process crashing on the central fw.

As far as i understood limitations on user-id redistribution, there is a limit of 100 redistribution points beneath each firewall, which is not the case, as this central fw is retrieving infos from 2 user-id agents only. It just spreads these infos to more than one hundred devices. Each remote device only has like 3 layers beneath it.

So, is this normal behavior, or is there a trick here to make it work ?

 

Subsidiary question, the windows user-id agent sometimes generates more than 150gb of traffic in a day (1gb maximum in normal times), if anyone has an idea 😉

 

Thx !

 

3 REPLIES 3

Community Team Member

Hi @ssavariau ,

 

What hardware are you running and what PAN-OS version ?

Have you checked the firewall logs for a root cause of the UID crashing ? Are there any core-files that can be analyzed ?

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

Hi Kiwi,

Firewalls are a 3220 for the hub, and 220s for spoke, running on PAN-OS 9.0.0

On the hub, distributord process was shown as running, but we still had to run CLI command "debug software restart process distributord" to make it functional again. At the time of this crash, an investigation was done, and that was the immediate solution found to correct it.

If we cannot spread user-id mapping to more than 100 devices from only one, we'll need to take a more hierarchical approach i think ?

Thx for your time !

 

Cheers

Cyber Elite
Cyber Elite

@ssavariau,

9.0 just went end of life at the beginning of this month, so you'll need to get these to 9.1 or higher sooner rather than later. If you choose to open a chase on the issue, they'll tell you to upgrade before continuing to troubleshoot I'm sure so be aware of that. If you upgrade to a supported release and run into the issue again, then you can open a TAC case and have them identify root cause on why the process locked up, it could easily be some bug in the process you're running into. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!