08-08-2013 09:15 AM
I am running OS 4.0.12 and have an issue with the user-ID / mappings not populating in the logs.
show user pan-agent statistics:
IPs Activity Timer(s) Domain Index
ncmpdcden01 10.250.12.10 5009 vsys1 *connected, ok 989 906
651185 21844256 600 ncm 0
show user ip-user-mapping:
IP Ident. By User Idle Timeout (s) Max.
Timeout (s)
Total: 0 users
I read in the documentation how to restart the service via the PAN CLI, but the debug user-id, etc. command is not available in 4.0.12... How can I restart the user-id connection? Or is there a better way to correct this issue? The PAN service on the DCs has already been restarted.
Thanks!
08-08-2013 09:43 AM
You can restart the user-id process on the 4.0.12, by restarting the device server.
>debug software restart device-server
Hope that helps.
BR,
Karthik
08-08-2013 09:47 AM
Will the >debug software restart device-server command impact traffic?
For an HA pair, should this command be executed on each one or just the active?
08-08-2013 09:55 AM
Just running the command on the Active device should be enough and it should ideally not affect the traffic as device server is a module that belongs to the management plane.
08-08-2013 10:00 AM
The device server takes care of pushing configuration to the DP, and is also responsible for URL filtering requests/responses, along with handling user id functions. The device server usually comes up real quick after we restart the service. But you can still execute the command after office hours to be on a safer side.
You can execute this command on the active, and the active firewall will synchronize the new information that it learnt after restarting the device server to its peer.
Best regards,
Karthik
08-08-2013 10:33 AM
After running the command, I still do not see user ID's populating in the logs, etc. Any other ideas?
08-08-2013 10:43 AM
Please try the steps mentioned in these links.
https://live.paloaltonetworks.com/docs/DOC-3053
https://live.paloaltonetworks.com/docs/DOC-1431
https://live.paloaltonetworks.com/docs/DOC-1308
Can you attach the output of the command,
>tail lines 500 mp-log devsrvr.log
Best regards,
Karthik
08-08-2013 10:57 AM
We had the same issue with panagent before. I cannot be sure if they are the same issue, but restarting services and also the management plane did not solve our issue. It was fixed with reboot completely.
08-08-2013 12:10 PM
I went through the documentation and verified settings, etc. The agent is connected... but not reporting any data to populate the user-id in the logs. Any other suggestions?
08-08-2013 12:16 PM
Have you tried restarting the user-id service on the machine on which the pan_agent is installed?
08-08-2013 12:29 PM
Yes. Service on the domain controller was restarted. Pan agent shows connected:
Name             IP Address      Port  Vsys    State              Users  Grps
IPs      Activity Timer(s) Domain          Index
---------------- --------------- ----- ------- ------------------ ------ ------
-------- -------- -------- --------------- -----
ncmpdcden01      10.250.12.10    5009  vsys1   *connected, ok     989    906
156050   21854450 600      ncm             0
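The symptom in this thread (agent shown as connected while the firewall holds zero IP-to-user mappings) can be checked automatically from the two CLI outputs. This is an added example, not part of the original posts or Palo Alto Networks code; it assumes the wrapped two-line row layout exactly as pasted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the two CLI outputs as pasted in this thread
# (each agent row wraps onto a second physical line).
AGENT_STATS = """\
Name IP Address Port Vsys State Users Grps
IPs Activity Timer(s) Domain Index
---------------- --------------- ----- ------- ------------------ ------ ------
-------- -------- -------- --------------- -----
ncmpdcden01 10.250.12.10 5009 vsys1 *connected, ok 989 906
156050 21854450 600 ncm 0
"""
IP_USER_MAPPING = """\
IP Ident. By User Idle Timeout (s) Max.
Timeout (s)
Total: 0 users
"""

# First physical line of an agent row: name, IP, port, vsys, state, users, groups.
ROW1 = re.compile(r"^(?P<name>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+"
                  r"(?P<vsys>\S+)\s+(?P<state>.+?)\s+(?P<users>\d+)\s+(?P<groups>\d+)$")
# Wrapped continuation: values assumed to follow the second header line's order.
ROW2 = re.compile(r"^(?P<ips>\d+)\s+(?P<activity>\d+)\s+(?P<timer>\d+)\s+"
                  r"(?P<domain>\S+)\s+(?P<index>\d+)$")

def parse_agents(text):
    """Join each wrapped agent row (two physical lines) into one record."""
    agents, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        first, second = ROW1.match(line), ROW2.match(line)
        if first:
            pending = first.groupdict()
        elif second and pending:
            pending.update(second.groupdict())
            agents.append(pending)
            pending = None
    return agents

def mapped_user_total(text):
    """Return the count from the 'Total: N users' line, or None if absent."""
    m = re.search(r"^Total:\s+(\d+)\s+users", text, re.M)
    return int(m.group(1)) if m else None

def connected_but_unmapped(stats_text, mapping_text):
    """Names of agents in a 'connected' state while the firewall has 0 mappings."""
    if mapped_user_total(mapping_text) != 0:
        return []
    return [a["name"] for a in parse_agents(stats_text)
            if a["state"].lstrip("*").startswith("connected")]
```

A non-empty result means user-based policy and log attribution are running without identity data even though the agent link looks healthy, which is the condition worth alerting on.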
08-08-2013 12:30 PM
Do you see Mappings on the Agent?
If yes, try to delete the User-ID config, commit the config, and then re-add User-ID > another commit.
P.S.: If the above steps do not work and you can afford a production traffic hiccup, try:
> debug device-server reset id-manager type all
followed by commit.
I would suggest opening a Case with support to report this issue.
08-09-2013 05:03 PM
If it was working at one point and then it stopped working, and you are using a user id agent which is installed somewhere, I would recommend you make sure that the mapping is showing up in the user id agent before restarting anything.
If the mapping is showing on the user id agent and there is no Access Control List created on it.
After that has been verified, make sure you do not have a service route for the user id agent created on the firewall:
device---> setup---> service
Then make sure on the firewall if your management traffic is passing through your dataplane ports.
If it is, then verify that you are not blocking the traffic.
Also make sure that your user id agents are connected to the firewall.
One more important thing to check is in the LDAP profile, where it has the domain box: verify it is the NetBIOS domain name and not DNS.
Hope this helps.
Thanks
08-12-2013 01:17 PM
As panos said... We also had the exact same issue (though we were using 4.1.6 at the time). We spent around 2.5 hours with Palo Engineers trying to figure it out, following all of the regular steps and removing all settings and re-adding, and removing the agent and re-adding. After a system reboot everything started working again.