User-ID stopped populating mappings - OS 4.0.12

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID stopped populating mappings - OS 4.0.12

Not applicable

I am running OS 4.0.12 and have an issu with the user-ID / mappings not populating in the logs. 

show user pan-agent statistics:

IPs      Activity Timer(s) Domain          Index

ncmpdcden01      10.250.12.10    5009  vsys1   *connected, ok     989    906

651185   21844256 600      ncm             0

show user ip-user-mapping:

IP              Ident. By User                             Idle Timeout (s) Max.

Timeout (s)

Total: 0 users

I read in documentation how to restart the service via the PAN CLI, but the debug user-id, etc command is not available in 4.0.12...  How can I restart the user-id connection?  Or is there a better way to correct this issue?  The PAN service on the DC's have already been restarted.

Thanks!

13 REPLIES 13

L5 Sessionator

You can restart the user-id process on the 4.0.12, by restarting the device server.

>debug software restart device-server

Hope that helps.

BR,

Karthik

Will the >debug software restart device-server command impact traffic?

For an HA pair, should this command be executed on each one or just the active?

Just running the command on the Active device should be enough and it should ideally not affect the traffic as device server is a module that belongs to the management plane.

The device server takes care of pushing configuration to the DP, and is also responsible for URL filtering requests/responses, along with handling user id functions. The device server usually comes up real quick after we restart the service. But you can still execute the command after office hours to be on a safer side.

You can execute this command on the active, and the active firewall will synchronize the new information that it learnt after restarting the device server to its peer.

Best regards,

Karthik

After running the command, I still do not see user ID's populating in the logs, etc.  Any other ideas?

Please try the steps mentioned in these links.

https://live.paloaltonetworks.com/docs/DOC-3053

https://live.paloaltonetworks.com/docs/DOC-1431

https://live.paloaltonetworks.com/docs/DOC-1308

Can you attach the output of the command,

>tail lines 500 mp-log devsrvr.log

Best regards,

Karthik

L6 Presenter

we had the same issue with panagent before.I cannot be sure if they are the same issue but restarting services and also management plane did not solve our issue.it was fixed with reboot completely

I went through the documentation and verified settings, etc.  The agent is connected...  but not reporting any data to populate the user-id in the logs.  Any other suggestions?

Have you tried restarting the user-id service on the machine on which the pan_agent is installed?

Yes.  Service on the domain controller was restarted.  Pan agent shows connected:

Name             IP Address      Port  Vsys     State             Users  Grps

IPs      Activity Timer(s) Domain          Index

---------------- --------------- ----- ------- ------------------ ------ ------

-------- -------- -------- --------------- -----

ncmpdcden01      10.250.12.10    5009  vsys1   *connected, ok     989    906

156050   21854450 600      ncm             0

Do you see Mappings on the Agent?

If yes, try to delete the User-ID config ,commit the config and then  Re-add User-ID >another commit.

P.S: If above steps do not work and You can afford a production traffic hick-up try :

> debug device-server reset id-manager type all

followed by commit.

I would suggest opening a Case with support to report this issue.

L5 Sessionator

If it was working at one point and then it stopped working and you are using user id agent which is installed somewhere. I would recommend you make sure that the mapping is showing up in the user id agent before restarting anything.

If the mapping is showing on the user id agent and there is not Access control List created on it.

Capture.JPG

After that has been verified make sure you do not have a service route for user id agent created on the firewall

device---> setup---> service

Capture.JPG

Then make sure on the firewall if your managment traffic is passing through your dataplane ports.

If it is, then verify that you are not blocking the traffic.

Also make sure that your user id agent are connected to the firewall.

Capture.JPG

One more important thing to check is, in ldap profile where it has domain box. verify it is netbios domain name and not dns.

Hope this helps.

Thanks

L4 Transporter

As panos said... We also had the exact same issue (though we were using 4.1.6 at the time). We spent around 2.5 hours with Palo Engineers trying to figure it following all of the regular steps and removing all settings and re-adding and removing the agent and re-adding. After a system reboot everything started working again.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.
  • 5183 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!