User-ID stopped populating mappings - OS 4.0.12

Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID stopped populating mappings - OS 4.0.12

Not applicable

I am running OS 4.0.12 and have an issu with the user-ID / mappings not populating in the logs. 

show user pan-agent statistics:

IPs      Activity Timer(s) Domain          Index

ncmpdcden01    5009  vsys1   *connected, ok     989    906

651185   21844256 600      ncm             0

show user ip-user-mapping:

IP              Ident. By User                             Idle Timeout (s) Max.

Timeout (s)

Total: 0 users

I read in documentation how to restart the service via the PAN CLI, but the debug user-id, etc command is not available in 4.0.12...  How can I restart the user-id connection?  Or is there a better way to correct this issue?  The PAN service on the DC's have already been restarted.



Yes.  Service on the domain controller was restarted.  Pan agent shows connected:

Name             IP Address      Port  Vsys     State             Users  Grps

IPs      Activity Timer(s) Domain          Index

---------------- --------------- ----- ------- ------------------ ------ ------

-------- -------- -------- --------------- -----

ncmpdcden01    5009  vsys1   *connected, ok     989    906

156050   21854450 600      ncm             0

Do you see Mappings on the Agent?

If yes, try to delete the User-ID config ,commit the config and then  Re-add User-ID >another commit.

P.S: If above steps do not work and You can afford a production traffic hick-up try :

> debug device-server reset id-manager type all

followed by commit.

I would suggest opening a Case with support to report this issue.

L5 Sessionator

If it was working at one point and then it stopped working and you are using user id agent which is installed somewhere. I would recommend you make sure that the mapping is showing up in the user id agent before restarting anything.

If the mapping is showing on the user id agent and there is not Access control List created on it.


After that has been verified make sure you do not have a service route for user id agent created on the firewall

device---> setup---> service


Then make sure on the firewall if your managment traffic is passing through your dataplane ports.

If it is, then verify that you are not blocking the traffic.

Also make sure that your user id agent are connected to the firewall.


One more important thing to check is, in ldap profile where it has domain box. verify it is netbios domain name and not dns.

Hope this helps.


L4 Transporter

As panos said... We also had the exact same issue (though we were using 4.1.6 at the time). We spent around 2.5 hours with Palo Engineers trying to figure it following all of the regular steps and removing all settings and re-adding and removing the agent and re-adding. After a system reboot everything started working again.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!