User-ID stopped working / Failed to add group to id manager


L1 Bithead

Hi Folks,

 

Just to let you know, since I found no KB article for this issue: a policy push from Panorama, or a local commit on the firewalls, ended in a strange error message regarding group assignment to policy.

 

vsys1
Error: Failed to add group to id manager
Error: Failed to parse security policy
(Module: device)
Commit failed

 

Cure comes with CLI Command: "debug user-id reset user-id-manager type user-group"

-> configure
-> commit force

 

Works like a charm!

1 REPLY 1

L1 Bithead

This can work for most commit issues as well (from my experience). I would like to add a note on what I was seeing here to maybe help others. I have "Group Mapping Settings" pushed from Panorama to my devices globally; sadly, the "Groups Included List" does not work properly when pushed to devices. I have to go in and override the mappings on each device, removing the include groups and adding them back in the override.

A commit force does work from the local device but when pushing the Template and Group Config you still get:

Details:
vsys1
Error: Failed to add group to id manager
Error: Failed to parse security policy
(Module: device)
Commit failed

This is where the override comes in to fix this on the Panorama push. The issue here is the firewall(s) don't have the group mapped that is being used in the security policy. Again this is because Panorama does not properly populate the included groups in the Group Mapping config.
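The root cause described in the reply above (a group referenced in security policy that is missing from the firewall's group mapping) can be checked for before a push. This is an added example, not part of the original posts and not Palo Alto tooling; the XML element names and their nesting are assumptions about an exported device configuration, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names (group-mapping,
# group-include-list, source-user) and their nesting are assumptions.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <group-mapping><entry name="corp-ldap"><group-include-list>
    <member>cn=vpn-users,ou=groups,dc=example,dc=com</member>
  </group-include-list></entry></group-mapping>
  <rulebase><security><rules>
    <entry name="allow-vpn"><source-user>
      <member>cn=vpn-users,ou=groups,dc=example,dc=com</member></source-user></entry>
    <entry name="allow-admins"><source-user>
      <member>CN=Net-Admins, OU=Groups, DC=example, DC=com</member></source-user></entry>
    <entry name="allow-any"><source-user><member>any</member></source-user></entry>
    <entry name="allow-bob"><source-user><member>example\\bob</member></source-user></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def norm(dn):
    """Normalize a DN for comparison: lowercase, no spaces around commas."""
    return ",".join(part.strip() for part in dn.strip().lower().split(","))

def unmapped_groups(xml_text):
    """Return {vsys: [(rule, group_dn), ...]} for groups used in security
    rules that are absent from that vsys's group-include-list."""
    root = ET.fromstring(xml_text)
    findings = {}
    for vsys in root.findall("./devices/entry/vsys/entry"):
        included = {
            norm(m.text)
            for m in vsys.findall("./group-mapping/entry/group-include-list/member")
            if m.text
        }
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            for m in rule.findall("./source-user/member"):
                user = (m.text or "").strip()
                if "=" not in user:
                    continue  # 'any' or a single user, not a DN-style group
                if norm(user) not in included:
                    findings.setdefault(vsys.get("name"), []).append(
                        (rule.get("name"), user))
    return findings

if __name__ == "__main__":
    for vsys_name, hits in unmapped_groups(SAMPLE_CONFIG).items():
        for rule_name, group in hits:
            print(f"{vsys_name}: rule '{rule_name}' uses unmapped group {group}")
```

Any rule it reports names a group the firewall would not have in its group mapping, which is the condition the reply associates with the "Failed to add group to id manager" commit error.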

 
