01-23-2023 02:16 AM
Hi Everyone,
We are facing an issue with the agent-based User-ID agent 10.1.0-21 and PAN-OS version 10.0.1.
User-IP-Mapping shows unknown for some of the users.
>show user ip-user-mapping ip x.x.x.x
IP address: x.x.x.x (vsys1)
User: unknown
From: Unknown
Idle Timeout: 0s
Max. TTL: 3s
HIP Query: Disabled
>tail follow yes mp-log useridd.log
2023-01-18 15:36:43.369 +0100 Error: pan_vsys_getaddrinfo(pan_dnsproxyd_sysd_api.c:1722): [DNS_API] getaddrinfo() failed 1, Unknown error!
2023-01-18 15:36:43.369 +0100 Error: pan_user_id_agent_resolve_ip(pan_user_id_agent.c:1948): pan_vsys_getaddrinfo failed for host=lb_domaincontroler1.abcd.com
2023-01-18 15:36:43.369 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1613): failed to resolve ip for lb_domaincontroler1.abcd.com
2023-01-18 15:36:45.557 +0100 Error: pan_vsys_getaddrinfo(pan_dnsproxyd_sysd_api.c:1722): [DNS_API] getaddrinfo() failed 1, Unknown error!
2023-01-18 15:36:45.557 +0100 Error: pan_user_id_agent_resolve_ip(pan_user_id_agent.c:1948): pan_vsys_getaddrinfo failed for host=lb_domaincontroler1.abcd.com
2023-01-18 15:36:45.557 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1613): failed to resolve ip for lb_domaincontroler1.abcd.com
2023-01-18 15:36:46.159 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1669): log query for ABCD-AD1 failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
2023-01-18 15:36:46.159 +0100 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1340): WMIC message from server ABCD-AD1: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
Executed all the commands in the documents, cleared cache and refreshed User-ID-Agent and Group Mapping.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK
Can anyone help me fix this?
Thanks in advance
01-23-2023 03:02 AM
Hi @Pankaj_Dhobe ,
From the provided logs it looks like your firewall is not able to resolve the FQDN that you use for the user-ip-mapping.
2023-01-18 15:36:45.557 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1613): failed to resolve ip for lb_domaincontroler1.abcd.com
Because of this your FW is not able to reach the User-ID agent that is running on this host. In a nutshell, your FW is not able to communicate with the server where the User-ID agent is running.
So as a first step you should verify that the firewall can resolve the FQDN (or just use an IP address) and then verify connectivity between the FW and the User-ID agent.
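An added example, not part of the original posts: a small Python triage script that splits the useridd.log excerpt quoted in this thread into its two failure classes, DNS resolution failures per host and WMI query failures per server. The log lines are copied from the first post; the function name `summarize` is hypothetical, and the name for 0x80041003 is taken from Microsoft's WMI error constants.

```python
import re
from collections import Counter

# Log lines copied from the useridd.log excerpt in the original post.
SAMPLE_LOG = """\
2023-01-18 15:36:43.369 +0100 Error: pan_vsys_getaddrinfo(pan_dnsproxyd_sysd_api.c:1722): [DNS_API] getaddrinfo() failed 1, Unknown error!
2023-01-18 15:36:43.369 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1613): failed to resolve ip for lb_domaincontroler1.abcd.com
2023-01-18 15:36:45.557 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1613): failed to resolve ip for lb_domaincontroler1.abcd.com
2023-01-18 15:36:46.159 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1669): log query for ABCD-AD1 failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
2023-01-18 15:36:46.159 +0100 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1340): WMIC message from server ABCD-AD1: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
"""

# WMI status codes (Microsoft WMI error constants); extend as needed.
WMI_CODES = {"0x80041003": "WBEM_E_ACCESS_DENIED"}

# One pattern per failure class, each matching exactly one line per event
# so the same failure is not counted twice.
DNS_RE = re.compile(r"failed to resolve ip for (\S+)")
WMI_RE = re.compile(
    r"log query for (\S+) failed: NTSTATUS: NT code (0x[0-9A-Fa-f]{8})"
)


def summarize(log_text):
    """Return (dns, wmi) Counters: dns keyed by unresolved host,
    wmi keyed by (server, status name or raw code)."""
    dns, wmi = Counter(), Counter()
    for line in log_text.splitlines():
        match = DNS_RE.search(line)
        if match:
            dns[match.group(1)] += 1
            continue
        match = WMI_RE.search(line)
        if match:
            code = match.group(2).lower()
            wmi[(match.group(1), WMI_CODES.get(code, code))] += 1
    return dns, wmi


if __name__ == "__main__":
    dns_failures, wmi_failures = summarize(SAMPLE_LOG)
    for host, count in dns_failures.items():
        print(f"DNS: {host} unresolved {count}x")
    for (server, status), count in wmi_failures.items():
        print(f"WMI: {server} returned {status} {count}x")
```

On the quoted excerpt this reports the DNS failure for lb_domaincontroler1.abcd.com separately from the WMI access-denied status returned by ABCD-AD1, which involve different hosts and can be checked independently.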
01-23-2023 03:04 AM
Hi @Pankaj_Dhobe ,
What is your cache timeout set to? I have noticed with some customers that they authenticate only in the morning. They would have User-ID mappings in the morning, but not during the day. I increased the cache timeout to 10 hours so they would have the mappings all day (work day). Here is a doc where you can determine if it is a cache timeout issue -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Uu5CAE&lang=en_US%E2%80%A....
Thanks,
Tom
01-23-2023 04:11 AM
Out of the 281 users, 58 are showing unknown. So connectivity is there as other users are authenticating successfully.
>show user ip-user-mapping all option count
Total: 281 users
> show user ip-user-mapping all option count type UNKNOWN
Total: 58 users
01-23-2023 05:47 AM - edited 01-23-2023 05:54 AM
Hi @Pankaj_Dhobe ,
In that case I am not sure that the logs you have shared are relevant to your problem. I would still suggest verifying that your firewall has a stable connection to the User-ID agent server and that DNS resolution is working as expected.
Back to your problem
- get one of the IP addresses, that are currently unknown on the firewall
- go to the user-id agent GUI and check its log if it has it in its logs
Go to Monitoring and search for that IP. Do you see it there?
Go to Logs, do you see any "failed" logs? Note that logs here will start populating from the moment you navigate to the log tab (you wouldn't see old logs here). If there are any errors, you may want to set the log level to debug.
As an additional note:
- Have you noticed any pattern in the unknown and known addresses? Do the unknown IPs share the same subnet(s)? Do you see successful user-ip-mappings for IPs from the same subnets in which you see unknowns?
- Is your user-id agent configured with any inclusion/exclusion? User Identification -> Discovery
- Is your firewall zone configured with any inclusion/exclusion? (Network -> Zones -> User Identification ACL)
I just noticed the odd firewall version that you are running. Note that 10.0 is officially out of support, but more importantly 10.0.1 is the very first maintenance release for 10.0, which naturally could be full of bugs.
I don't like to start looking for bugs before you have eliminated any other possible reason, but at the same time running such an early OS version (when there are so many bug fixes released) is like you want your firewall to crash 🙂