User-ID: User-IP mapping is 'unknown' for some AD users



L0 Member

Hi Everyone,

 

We are facing an issue with the agent-based User-ID agent 10.1.0-21 and PAN-OS version 10.0.1.

User-IP-Mapping shows unknown for some of the users.

 

>show user ip-user-mapping ip x.x.x.x

IP address: x.x.x.x (vsys1)
User: unknown
From: Unknown
Idle Timeout: 0s
Max. TTL: 3s
HIP Query: Disabled

 

>tail follow yes mp-log useridd.log

2023-01-18 15:36:43.369 +0100 Error: pan_vsys_getaddrinfo(pan_dnsproxyd_sysd_api.c:1722): [DNS_API] getaddrinfo() failed 1, Unknown error!
2023-01-18 15:36:43.369 +0100 Error: pan_user_id_agent_resolve_ip(pan_user_id_agent.c:1948): pan_vsys_getaddrinfo failed for host=lb_domaincontroler1.abcd.com
2023-01-18 15:36:43.369 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1613): failed to resolve ip for lb_domaincontroler1.abcd.com
2023-01-18 15:36:45.557 +0100 Error: pan_vsys_getaddrinfo(pan_dnsproxyd_sysd_api.c:1722): [DNS_API] getaddrinfo() failed 1, Unknown error!
2023-01-18 15:36:45.557 +0100 Error: pan_user_id_agent_resolve_ip(pan_user_id_agent.c:1948): pan_vsys_getaddrinfo failed for host=lb_domaincontroler1.abcd.com
2023-01-18 15:36:45.557 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1613): failed to resolve ip for lb_domaincontroler1.abcd.com
2023-01-18 15:36:46.159 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1669): log query for ABCD-AD1 failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
2023-01-18 15:36:46.159 +0100 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1340): WMIC message from server ABCD-AD1: NTSTATUS: NT code 0x80041003 - NT code 0x80041003

 

Executed all the commands in the documents, cleared cache and refreshed User-ID-Agent and Group Mapping.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClR1CAK

 

Can anyone help me fix this?

 

Thanks in Advance

 

4 REPLIES

Cyber Elite

Hi @Pankaj_Dhobe ,

From the provided logs it looks like your firewall is not able to resolve the FQDN that you use for the user-ip-mapping.

 

2023-01-18 15:36:45.557 +0100 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1613): failed to resolve ip for lb_domaincontroler1.abcd.com

 

Because of this your FW is not able to reach the User-ID agent that is running on this host. In a nutshell, your FW is not able to communicate with the server where the User-ID agent is running.

 

So as a first step you should verify that the firewall can resolve the FQDN (or just use the IP address), and then verify connectivity between the FW and the User-ID agent.

Cyber Elite

Hi @Pankaj_Dhobe ,

 

What is your cache timeout set to?  I have noticed with some customers that they authenticate only in the morning.  They would have User-ID mappings in the morning, but not during the day.  I increased the cache timeout to 10 hours so they would have the mappings all day (work day).  Here is a doc where you can determine if it is a cache timeout issue -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Uu5CAE&lang=en_US%E2%80%A....

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi @Astardzhiev 

 

Out of the 281 users, 58 are showing unknown. So connectivity is there as other users are authenticating successfully.

 

 

>show user ip-user-mapping all option count

Total: 281 users

 

> show user ip-user-mapping all option count type UNKNOWN

Total: 58 users

 

Hi @Pankaj_Dhobe ,

In that case I am not sure that the logs you have shared are relevant to your problem. I would still suggest verifying that your firewall has a stable connection to the User-ID agent server and that DNS resolution is working as expected.

 

Back to your problem

- get one of the IP addresses that is currently unknown on the firewall

- go to the User-ID agent GUI and check whether that IP appears in its logs


Go to Monitoring and search for that IP. Do you see it there?

Go to Logs. Do you see any "failed" logs? Note that logs here only start populating from the moment you navigate to the log tab (you won't see old logs here). If there are any errors, you may want to set the log level to debug.


 

On an additional note:

- Have you noticed any pattern in the unknown and known addresses? Do the unknown IPs share the same subnet(s)? Do you see successful user-ip-mappings for IPs from the same subnet in which you see unknowns?

- Is your User-ID agent configured with any inclusion/exclusion? User Identification -> Discovery

- Is your firewall zone configured with any inclusion/exclusion? Network -> Zones -> User Identification ACL

 

 

I just noticed the odd firewall version that you are running. Note that 10.0 is officially out of support, but more importantly 10.0.1 is the very first maintenance release for 10.0, which naturally could be full of bugs.

I don't like to start looking for bugs before you have eliminated every other possible reason, but at the same time running such an early OS version (when so many bug fixes have been released since) is like asking for your firewall to crash 🙂
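A small Python triage helper for the subnet-pattern and inclusion/exclusion checks in the reply above. This is an added example, not code from the thread or from Palo Alto Networks: it parses constructed `show user ip-user-mapping all` output (the four-column layout is an assumption; the real command prints more columns), counts known vs. unknown mappings per /24, and flags unknown IPs that fall inside a hypothetical agent exclusion list, since such hosts can never be learned.

```python
"""Triage 'unknown' User-ID mappings by subnet (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample output; the column layout (IP, vsys, source, user) is an assumption.
SAMPLE_OUTPUT = """\
IP               Vsys   From     User
10.1.10.21       vsys1  AD       abcd\\alice
10.1.10.22       vsys1  AD       abcd\\bob
10.1.20.5        vsys1  UNKNOWN  unknown
10.1.20.6        vsys1  UNKNOWN  unknown
10.1.20.7        vsys1  AD       abcd\\carol
10.1.30.9        vsys1  UNKNOWN  unknown
"""

# Hypothetical exclusion list mirroring an agent Discovery include/exclude entry.
EXCLUDED_NETWORKS = [ipaddress.ip_network("10.1.30.0/24")]

# Only rows whose first field is a dotted-quad IP are mapping rows; the header is skipped.
LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_mappings(text):
    """Return a list of (ip_address, user) tuples from the command output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((ipaddress.ip_address(m.group(1)), m.group(4)))
    return rows


def summarize_by_subnet(rows, prefix=24):
    """Count known vs. unknown mappings per /prefix subnet: {subnet: (known, unknown)}."""
    counts = defaultdict(lambda: [0, 0])
    for ip, user in rows:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)][1 if user.lower() == "unknown" else 0] += 1
    return {subnet: tuple(pair) for subnet, pair in counts.items()}


def unknown_in_excluded(rows, excluded=EXCLUDED_NETWORKS):
    """Unknown IPs that sit inside an exclusion network, where no mapping will ever appear."""
    return [str(ip) for ip, user in rows
            if user.lower() == "unknown" and any(ip in net for net in excluded)]


if __name__ == "__main__":
    mappings = parse_mappings(SAMPLE_OUTPUT)
    for subnet, (known, unknown) in sorted(summarize_by_subnet(mappings).items()):
        print(f"{subnet}: {known} known, {unknown} unknown")
    print("unknown IPs inside exclusions:", unknown_in_excluded(mappings))
```

A subnet with zero known mappings next to subnets that map fine points at an inclusion/exclusion or zone ACL setting rather than at the agent's connectivity.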
