11-11-2014 02:26 AM
Hi, I'm having a problem accessing my PA (I think because of UserID). If I try with a local user it's OK, but with my LDAP user it is not working. The users can't access via VPN either.
I can see a lot of events about "connect-agent" and suddenly "disconnect-agent"... Why this strange behaviour?
Nov 11 10:57:48 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:48 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:49 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:49 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:49 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:49 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Error: pan_comm_get_tcp_conn(comm_utils.c:565): COMM: cannot connect. remote ip=127.0.0.1 port=10000 err=Connection refused(146) sock=14
Nov 11 10:57:50 Error: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:127): pan_comm_get_tcp_conn(localhost, 10000) failed
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:52 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:52 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:52 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:52 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:52 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:52 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Error: pan_comm_get_tcp_conn(comm_utils.c:565): COMM: cannot connect. remote ip=127.0.0.1 port=10000 err=Connection refused(146) sock=14
Nov 11 10:57:55 Error: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:127): pan_comm_get_tcp_conn(localhost, 10000) failed
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:55 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:56 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:56 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:56 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:56 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:56 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:56 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:57 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:59 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:58:01 connection to MS setup
Nov 11 10:58:34 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:563): hasn't heard from Servidor wn12(1) for 63 seconds
Nov 11 10:59:40 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:563): hasn't heard from Servidor wn12(1) for 61 seconds
11-11-2014 02:31 AM
I'm adding this new log:
Nov 11 11:14:20 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:563): hasn't heard from Servidor wn12(1) for 61 seconds
Nov 11 11:15:26 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:563): hasn't heard from Servidor wn12(1) for 61 seconds
Nov 11 11:15:36 Error: pan_ssl_readn_nowait(pan_ssl_utils.c:758): SSL :error:00000000:lib(0):func(0):reason(0)
Nov 11 11:15:36 Error: pan_user_id_msg_readin(pan_user_id_msg.c:1080): pan_user_id_ssl_readn_nowait() failed.
Nov 11 11:15:36 Error: pan_user_id_agent_msgs_recv(pan_user_id_agent_msgs.c:273): pan_user_id_msg_readin() failed: ERR_SOCKET_FAIL
Nov 11 11:15:36 Error: pan_user_id_agent_send_and_recv_msgs(pan_user_id_agent.c:1665): pan_user_id_agent_msgs_recv() failed
Nov 11 11:15:36 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:568): pan_user_id_agent_send_and_recv_msgs() failed for Servidor wn12(1)
Nov 11 11:16:16 Error: pan_user_id_agent_send_and_recv_msgs(pan_user_id_agent.c:1665): pan_user_id_agent_msgs_recv() failed
Nov 11 11:16:16 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:568): pan_user_id_agent_send_and_recv_msgs() failed for UID New(1)
Nov 11 11:21:27 connecting to ldap://[10.1.1.249]:636 with StartTLS...
Nov 11 11:21:27 Error: pan_ldap_init_ex(pan_ldap.c:325): start_tls_s return(-1) : Can't contact LDAP server
Nov 11 11:21:27 connecting to ldaps://[10.1.1.249]:636 ...
Nov 11 11:21:27 ldap cfg UIA connected to 10.1.1.249:636(index 1)
Nov 11 11:22:08 Warning: pan_ldap_get_search_result(pan_ldap.c:565): Timeout exceeded in ldap_result(30)
11-11-2014 03:26 AM
Can you check if group mapping is working, to be sure LDAP is OK?
11-11-2014 03:48 AM
admin@fw1orgt(active)> show user user-id-agent state all
Agent: Servidor wn12(vsys: vsys1) Host: 10.1.1.249(10.1.1.249):4444
Status : conn:idle
Version : 0x5
num of connection tried : 6547
num of connection succeeded : 6533
num of connection failed : 14
num of status msgs rcvd : 174769
num of request of status msgs sent : 251164
num of request of ip mapping msgs sent : 124366
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 6618
num of user ip mapping msgs rcvd : 413334
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 3879296
num of user ip mapping del entries rcvd : 0
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
num of xml data msgs rcvd : 0
num of xml data msgs rcvd but failed to proc : 0
Last heard(seconds ago) : 0
Messages State:
Job ID : 0
Sent messages : 630481
Rcvd messages : 1042673
Lost messages : 63
Failed to send messages : 0
Queued sending msgs with priority 0 : 0
Queued sending msgs with priority 1 : 0
Queued rcvring msgs with priority 0 : 0
Queued rcvring msgs with priority 1 : 0
Agent: UID(vsys: vsys1) Host: 10.1.1.16(10.1.1.16):4444
Status : conn:idle
Version : 0x5
num of connection tried : 11115
num of connection succeeded : 11095
num of connection failed : 20
num of status msgs rcvd : 245573
num of request of status msgs sent : 255851
num of request of ip mapping msgs sent : 129492
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 1228
num of user ip mapping msgs rcvd : 540425
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 3723839
num of user ip mapping del entries rcvd : 0
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
num of xml data msgs rcvd : 0
num of xml data msgs rcvd but failed to proc : 0
Last heard(seconds ago) : 0
Messages State:
Job ID : 0
Sent messages : 629466
Rcvd messages : 882366
Lost messages : 45
Failed to send messages : 0
Queued sending msgs with priority 0 : 0
Queued sending msgs with priority 1 : 0
Queued rcvring msgs with priority 0 : 0
Queued rcvring msgs with priority 1 : 0
Agent: UID New(vsys: vsys1) Host: 10.1.1.18(10.1.1.18):4444
Status : conn:idle
Version : 0x5
num of connection tried : 1130
num of connection succeeded : 1127
num of connection failed : 3
num of status msgs rcvd : 243407
num of request of status msgs sent : 255701
num of request of ip mapping msgs sent : 129321
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 1392
num of user ip mapping msgs rcvd : 545414
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 3737418
num of user ip mapping del entries rcvd : 0
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
num of xml data msgs rcvd : 0
num of xml data msgs rcvd but failed to proc : 0
Last heard(seconds ago) : 0
Messages State:
Job ID : 0
Sent messages : 629472
Rcvd messages : 1232203
Lost messages : 102
Failed to send messages : 0
Queued sending msgs with priority 0 : 0
Queued sending msgs with priority 1 : 0
Queued rcvring msgs with priority 0 : 0
Queued rcvring msgs with priority 1 : 0
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
admin@fw1orgt(active)> show user user-id-service status
User ID service info:
User id service: down
Reason: user_id service is not enabled
admin@fw1orgt(active)>
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
admin@fw1orgt(active)> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): UIA
Bind DN : cn=explotacio,ou=Noestaard,ou=OTusrs,dc=orgt,dc=ad,dc=da,dc=es
Base : DC=orgt,DC=ad,DC=diba,DC=es
Group Filter: (None)
User Filter: (None)
Servers : configured 3 servers
10.1.1.8(636)
10.1.1.249(636)
Last Action Time: 1466 secs ago(took 31 secs)
Next Action Time: In 2134 secs
10.1.1.16(636)
Number of Groups: 615
cn=rrhh,ou=orgtgroups,dc=orgt,dc=ad,dc=diba,dc=es
cn=orgt.grars,ou=bus,ou=oau=distribution lists,dc=orgt,dc=ad,dc=da,dc=es
-----------------------------------------------------------------------------------------
cn=aplicextern,ou=users,ou=orgtcitrix,dc=orgt,dc=ad,dc=diba,dc=es
cn=244_castelldefels_sg,ou=orgtgroups,dc=orgt,dc=ad,dc=diba,dc=es
cn=domain admins,cn=users,dc=orgt,dc=ad,dc=diba,dc=es
cn=orgt.elprat.fax,ou=busties,ou=oalgt,ou=distribution lists,dc=orgt,dc=ad,dc=diba,dc=es
11-11-2014 03:54 AM
The connection between Palo Alto and the 3 UserID is OK, but I think there is some problem with PA and DC...
11-11-2014 04:47 AM
The problem is solved. Another Palo Alto mystery :S
The PA had 4 servers configured in the LDAP profile. One of them has not been an LDAP server for 2 months, so because of this we had communication problems. We have deleted this server from the LDAP profile and restarted all the UserID Agents, and now it's working.
Anyway, we have 3 more servers configured in the LDAP profile, so I think this shouldn't happen because the PA would use another LDAP server, right?
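An added example, not part of any post in this thread: a Python summarizer for the kind of User-ID log pasted above, which collapses the retry-throttle flood and groups the remaining errors by component (local connection refused, silent agents, LDAP failures per server). The function and pattern names are hypothetical, and attributing an LDAP error to the most recently named server is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Excerpt of log lines quoted in this thread, with the warning flood shortened.
SAMPLE_LOG = """\
Nov 11 10:57:49 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:49 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:57:50 Error: pan_comm_get_tcp_conn(comm_utils.c:565): COMM: cannot connect. remote ip=127.0.0.1 port=10000 err=Connection refused(146) sock=14
Nov 11 10:57:50 Warning: pan_to_ms_conn_tcp_channel_setup(pan_to_ms_conn.c:119): Too close to last failed connection
Nov 11 10:58:34 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:563): hasn't heard from Servidor wn12(1) for 63 seconds
Nov 11 10:59:40 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:563): hasn't heard from Servidor wn12(1) for 61 seconds
Nov 11 11:21:27 connecting to ldap://[10.1.1.249]:636 with StartTLS...
Nov 11 11:21:27 Error: pan_ldap_init_ex(pan_ldap.c:325): start_tls_s return(-1) : Can't contact LDAP server
Nov 11 11:21:27 connecting to ldaps://[10.1.1.249]:636 ...
Nov 11 11:21:27 ldap cfg UIA connected to 10.1.1.249:636(index 1)
Nov 11 11:22:08 Warning: pan_ldap_get_search_result(pan_ldap.c:565): Timeout exceeded in ldap_result(30)
"""

# "<timestamp> [<Level>: <func>(<file>:<line>): ]<message>"; the bracketed part is optional.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?:(?P<level>Error|Warning): "
                  r"(?P<func>\w+)\((?P<src>[\w.]+:\d+)\): )?(?P<msg>.*)$")
REFUSED = re.compile(r"remote ip=(\S+) port=(\d+) err=Connection refused")
SILENT = re.compile(r"hasn't heard from (.+?)\(\d+\) for (\d+) seconds")
LDAP_TARGET = re.compile(r"connecting to ldaps?://\[([\d.]+)\]:(\d+)|connected to ([\d.]+):(\d+)")
LDAP_FAIL = re.compile(r"Can't contact LDAP server|Timeout exceeded in ldap_result")


def summarize(text):
    """Collapse a User-ID daemon log into per-component failure signals."""
    out = {"flood": Counter(), "refused": Counter(),
           "silent_agents": defaultdict(list), "ldap_failures": defaultdict(list)}
    ldap_target = None  # assumption: an LDAP error belongs to the last server named
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if m["level"] == "Warning" and "Too close to last failed connection" in msg:
            out["flood"][m["src"]] += 1          # throttle noise: count, do not list
        elif r := REFUSED.search(msg):
            out["refused"][f"{r[1]}:{r[2]}"] += 1
        elif s := SILENT.search(msg):
            out["silent_agents"][s[1]].append(int(s[2]))
        elif t := LDAP_TARGET.search(msg):
            ldap_target = f"{t[1] or t[3]}:{t[2] or t[4]}"
        elif LDAP_FAIL.search(msg):
            out["ldap_failures"][ldap_target or "unknown"].append((m["ts"], msg))
    return out


if __name__ == "__main__":
    for section, data in summarize(SAMPLE_LOG).items():
        print(section, dict(data))
```

Run against a full log, a server that appears under `ldap_failures` on every refresh cycle is a candidate for the kind of stale LDAP profile entry described in the post above.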
11-11-2014 04:47 AM
Hello COS,
It seems the above-mentioned symptoms match the KB DOC: SSL connection failing between User-Id agent and PAN
Could you please try the CLI commands below and let me know the result:
Reset the connection between the User ID agent and the firewall
> debug user-id reset user-id-agent <userid/ all>
Restart the userid daemon
> debug software restart user-id
Hope this helps.
Thanks
11-11-2014 04:52 AM
You can use 4 DCs here for redundancy.
One of the DCs you used now seems to be working.
11-12-2014 12:13 AM
Hello
You didn't tell us the PAN-OS version. On 6.0.5 and 6.0.6 there is a problem with userid - I have a support case, but my problems are different (after restart my device has a problem with communication to the Radius server).
The problem is fixed in 6.0.7 and 6.1.0.
Regards
Slawek
11-12-2014 08:24 AM
Please ask support if this PAN is affected by this issue.