10-21-2014 04:25 AM
We are using 4 User-id Agents and today some users started experiencing problems with certain sites they use. The same sites for all users.... but not all sites. We have many ad group based rules and some are still working while others seem to have stopped working.
Looking at the logs I see their userid isn't detected for the blocked traffic but it is for other traffic. Also different AD groups are used by different users and the common factor seems to be the destination IP rather than the AD group used to access it.
Nothing appears to have changed and the there is only one userid mapped to the IP of the user. Some users have regained access after logging out and back in... but this has not worked for eveyone. User-ID agents have all been restarted and don't show any problems as far as I can tell.
I'm at a bit of a loss as to how to troubleshoot this really so any help would be appreciated.
Firewalls are PA-5050's running 5.0.7
10-22-2014 03:55 AM
Thanks for the replies. We logged a ticket with our support partner and this turns out to be a bug. #64166
After approximately 388 days of uptime, the firewall lost the IP address to username mappings on the dataplane. This issue has been addressed so that the firewall does not lose IP address to username mappings when it reaches this uptime.
Since the firewalls rolled over to 388 days at the weekend.
The engineer confirmed by running
show ip-user-mapping all
which returned no results.
show ip-user-mapping-mp all
was populated.
The engineer also advised that this issue is only fixed in 6.0.4 and the workaround is a hard reboot.
10-21-2014 06:41 AM
Hello Cdp181,
If logs show no up with no 'user-mapping' for the denied traffic, it could mainly be because of
i) no ip-user mapping for that ip/user : check CLI command >show user ip-user-mapping all
ii) no group mapping : check > show user group list
iii) the user is not identified part of that group :check > show user group name "cn=xxxxxx -name of group"
- it will show the way the user id is expecting its users ie domain\username. Make sure it matches with user-ip mapping shown in output i)
iv) security rule has group in its source user part with a 'single user icon(means a user)' rather than 'double user icon(means a group)' :In this condition, most likely the group is not identified properly, you can try deleting and adding the groups/users again.
v) Make sure that the source zone has user-identification enabled
Let us know how it works.
Regards,
Dileep
10-21-2014 06:41 AM
Hi CDP,
Its difficult to answer this question in one post, however I will try my best.
First thing is firewall is on 5.0.7 which is atleast one year old release, I would suggest to upgrade to 5.0.13 for future issues. Potentially firewall is effected with one of user-id bug.
In this type of situation its either user-ip mapping issue or group mapping issue. Bottom line is its not a policy or particular destination issue.
Lets say if user x is having issue, could you please provide me output for
show user ip-user-mapping ip <x>
This will help us to determine potential user-ip or group mapping issue.
Regards,
Hardik Shah
10-22-2014 03:55 AM
Thanks for the replies. We logged a ticket with our support partner and this turns out to be a bug. #64166
After approximately 388 days of uptime, the firewall lost the IP address to username mappings on the dataplane. This issue has been addressed so that the firewall does not lose IP address to username mappings when it reaches this uptime.
Since the firewalls rolled over to 388 days at the weekend.
The engineer confirmed by running
show ip-user-mapping all
which returned no results.
show ip-user-mapping-mp all
was populated.
The engineer also advised that this issue is only fixed in 6.0.4 and the workaround is a hard reboot.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
