Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Userid Not detected for some traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Userid Not detected for some traffic

L1 Bithead

We are using 4 User-id Agents and today some users started experiencing problems with certain sites they use.  The same sites for all users.... but not all sites.  We have many ad group based rules and some are still working while others seem to have stopped working.

Looking at the logs I see their userid isn't detected for the blocked traffic but it is for other traffic.  Also different AD groups are used by different users and the common factor seems to be the destination IP rather than the AD group used to access it.

Nothing appears to have changed and the there is only one userid mapped to the IP of the user.  Some users have regained access after logging out and back in... but this has not worked for eveyone.  User-ID agents have all been restarted and don't show any problems as far as I can tell.

I'm at a bit of a loss as to how to troubleshoot this really so any help would be appreciated.

Firewalls are PA-5050's running 5.0.7

1 accepted solution

Accepted Solutions

Thanks for the replies.  We logged a ticket with our support partner and this turns out to be a bug.  #64166

After approximately 388 days of uptime, the firewall lost the IP address to username mappings on the dataplane. This issue has been addressed so that the firewall does not lose IP address to username mappings when it reaches this uptime.

Since the firewalls rolled over to 388 days at the weekend.

The engineer confirmed by running

     show ip-user-mapping all

which returned no results.

     show ip-user-mapping-mp all

was populated. 

The engineer also advised that this issue is only fixed in 6.0.4 and the workaround is a hard reboot.

View solution in original post

3 REPLIES 3

L4 Transporter

Hello Cdp181,

If logs show no up with no 'user-mapping' for the denied traffic, it could mainly be because of

i) no ip-user mapping for that ip/user        : check CLI command >show user ip-user-mapping all

ii) no group mapping                                 : check > show user group list

iii) the user is not identified part of that group      :check  > show user group name "cn=xxxxxx -name of group"

                                                                                          - it will show the way the user id is expecting its users ie domain\username. Make sure it matches with user-ip mapping shown in output i)

iv) security rule has group in its source user part with a 'single user icon(means a user)' rather than 'double user icon(means a group)'     :In this condition, most likely the group is not identified properly, you can try deleting and adding the groups/users again.

v) Make sure that the source zone has user-identification enabled

Let us know how it works.

Regards,

Dileep

L6 Presenter

Hi CDP,

Its difficult to answer this question in one post, however I will try my best.

First thing is firewall is on 5.0.7 which is atleast one year old release, I would suggest to upgrade to 5.0.13 for future issues. Potentially firewall is effected with one of user-id bug.

In this type of situation its either user-ip mapping issue or group mapping issue. Bottom line is its not a policy or particular destination issue.

Lets say if user x is having issue, could you please provide me output for

show user ip-user-mapping ip <x>

This will help us to determine potential user-ip or group mapping issue.

Regards,

Hardik Shah

Thanks for the replies.  We logged a ticket with our support partner and this turns out to be a bug.  #64166

After approximately 388 days of uptime, the firewall lost the IP address to username mappings on the dataplane. This issue has been addressed so that the firewall does not lose IP address to username mappings when it reaches this uptime.

Since the firewalls rolled over to 388 days at the weekend.

The engineer confirmed by running

     show ip-user-mapping all

which returned no results.

     show ip-user-mapping-mp all

was populated. 

The engineer also advised that this issue is only fixed in 6.0.4 and the workaround is a hard reboot.

  • 1 accepted solution
  • 4952 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!