Why does User-ID suddenly stops ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Why does User-ID suddenly stops ?

L3 Networker

Hello,

We have a customer who is using PA-3020 in L3 A/P cluster, running PanOS 5.0.2.

We have set up User-ID with PanAgent services (Primary and Secondary) installed on two different servers members of the domain.

User-ID is configured to be based on :

- Security logs

- Sessions

- Probing

On 4 different servers :

- 2 AD servers

- 2 Exchange servers

The User-ID agents and the monitored servers are all well connected, and there is nothing wrong in the system logs regarding User-ID.

Most of the time, all is working fine : users are well identified and thus the proper rules are applied (based on user groups).

However, it seems that sometimes the User-ID just stops, and the users are no more identified. Indeed, we can see in the traffic log monitoring that the Source User field is empty. As a result, the applied rule is not the right one and the URL Filtering profile that is applied is not the expected one.

The customer is obviously complaining about this and I don't really know how to figure out what's wrong with this User-ID...

You can see on the following prinscreen that the Source User field is suddenly empty, and starting this point, the matched rule is of course not the same.

The user-ID agents are connected as you can see

And the monitored servers as well

Finally, the User-ID restarts after just 1 hour

How can I monitor the User-ID and ensure that this won't occur again ?

Or maybe this is a bug ?

Kind Regards,

Laurent

2 REPLIES 2

L7 Applicator

While I don't know exactly why this is happening, there have been a great deal of fixes to various User-ID issues between 5.0.2 and 5.0.9. Some of the changes were indeed regarding ip-to-user mappings not displaying in logs, so it might be worth upgrading to 5.0.9 to see if the issue is resolved before going with a support ticket.

That said, you can also turn on debugging in the user ID process and tail the log. When the mapping starts to show up blank, turn off debugging and parse through the log to see what may be happening.

Turn on the debug:

> debug user-id on debug

Turn off the debug:

> debug user-id on info

Parse through the log (uses standard linux "less" navigation):

> less mp-log useridd.log

That may help explain what is going on when the mapping stops to display.

Hope this helps,

Greg

Hi Greg,

Thanks for these helpful advices.

I will first try the debug procedure you suggested (I only have PaloAlto ACE certification, also I don't know about troubleshooting tips).

Then I will suggest the customer to perform an upgrade to last 5.0.9 release.

Regards,

Laurent

  • 3055 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!