I've been seeing the following error in our user id agent logs (3.1 agent).
2012 03 21 11:13:33, Number of pending entries(4540) exceeds max. allowed(1000)
Anyone know about this max limit? Can it be modified? Do failed polls just accumulate indefinitely? Will extending polling windows alleviate this or adding additional user id agents?
1000 seems sort of low, especially since the WMI polling window can be changed.
From what I've found searching on that error, it looks like this happens if there are too many unknown IPs that are sent to the pan-agent from the Palo Alto Device.
"Pan-agent can only keep 1000 unknown IPs in the queue. For each unknown IP, pan-agent needs to use NetBios/WMI to query the IP if NetBios/WMI is configured. So, since the max amount of unknown ips that the pan agent will keep is 1000, if the incoming unknown IP exceeds that rate, those new unknown IPs will be dropped and you will see this log. "
Ideally, you would rather fix the unknowns by creating exclude lists on the agent where it's not trying to map every single IP or network if possible. If this isn't possible, we still need to try and fix the root of the issue which is all the unknowns.
> show user ip-user-mapping type UNKNOWN
This should show you all of the unknown users on the Firewall. Note, it may be different than the agent.
If you're unable to figure out why the users are unknown and not getting mapped, you can respond here, but you may need to get a case opened with us to investigate.
I think the statement of ".... those new unknown ips will be dropped" is incorrect. I've restarted the user id agent service and the number being reported ramps up from 1001 to (currently) over 5000. I think the ones it can't get to are just re-added to the queue.
I typed in the CLI command to see unknown users on the firewall and it came back with zero.
Questions: How does this list of unknown user to ips work with the known users to ips that are polled every wmi probe time (60 min for us)? Is it the same queue? Will shortening or lengthening the wmi probing window make it better or worse?
I know that unknown user to ip traffic is sent from the PAN to the user id agent for immediate polling to id them. Is this added to the known user to ips that are normally polled at WMI time intervals (documentation indicates as such)? If that is the case, then each user id agent can handle no more than 1000 individual IPs - otherwise it would automatically be over 1000 each poll period.
The example cited in the document (User-ID Best Practices PAN-OS 4.1) of 6000 computers being polled at 10 minute intervals would automatically exceed the max queue length since ALL of the 6000 ips would be queued at once to poll every 10 minutes. Or is there some sort of interval within those 10 minutes to split the ips up? Or are unknown users for ips placed in a different queue?
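One way to turn the agent log line quoted in this thread into a trend check, so that a backlog that keeps climbing after a service restart (as described above) stands out from a one-off spike. This is an added example, not code from the thread or from Palo Alto Networks; it assumes the log line format is exactly as quoted, and the sample log (including the "service restarted" line) is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the User-ID agent log line quoted in the thread:
# "2012 03 21 11:13:33, Number of pending entries(4540) exceeds max. allowed(1000)"
PENDING_RE = re.compile(
    r"^(?P<ts>\d{4} \d{2} \d{2} \d{2}:\d{2}:\d{2}), "
    r"Number of pending entries\((?P<pending>\d+)\) exceeds max\. allowed\((?P<max>\d+)\)$"
)

# Constructed sample: two overflow lines, a (hypothetical) restart marker, then the
# count ramping back up the way the poster observed (1001 -> over 5000).
SAMPLE_LOG = """\
2012 03 21 11:13:33, Number of pending entries(4540) exceeds max. allowed(1000)
2012 03 21 11:18:33, Number of pending entries(4612) exceeds max. allowed(1000)
2012 03 21 11:20:01, User-ID agent service restarted
2012 03 21 11:25:33, Number of pending entries(1001) exceeds max. allowed(1000)
2012 03 21 11:30:33, Number of pending entries(2350) exceeds max. allowed(1000)
2012 03 21 11:35:33, Number of pending entries(5120) exceeds max. allowed(1000)
"""

@dataclass
class PendingEvent:
    ts: str
    pending: int
    max_allowed: int

def parse_line(line: str) -> Optional[PendingEvent]:
    """Return a PendingEvent for a queue-overflow line, None for any other line."""
    m = PENDING_RE.match(line.strip())
    return PendingEvent(m["ts"], int(m["pending"]), int(m["max"])) if m else None

def parse_log(text: str) -> List[PendingEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def trailing_increase_run(events: List[PendingEvent]) -> int:
    """Length of the final run of strictly increasing pending counts (1 = no growth)."""
    run = 1 if events else 0
    for i in range(len(events) - 1, 0, -1):
        if events[i].pending <= events[i - 1].pending:
            break
        run += 1
    return run

def backlog_summary(events: List[PendingEvent]) -> dict:
    """'growing' if the last three or more overflow lines each exceed the previous one."""
    if not events:
        return {"state": "clear", "peak": 0, "overflow_ratio": 0.0}
    peak = max(e.pending for e in events)
    state = "growing" if trailing_increase_run(events) >= 3 else "steady"
    return {"state": state, "peak": peak,
            "overflow_ratio": round(peak / events[-1].max_allowed, 2)}
```

Feed it a real agent log instead of SAMPLE_LOG to see whether the pending count plateaus or keeps climbing between polls; a climbing count after a restart supports the observation that unreachable IPs are being re-queued rather than dropped.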