Windows User-ID Agent Disconnect After Failover

Hi All,

I have a customer who had an issue with WMI using agentless User-ID due to a Microsoft security update.

We decided to move to the Windows User-ID Agent installed on a domain member Windows Server 2016.

PAN-OS 10.2.2 and installed agent version 10.2.1-101.

In the Data Redistribution I can see the agent is connected.


Customer found that if failover occurs, the agent is disconnected.

I was able to reproduce this in a lab running the same configuration on VMware.

I tried to upgrade to 10.2.3-hf2 but still the same behavior.


If I run the command "show user user-id-agent config all" on any gateway while the secondary is active, I get the following output:
Server error : op command for client useridd timed out as client is not available
When the primary is active, I get this error only when I run the command on the secondary (passive) gateway. The primary (active) will output the configuration.


If I run the command "show user user-id-agent state all" on the secondary when it's passive, I get the output:

Cannot get config from agent winsrv_user-id_agent: Error: Failed to connect to
No User-ID Agent agents in vsys vsys1

This makes sense as it is passive and should not be able to connect. But when the secondary is active, I get only:

No User-ID Agent agents in vsys vsys1


Does anyone have any idea regarding this behavior?
