Can you provide more information? What version of PAN-OS? Are you using sAMAccountName and userPrincipalName? Do you have the User-ID agent parsing every single security event log on every DC? Do you have "enable user-id" on for every internal zone? Do you use Terminal Services? If so, do you have that agent in that environment as well? Are you using the same SPG for all rules, or do you have multiple SPGs? Depending on your environment you can have one source subnet hitting a different policy with a different SPG and URL filter if configured.

I have seen issues where a person is using a cached authentication in Windows when not connected to work via VPN and then attempts access, which fails with the same type of error. For testing I would use sites that are not super-trackers to see if the issue is as simple as all internal zones having User-ID enabled.

I would also check to see what it shows from the command line when it fails:

    > show user ip-user-mapping all | match ken
    IP            VSYS   Source  user  idletimeout  maxtimeout
    10.10.10.10   vsys1  UIA     ken   2715         2715

Can the firewall get the updated LDAP group membership?

    > show user group list cn=blah.blah.f00
    > show user group name cn=blah.blah.f00
    > show user group-mapping state f00
    Servers : configured 2 servers
    Last Action Time: 336 secs ago(took 12 secs)
    Next Action Time: In 3264 secs
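As an added example (not from the reply above or from Palo Alto Networks), the following Python script parses the `show user ip-user-mapping all` output in the column layout shown above and flags the conditions the reply is troubleshooting: an IP with no User-ID mapping, an IP mapped to a different (possibly stale or cached) user, and a mapping whose idle timeout is about to expire. The sample output, user names and the 300-second warning threshold are constructed assumptions.

```python
"""Sanity checks over PAN-OS 'show user ip-user-mapping all' output (example, not vendor code)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Mapping:
    ip: str
    vsys: str
    source: str      # e.g. UIA = User-ID agent
    user: str
    idle_timeout: int
    max_timeout: int


def parse_ip_user_mappings(output: str) -> List[Mapping]:
    """Parse the six-column table: IP VSYS Source user idletimeout maxtimeout."""
    mappings = []
    for line in output.splitlines():
        parts = line.split()
        # Skip blank lines, the header row and anything that is not a 6-column data row.
        if len(parts) != 6 or parts[0].upper() == "IP":
            continue
        ip, vsys, source, user, idle, mx = parts
        mappings.append(Mapping(ip, vsys, source, user, int(idle), int(mx)))
    return mappings


def check_mapping(mappings: List[Mapping], ip: str, expected_user: str,
                  expiry_warn_secs: int = 300) -> List[str]:
    """Return a list of problems for one host; an empty list means the mapping looks healthy."""
    problems = []
    found = [m for m in mappings if m.ip == ip]
    if not found:
        return [f"{ip}: no User-ID mapping, traffic from this host will not match user-based rules"]
    for m in found:
        if m.user.lower() != expected_user.lower():
            problems.append(f"{ip}: mapped to {m.user!r}, expected {expected_user!r} (stale or cached logon?)")
        if m.idle_timeout <= expiry_warn_secs:
            problems.append(f"{ip}: mapping for {m.user} expires in {m.idle_timeout}s of {m.max_timeout}s")
    return problems


# Constructed sample output in the layout shown in the reply above.
SAMPLE_OUTPUT = """\
IP              VSYS   Source  user   idletimeout  maxtimeout
10.10.10.10     vsys1  UIA     ken    2715         2715
10.10.10.11     vsys1  UIA     jane   120          2715
"""

if __name__ == "__main__":
    mappings = parse_ip_user_mappings(SAMPLE_OUTPUT)
    for host, user in [("10.10.10.10", "ken"), ("10.10.10.11", "jane"), ("10.10.10.12", "bob")]:
        print(host, check_mapping(mappings, host, user) or "OK")
```

Pipe the real CLI output into the parser (or paste it into `SAMPLE_OUTPUT`) and compare against the user you expect on each host; a clean mapping that still hits the wrong policy points at the zone, SPG or group-mapping side rather than the agent.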