SSL Connection Fails Between User-ID Agent and the Palo Alto Networks Firewall


66362
Created On 09/25/18 19:43 PM - Last Modified 06/06/23 19:51 PM




Issue

The User-ID agent is unable to send user-to-IP mappings to the firewall even though it is connected to the firewall.

Symptoms

  • The connection between the agent and the firewall is established:

> show user user-id-agent statistics

Name            Host            Port  Vsys    State            Ver Usage
---------------------------------------------------------------------------
userid          172.17.132.52  25555 vsys1  conn:idle        5

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used

  • Counters for IP mapping messages sent and received remain at zero, while status messages keep flowing:

> show user user-id-agent state all

Agent: userid(vsys: vsys1) Host: 172.17.132.52(172.17.132.52):25555
        Status                                     : conn:idle(Connected to 172.17.132.52(source: 255.255.255.255))
        Version                                    : 0x5
        num of connection tried                    : 36
        num of connection succeeded                : 4
        num of connection failed                   : 32
        num of status msgs rcvd                    : 50495
        num of request of status msgs sent         : 50495
        num of request of ip mapping msgs sent     : 0
        num of request of new ip mapping msgs sent : 0
        num of request of all ip mapping msgs sent : 0
        num of user ip mapping msgs rcvd           : 0
        num of ip msgs rcvd but failed to proc     : 0
        num of user ip mapping add entries rcvd    : 33
        num of user ip mapping del entries rcvd    : 16
        num of request of group msgs sent          : 0
        num of group msgs rcvd                     : 0
        num of group msgs recvd buf fail to proc   : 0
        Last heard(seconds ago)                    : 1

  • User-ID logs indicate SSL problems with the connection (Connection between agent and firewall is always encrypted in an SSL tunn

> less mp-log useridd.log

Jun 22 13:52:21 Error: pan_ssl_readn_nowait(pan_ssl_utils.c:536): SSL :error:00000000:lib(0):func(0):reason(0)
Jun 22 13:52:21 Error: pan_user_id_msg_readin(pan_user_id_msg.c:961): pan_user_id_ssl_readn_nowait() failed.
Jun 22 13:52:21 Error: pan_user_id_agent_msgs_recv(pan_user_id_agent_msgs.c:180): pan_user_id_msg_readin() failed: ERR_SOCKET_FAIL
Jun 22 13:52:21 Error: pan_user_id_agent_send_and_recv_msgs(pan_user_id_agent.c:1347): pan_user_id_agent_msgs_recv() failed
Jun 22 13:52:21 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:452): pan_user_id_agent_send_and_recv_msgs() failed for AD01(4)
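As an added example, not part of this article or of PAN-OS, a small Python checker that parses `show user user-id-agent state all` counters and `useridd.log` lines of the shape shown above and reports the symptom pattern the article describes; the sample inputs are constructed from the outputs above and the finding labels are my own.

```python
# Constructed sample in the shape of "show user user-id-agent state all".
STATE_OUTPUT = """\
Agent: userid(vsys: vsys1) Host: 172.17.132.52(172.17.132.52):25555
        Status : conn:idle(Connected to 172.17.132.52(source: 255.255.255.255))
        num of connection tried : 36
        num of connection succeeded : 4
        num of connection failed : 32
        num of status msgs rcvd : 50495
        num of request of status msgs sent : 50495
        num of request of ip mapping msgs sent : 0
        num of user ip mapping msgs rcvd : 0
"""
# Constructed sample lines in the shape of mp-log useridd.log.
LOG_LINES = [
    "Jun 22 13:52:21 Error: pan_ssl_readn_nowait(pan_ssl_utils.c:536): "
    "SSL :error:00000000:lib(0):func(0):reason(0)",
    "Jun 22 13:52:21 Error: pan_user_id_agent_msgs_recv(pan_user_id_agent_msgs.c:180): "
    "pan_user_id_msg_readin() failed: ERR_SOCKET_FAIL",
]


def parse_state(text):
    """Turn the 'key : value' lines into a dict; numeric values become ints."""
    state = {}
    for line in text.splitlines():
        if line.startswith("Agent:") or ":" not in line:
            continue  # header line or blank
        key, _, value = line.partition(":")  # split at the first colon only
        value = value.strip()
        state[key.strip()] = int(value) if value.isdigit() else value
    return state


def diagnose(state_text, log_lines):
    """Return the symptom findings from this article that the inputs exhibit."""
    s = parse_state(state_text)
    findings = []
    connected = s.get("Status", "").startswith("conn:")
    no_mapping_traffic = (s.get("num of request of ip mapping msgs sent", 0) == 0
                          and s.get("num of user ip mapping msgs rcvd", 0) == 0)
    # Status traffic flows but no mapping requests ever go out.
    if connected and s.get("num of status msgs rcvd", 0) > 0 and no_mapping_traffic:
        findings.append("connected but no IP-mapping traffic")
    # Repeated reconnects point at the SSL session being torn down.
    if s.get("num of connection failed", 0) > s.get("num of connection succeeded", 0):
        findings.append("connection failures exceed successes")
    if any("pan_ssl_readn_nowait" in line or "SSL :error" in line for line in log_lines):
        findings.append("SSL read errors in useridd.log")
    return findings
```

When all three findings appear together, the reset steps in the Resolution section below are the ones to try.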

 

Resolution

  • Reset the connection between the User-ID agent and the firewall:

> debug user-id reset user-id-agent <userid/ all>

  • If the reset does not help, restart the userid daemon itself:

> debug software restart user-id

After either step, re-run `show user user-id-agent state all` and confirm that the ip mapping counters start incrementing and that `useridd.log` no longer shows the SSL read errors.

owner: kadak



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbiCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail