Issue
The User-ID agent is unable to send user-to-IP mappings to the firewall even though it is connected to the firewall.
Symptoms
- Connection between agent and firewall is working properly
> show user user-id-agent statistics
Name     Host            Port    Vsys    State       Ver   Usage
---------------------------------------------------------------------------
userid   172.17.132.52   25555   vsys1   conn:idle   5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used
- Counters for IP mapping messages sent and received remain at zero
> show user user-id-agent state all
Agent: userid(vsys: vsys1) Host: 172.17.132.52(172.17.132.52):25555
Status : conn:idle(Connected to 172.17.132.52(source: 255.255.255.255))
Version : 0x5
num of connection tried : 36
num of connection succeeded : 4
num of connection failed : 32
num of status msgs rcvd : 50495
num of request of status msgs sent : 50495
num of request of ip mapping msgs sent : 0
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 0
num of user ip mapping msgs rcvd : 0
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 33
num of user ip mapping del entries rcvd : 16
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
Last heard(seconds ago) : 1
- User-ID logs indicate SSL problems with the connection (Connection between agent and firewall is always encrypted in an SSL tunn
> less mp-log useridd.log
Jun 22 13:52:21 Error: pan_ssl_readn_nowait(pan_ssl_utils.c:536): SSL :error:00000000:lib(0):func(0):reason(0)
Jun 22 13:52:21 Error: pan_user_id_msg_readin(pan_user_id_msg.c:961): pan_user_id_ssl_readn_nowait() failed.
Jun 22 13:52:21 Error: pan_user_id_agent_msgs_recv(pan_user_id_agent_msgs.c:180): pan_user_id_msg_readin() failed: ERR_SOCKET_FAIL
Jun 22 13:52:21 Error: pan_user_id_agent_send_and_recv_msgs(pan_user_id_agent.c:1347): pan_user_id_agent_msgs_recv() failed
Jun 22 13:52:21 Error: pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:452): pan_user_id_agent_send_and_recv_msgs() failed for AD01(4)
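The symptom pattern above (agent connected, status messages flowing, IP mapping message counters at zero, SSL read errors in useridd.log) can be checked mechanically against captured CLI output. The following Python is an added example, not part of the original article or of any Palo Alto Networks tool; the function names and the trimmed sample input are constructed for illustration, and it assumes a connected agent reports a Status beginning with "conn:".

```python
import re

# Constructed sample input: trimmed copies of the CLI output and log lines in this article.
STATE_OUTPUT = """\
Agent: userid(vsys: vsys1) Host: 172.17.132.52(172.17.132.52):25555
Status : conn:idle(Connected to 172.17.132.52(source: 255.255.255.255))
num of status msgs rcvd : 50495
num of request of ip mapping msgs sent : 0
num of user ip mapping msgs rcvd : 0
Last heard(seconds ago) : 1
"""
LOG_OUTPUT = """\
Jun 22 13:52:21 Error: pan_ssl_readn_nowait(pan_ssl_utils.c:536): SSL :error:00000000:lib(0):func(0):reason(0)
Jun 22 13:52:21 Error: pan_user_id_msg_readin(pan_user_id_msg.c:961): pan_user_id_ssl_readn_nowait() failed.
"""

def parse_state(text):
    """Parse the 'name : value' lines of 'show user user-id-agent state all'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+:\s+(.*)$", line)
        if m:
            value = m.group(2).strip()
            fields[m.group(1)] = int(value) if value.isdigit() else value
    return fields

def diagnose(state_text, log_text=""):
    """Return findings that match the symptoms listed in this article."""
    s = parse_state(state_text)
    def count(name):  # None when the counter is missing or not numeric
        v = s.get(name)
        return v if isinstance(v, int) else None
    findings = []
    # Assumption: a connected agent reports a Status starting with "conn:" (as in conn:idle).
    connected = str(s.get("Status", "")).startswith("conn:")
    status_rcvd = count("num of status msgs rcvd")
    map_sent = count("num of request of ip mapping msgs sent")
    map_rcvd = count("num of user ip mapping msgs rcvd")
    if connected and status_rcvd and map_sent == 0 and map_rcvd == 0:
        findings.append("connected and exchanging status msgs, but IP mapping counters are zero")
    # Count only the root SSL read error, not the callers that propagate it.
    ssl_errors = [l for l in log_text.splitlines() if "Error: pan_ssl_readn_nowait(" in l]
    if ssl_errors:
        findings.append(f"{len(ssl_errors)} SSL read error(s) in useridd.log")
    return findings

if __name__ == "__main__":
    for finding in diagnose(STATE_OUTPUT, LOG_OUTPUT):
        print("FINDING:", finding)
```

A missing or non-numeric counter is treated as unknown rather than zero, so truncated output does not raise a false finding.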
Resolution
- Reset the connection between the User ID agent and the firewall
> debug user-id reset user-id-agent <userid/ all>
- Restart the userid daemon itself
> debug software restart user-id
owner: kadak