The User-ID agent status on the Palo Alto Networks firewall shows as 'not-conn.'
admin@PA> show user user-id-agent state all
Agent: Agent1(vsys: vsys1) Host: 10.129.80.47:5007
Status : not-conn:idle
Version : 0x0
num of connection tried : 13
num of connection succeeded : 0
.....
From the GUI, the status looks like this:
The 'not-conn' (not connected) status can have several causes. Check the following:
In a high-availability pair, only the active firewall connects to the User-ID agent; the passive firewall always shows as Not Connected.
Make sure the User-ID agent is properly installed on the machine/server and that the host is listening on port 5007: User-ID Agent Setup Tips
Make sure the firewall can reach the User-ID agent through the configured service route and that port 5007 is not blocked anywhere along the path.
If using a User-ID collector, make sure the redistribution firewall is configured properly and is reachable from the firewall. Also be sure the required services and policies are allowed on the redistribution firewall: Configure a Firewall to Share User Mapping Data with Other Firewalls
Since the connection between the firewall and the redistribution firewall uses SSL, make sure the SSL certificate used by the firewall has not expired. Capture the handshake on the management port, or on the dataplane port if a service route is used, and expand the client certificate packet to find its validity period: How To Packet Capture (tcpdump) On Management Interface
Check the User-ID logs on the firewall to see if any errors are showing up:
admin@PA> tail follow yes mp-log useridd.log
..Error: __pan_print_msg(pan_sys.c:963): Failed to connect to 10.129.80.47(10.129.80.47):5007
..Error: __pan_print_msg(pan_sys.c:963): Failed to connectto 10.129.80.47(5007): Internal Error
..Error: pan_ssl_conn_open(pan_ssl_utils.c:383):pan_tcp_sock_open() failed
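The following is an added triage helper, not Palo Alto Networks code. It parses text copied from `show user user-id-agent state all` and lines copied from `mp-log useridd.log`, and for each agent that is not connected reports whether the failure is at the TCP layer (the socket never opened, as in the log above) or at the SSL step, mapping each case to the checklist items above. The sample state block and log lines are constructed to match the article's output; Agent2, the 'ssl' keyword match and the check texts are assumptions of this example.

```python
"""Triage helper for the User-ID agent 'not-conn' status (added example, not vendor code)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the CLI output in the article; Agent2 is invented.
SAMPLE_STATE = """\
Agent: Agent1(vsys: vsys1) Host: 10.129.80.47:5007
Status : not-conn:idle
Version : 0x0
num of connection tried : 13
num of connection succeeded : 0
Agent: Agent2(vsys: vsys1) Host: 10.129.80.48:5007
Status : conn:idle
Version : 0x6
num of connection tried : 1
num of connection succeeded : 1
"""

# Constructed sample log lines modelled on the useridd.log excerpt in the article.
SAMPLE_LOG = [
    "Error: __pan_print_msg(pan_sys.c:963): Failed to connect to 10.129.80.47(10.129.80.47):5007",
    "Error: __pan_print_msg(pan_sys.c:963): Failed to connectto 10.129.80.47(5007): Internal Error",
    "Error: pan_ssl_conn_open(pan_ssl_utils.c:383):pan_tcp_sock_open() failed",
]

AGENT_RE = re.compile(r"Agent:\s*(\S+)\(vsys:\s*(\S+)\)\s*Host:\s*([\d.]+):(\d+)")
FIELD_RE = re.compile(r"^(Status|num of connection tried|num of connection succeeded)\s*:\s*(\S+)")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Checklist items per failure layer, paraphrased from the article (assumed mapping).
CHECKS = {
    "tcp": [
        "agent installed and listening on the port (User-ID Agent Setup Tips)",
        "service route and path to the agent; port not blocked in between",
        "redistribution firewall reachable and its policies allow the service",
    ],
    "ssl": ["firewall SSL certificate not expired (capture the handshake and check validity)"],
    "unknown": ["review mp-log useridd.log for errors"],
}


@dataclass
class AgentState:
    name: str
    vsys: str
    host: str
    port: int
    status: str = ""
    tried: int = 0
    succeeded: int = 0

    @property
    def connected(self):
        # Status is "<state>:<activity>", e.g. "not-conn:idle" or "conn:idle".
        return self.status.split(":")[0] == "conn"


def parse_state(text):
    """Parse the per-agent blocks of `show user user-id-agent state all`."""
    agents, current = [], None
    for line in text.splitlines():
        m = AGENT_RE.search(line)
        if m:
            current = AgentState(m.group(1), m.group(2), m.group(3), int(m.group(4)))
            agents.append(current)
            continue
        m = FIELD_RE.match(line.strip())
        if m and current is not None:
            key, value = m.groups()
            if key == "Status":
                current.status = value
            elif key == "num of connection tried":
                current.tried = int(value)
            else:
                current.succeeded = int(value)
    return agents


def failure_layer(log_lines, host):
    """Return 'tcp', 'ssl' or 'unknown' for the log lines attributable to one agent host.

    Lines without an IP are attributed to the most recently mentioned host, since the
    pan_tcp_sock_open() line in the article carries no address of its own.
    'ssl' is an assumed keyword match; the article only shows TCP-level failures.
    """
    layer, last_host = "unknown", None
    for line in log_lines:
        m = IPV4_RE.search(line)
        if m:
            last_host = m.group(0)
        if last_host != host:
            continue
        if "pan_tcp_sock_open() failed" in line or "Failed to connect" in line:
            return "tcp"  # socket never opened: reachability, filtering, or agent not listening
        if "ssl" in line.lower() or "certificate" in line.lower():
            layer = "ssl"
    return layer


def triage(state_text, log_lines):
    """Return one finding per non-connected agent with the checks to work through."""
    findings = []
    for agent in parse_state(state_text):
        if agent.connected:
            continue
        layer = failure_layer(log_lines, agent.host)
        findings.append({
            "agent": agent.name,
            "target": f"{agent.host}:{agent.port}",
            "attempts": f"{agent.succeeded}/{agent.tried} succeeded",
            "layer": layer,
            "checks": ["passive HA member: not-conn is expected"] + CHECKS[layer],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_STATE, SAMPLE_LOG):
        print(finding["agent"], finding["target"], finding["layer"], finding["attempts"])
        for check in finding["checks"]:
            print("  -", check)
```

Paste the real CLI output and log lines into `SAMPLE_STATE` and `SAMPLE_LOG` to run it against a firewall; a 'tcp' result with zero successful connections points at the reachability and listening-port items, while only an 'ssl' result justifies pulling the handshake capture to check the certificate.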