Collector Failed to Accept SSL Connect from Client, Client user-id Log shows SSL Error

59349
Created On 09/25/18 19:49 PM - Last Modified 06/10/23 00:54 AM


Symptom


Configured one Palo Alto Networks firewall as a collector and the other as a client, but the User-ID agent is not showing as connected on the client firewall.


Confirmed that the configuration was correct; an expired SSL certificate may cause the User-ID communication failure.

Diagnosis

The SSL certificate present on the firewall has expired, which may cause User-ID communication to fail during transfer of user-to-IP mappings from one firewall to the other.



Resolution


Please refer to the document below for configuring a Palo Alto Networks firewall as a collector that redistributes user-to-IP mappings to its clients:

 

How to configure Palo Alto Networks Firewall as a Collector

 

If the User-ID agent shows as not connected under the Device > User Identification tab after the configuration has been done correctly,

 


 

then check the User-ID logs.

 

These logs are from the client firewall:


PA-3020-FW-(active)> tail follow yes mp-log useridd.log
2016-03-07 14:18:52.170 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
2016-03-07 14:18:57.235 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(5)
2016-03-07 14:19:02.298 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
2016-03-07 14:19:07.360 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
2016-03-07 14:19:09.544 -0600 Error: pan_ip_probe_update_result(pan_user_id_win.c:207): failed to remove mapping 10.204.15.13 - unigroupinc\tacc1
2016-0

 

These logs are from the collector firewall:

 

PA-500-FW> tail follow yes mp-log useridd.log
Failed to accept ssl connect from 10.1.2.1
2016-03-07 14:30:01.317 -0600 Error: pan_user_id_client_proc(pan_user_id_client.c:2591): pan_user_id_client_accept() failed
2016-03-07 14:30:06.471 -0600 Error: pan_ssl_conn_accept(pan_ssl_utils.c:794): Failed to accept ssl connect from 10.1.2.1
2016-03-07 14:30:06

 

The client is reporting that it failed to connect to the collector due to an SSL error, and the collector is reporting that it failed to accept the SSL connection.

 

The issue is likely that the updated certificate is not present on the firewall, causing the User-ID communication failure.
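The two log excerpts above only tell the story when read together: the client sees a failed SSL connect and the collector sees a failed SSL accept for the same peer, which points at the TLS handshake rather than at routing or the User-ID configuration. The script below is an added example, not part of the article or of PAN-OS; it parses useridd.log lines in the format shown above, pairs the client-side connect failures with the collector-side accept failures, and measures the retry interval. The log lines and the IP addresses (10.0.0.10 client, 10.0.0.20 collector) are constructed for the example.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Shape of a useridd.log error line: timestamp, UTC offset, "Error:", function(file:line): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[+-]\d{4}) "
    r"Error: (?P<func>\w+)\((?P<file>[\w.]+):(?P<line>\d+)\): (?P<msg>.*)$"
)
# Client side: outbound SSL connect to the collector failed
CONNECT_RE = re.compile(
    r"Failed to Connect to (?P<peer>[\d.]+)\(source: (?P<src>[\d.]+)\), SSL error: (?P<err>\S+)"
)
# Collector side: inbound SSL accept from a client failed
ACCEPT_RE = re.compile(r"Failed to accept ssl connect from (?P<peer>[\d.]+)")

# Constructed sample logs (not real output); the last client line is a truncated tail, as in the article.
CLIENT_LOG = r"""2024-01-15 10:00:00.100 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.0.0.20(source: 10.0.0.10), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
2024-01-15 10:00:05.160 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.0.0.20(source: 10.0.0.10), SSL error: error:00000000:lib(0):func(0):reason(0)(5)
2024-01-15 10:00:10.220 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.0.0.20(source: 10.0.0.10), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
2024-01-15 10:00:12.500 -0600 Error: pan_ip_probe_update_result(pan_user_id_win.c:207): failed to remove mapping 10.0.5.13 - example\user1
2024-0"""

COLLECTOR_LOG = r"""2024-01-15 10:00:00.110 -0600 Error: pan_user_id_client_proc(pan_user_id_client.c:2591): pan_user_id_client_accept() failed
2024-01-15 10:00:05.170 -0600 Error: pan_ssl_conn_accept(pan_ssl_utils.c:794): Failed to accept ssl connect from 10.0.0.10
2024-01-15 10:00:10.230 -0600 Error: pan_ssl_conn_accept(pan_ssl_utils.c:794): Failed to accept ssl connect from 10.0.0.10"""


def parse_useridd(text):
    """Turn useridd.log text into event dicts; lines that do not parse (e.g. a cut-off tail) are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Error: "):          # client lines carry a second "Error:" prefix
            msg = msg[len("Error: "):]
        ev = {
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "func": m.group("func"),
            "msg": msg,
            "kind": "other",
        }
        c = CONNECT_RE.search(msg)
        a = ACCEPT_RE.search(msg)
        if c:
            # An all-zero OpenSSL code (lib/func/reason 0) means the error queue was empty:
            # the peer closed the handshake without a recorded reason, so the client log
            # alone cannot explain the failure and the collector log must be read too.
            ev.update(kind="ssl_connect_failed", peer=c.group("peer"),
                      src=c.group("src"), ssl_error=c.group("err"))
        elif a:
            ev.update(kind="ssl_accept_failed", peer=a.group("peer"))
        events.append(ev)
    return events


def diagnose(client_text, collector_text):
    """Correlate client connect failures with collector accept failures."""
    connects = [e for e in parse_useridd(client_text) if e["kind"] == "ssl_connect_failed"]
    accepts = [e for e in parse_useridd(collector_text) if e["kind"] == "ssl_accept_failed"]
    targets = Counter(e["peer"] for e in connects)     # collectors the client could not reach
    rejected = Counter(e["peer"] for e in accepts)     # clients the collector could not accept
    # Both sides corroborate each other when the client's source address is the one being rejected.
    corroborated = bool({e["src"] for e in connects} & set(rejected))
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(connects, connects[1:])]
    return {
        "client_connect_failures": len(connects),
        "collector_accept_failures": len(accepts),
        "collector_targets": dict(targets),
        "rejected_clients": dict(rejected),
        "corroborated_handshake_failure": corroborated,
        "retry_interval_s": statistics.median(gaps) if gaps else None,
        "ssl_errors": sorted({e["ssl_error"] for e in connects}),
    }


if __name__ == "__main__":
    for k, v in diagnose(CLIENT_LOG, COLLECTOR_LOG).items():
        print(f"{k}: {v}")
```

A `corroborated_handshake_failure` of true with a steady retry interval is the pattern from this article: the daemon keeps retrying on schedule and the peer keeps refusing, which is what an invalid certificate looks like from the outside. Feed it `tail mp-log useridd.log` output from both firewalls and compare the result before and after applying Solution 1 or 2.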

Solution 1:

 

Install any App and Threat content version 550 or later.

 

If it is already installed, try reinstalling the App and Threat content version. If that does not address the issue, proceed to Solution 2.

 

Solution 2:

 

Restart the User-ID daemon, which will certainly address the issue:

 

PA-3020-FW-(active)> debug software restart process user-id

 

The User-ID agent will now show as connected, and the client will learn the user-to-IP mappings from the collector firewall.

 

Run the command below on the client to see all the mappings that the collector has redistributed to the client.

 

Run the same command on the collector and check the mappings learned via UIA.

 

admin@PA-2> show user ip-user-mapping all

IP                    Vsys  From       User
--------- ------ ------ -------------- --------------
192.168.11.1   vsys1  UIA    Palotest
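Once the daemon is back up, the check that matters is whether every mapping the collector holds has actually arrived on the client with `From` equal to `UIA`. The script below is an added example, not part of the article or of PAN-OS; it parses `show user ip-user-mapping all` output in the four-column layout shown above and lists the collector mappings the client has not yet learned. Both tables, the hostnames and the users are constructed for the example.

```python
import ipaddress

# Constructed sample output from the client (mappings learned via UIA) and the collector.
CLIENT_TABLE = r"""admin@PA-2> show user ip-user-mapping all

IP                    Vsys  From       User
--------- ------ ------ -------------- --------------
192.168.11.1   vsys1  UIA    example\alice
192.168.11.2   vsys1  UIA    example\bob
192.168.11.3   vsys1  AD     example\carol
"""

COLLECTOR_TABLE = r"""admin@PA-1> show user ip-user-mapping all

IP                    Vsys  From       User
--------- ------ ------ -------------- --------------
192.168.11.1   vsys1  AD     example\alice
192.168.11.2   vsys1  AD     example\bob
192.168.11.4   vsys1  AD     example\dave
"""


def parse_mapping_table(text):
    """Return one dict per mapping row; the prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # prompt, blank line, separator
        ip, vsys, source, user = parts
        try:
            ipaddress.ip_address(ip)      # the header row has "IP" here and is rejected
        except ValueError:
            continue
        rows.append({"ip": ip, "vsys": vsys, "from": source, "user": user})
    return rows


def mappings_by_source(rows):
    """Count mappings per source (UIA, AD, ...) so a missing UIA column is obvious at a glance."""
    counts = {}
    for r in rows:
        counts[r["from"]] = counts.get(r["from"], 0) + 1
    return counts


def missing_redistributed(collector_rows, client_rows):
    """(ip, user) pairs the collector holds that the client has not learned via UIA."""
    learned = {(r["ip"], r["user"]) for r in client_rows if r["from"] == "UIA"}
    return sorted((r["ip"], r["user"]) for r in collector_rows
                  if (r["ip"], r["user"]) not in learned)


if __name__ == "__main__":
    client = parse_mapping_table(CLIENT_TABLE)
    collector = parse_mapping_table(COLLECTOR_TABLE)
    print("client mappings by source:", mappings_by_source(client))
    print("not yet redistributed:", missing_redistributed(collector, client))
```

An empty result from `missing_redistributed` confirms that redistribution is working again; a non-empty one right after the restart usually just means the collector has not pushed the latest entries yet, so re-run it after a short wait before treating it as a new problem.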

 

Thank You
