Collector Failed to Accept SSL Connect from Client, Client user-id Log shows SSL Error
Symptom
Resolution
Please refer to the document below for configuring a Palo Alto Networks firewall as a Collector that redistributes its user-to-IP mappings to client firewalls:
How to configure Palo Alto Networks Firewall as a Collector
If the UID agent still shows as not connected under the Device > User Identification tab after the configuration has been done correctly, check the User-ID logs.
These logs are from the client firewall:
PA-3020-FW-(active)> tail follow yes mp-log useridd.log
2016-03-07 14:18:52.170 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
2016-03-07 14:18:57.235 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(5)
2016-03-07 14:19:02.298 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
2016-03-07 14:19:07.360 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(0)
2016-03-07 14:19:09.544 -0600 Error: pan_ip_probe_update_result(pan_user_id_win.c:207): failed to remove mapping 10.204.15.13 - unigroupinc\tacc1
These logs are from the Collector firewall:
PA-500-FW> tail follow yes mp-log useridd.log
Failed to accept ssl connect from 10.1.2.1
2016-03-07 14:30:01.317 -0600 Error: pan_user_id_client_proc(pan_user_id_client.c:2591): pan_user_id_client_accept() failed
2016-03-07 14:30:06.471 -0600 Error: pan_ssl_conn_accept(pan_ssl_utils.c:794): Failed to accept ssl connect from 10.1.2.1
The agent reports that it failed to connect to the collector because of an SSL error, and the collector reports that it failed to accept the SSL connection from that client.
The likely cause is that the updated certificate is not present on the firewall, which makes the User-ID communication between the two devices fail.
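To spot this failure pattern in bulk rather than by eye, the following added example (not part of the original article) parses useridd.log lines of the format shown above and correlates the client-side connect failures with the collector-side accept failures per peer. The field layout of the log lines and the sample entries are taken from the excerpts on this page; the regexes and the alert threshold are assumptions.

```python
import re
from collections import defaultdict

# Field layout of the useridd.log lines quoted in this article (assumed from those samples).
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) [+-]\d{4} (?P<level>\w+): (?P<func>\w+)\([\w.]+:\d+\): (?P<msg>.*)$")
# Client side: the UID agent could not open the SSL session to the collector.
CONNECT_RE = re.compile(r"Failed to Connect to (?P<peer>[\d.]+)\(source: [\d.]+\), SSL error: (?P<err>\S+)")
# Collector side: the listener rejected the client's SSL handshake.
ACCEPT_RE = re.compile(r"Failed to accept ssl connect from (?P<peer>[\d.]+)")

def parse_line(line):
    """Split one useridd.log line into ts/level/func/msg; None for fragments."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def ssl_failures(lines, threshold=3):
    """Count SSL connect (client) / accept (collector) failures per peer.
    Peers below `threshold` are dropped so one transient reconnect does not
    alert; the client log on this page fails against the same peer every 5 s."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "err": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "Error":
            continue
        if cm := CONNECT_RE.search(rec["msg"]):
            key, err = ("connect", cm["peer"]), cm["err"]
        elif am := ACCEPT_RE.search(rec["msg"]):
            key, err = ("accept", am["peer"]), None
        else:
            continue  # e.g. 'failed to remove mapping' is not an SSL failure
        ent = seen[key]
        ent["count"] += 1
        ent["first"] = ent["first"] or rec["ts"]
        ent["last"] = rec["ts"]
        ent["err"] = err  # error:00000000 = OpenSSL queued no detail; pair with the collector log
    return {k: v for k, v in seen.items() if v["count"] >= threshold}

# Constructed samples copied from the log excerpts on this page (truncated fragments dropped).
CLIENT_LOG = [
    "2016-03-07 14:18:52.170 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(0)",
    "2016-03-07 14:18:57.235 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(5)",
    "2016-03-07 14:19:02.298 -0600 Error: pan_ssl_conn_open(pan_ssl_utils.c:694): Error: Failed to Connect to 10.1.2.1(source: 10.1.1.1), SSL error: error:00000000:lib(0):func(0):reason(0)(0)",
    r"2016-03-07 14:19:09.544 -0600 Error: pan_ip_probe_update_result(pan_user_id_win.c:207): failed to remove mapping 10.204.15.13 - unigroupinc\tacc1",
]
COLLECTOR_LOG = [
    "2016-03-07 14:30:01.317 -0600 Error: pan_user_id_client_proc(pan_user_id_client.c:2591): pan_user_id_client_accept() failed",
    "2016-03-07 14:30:06.471 -0600 Error: pan_ssl_conn_accept(pan_ssl_utils.c:794): Failed to accept ssl connect from 10.1.2.1",
]
```

When the same peer address appears under both "connect" (on the client) and "accept" (on the collector), the handshake itself is failing and the certificate check in the next section is the place to start.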
Solution 1:
Install App and Threat content version 550 or later.
If it is already installed, reinstall the App and Threat content version. If that does not address the issue, proceed to Solution 2.
Solution 2:
Restart the User-ID daemon, which will resolve the issue:
PA-3020-FW-(active)> debug software restart process user-id
The User-ID agent will now show as connected, and the client will learn the user-to-IP mappings from the Collector firewall.
Run the command below on the client to see all the mappings the collector has redistributed to it, and on the collector to check the mappings learned via UIA:
admin@PA-2> show user ip-user-mapping all
IP Vsys From User
--------- ------ ------ -------------- --------------
192.168.11.1 vsys1 UIA Palotest
Thank You