Email Alerts Sent From Deleted User-ID Agent

Created On 09/26/18 13:52 PM - Last Modified 06/13/23 04:32 AM


Issue

Email alerts are being sent from a deleted User-ID Agent.

The following is a sample email alert:

domain: 1
receive_time: 2014/01/11 17:05:39
serial: XXXXXXXXXXXX
seqno: 436039
actionflags: 0x0
type: SYSTEM
subtype: userid
config_ver: 0
time_generated: 2014/01/11 17:05:39
vsys:
eventid: connect-agent-failure
object:
fmt: 0
id: 0
module: general
severity: high
opaque: User-ID-Agent UID Agent on SERVER1(vsys1): Error: Failed to connect to User-ID-Agent at server1.example.local(192.168.1.16):5007

Resolution

The issue can occur if the User-ID Agent process is using a cached configuration.

Follow the steps below to resolve the issue:

  1. Re-configure the same userid-agent at Device > User Identification > User-ID Agents
  2. Enable and commit
    1. Go to Device > User Identification > User-ID Agents
    2. Choose the agent, then enable it
    3. Commit
  3. Check if the system email alerts have stopped
  4. Disable the User-ID Agent and commit
    1. Go to Device > User Identification > User-ID Agents
    2. Choose the agent, then disable it
    3. Commit
  5. Check for system email alerts
  6. Delete the User-ID Agent from the Palo Alto Networks firewall configuration (if needed).
    1. Go to Device > User Identification > User-ID Agents
    2. Delete the agent
    3. Commit
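
The checks in steps 3 and 5 can be scripted against saved alert bodies. The Python below is an added example, not Palo Alto Networks code: it parses the alert format shown in the sample above and reports connect-agent-failure alerts generated after a commit for an endpoint that is no longer configured. The configured-endpoint set, the commit time and the second sample alert are constructed assumptions.

```python
import re
from datetime import datetime

# Shape of the "opaque" field, taken from the sample alert on this page.
OPAQUE_RE = re.compile(
    r"Failed to connect to User-ID-Agent at "
    r"(?P<host>[^\s(]+)\((?P<ip>[^)]+)\):(?P<port>\d+)"
)

def parse_alert(body):
    """Parse one 'key: value' alert body into a dict; blank lines are ignored."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def stale_agent_alerts(bodies, configured, committed_at):
    """Return (time, host, ip, port) for each connect-agent-failure alert that
    was generated after committed_at for an endpoint not in `configured`."""
    hits = []
    for body in bodies:
        f = parse_alert(body)
        if f.get("subtype") != "userid" or f.get("eventid") != "connect-agent-failure":
            continue
        m = OPAQUE_RE.search(f.get("opaque", ""))
        if not m or "time_generated" not in f:
            continue
        when = datetime.strptime(f["time_generated"], "%Y/%m/%d %H:%M:%S")
        endpoint = (m["ip"], int(m["port"]))
        if when > committed_at and endpoint not in configured:
            hits.append((when, m["host"], *endpoint))
    return hits

# Constructed input: the alert from this page (trimmed), then one for an agent
# that is still configured (its host, address and time are made up).
SAMPLE_ALERTS = [
    "type: SYSTEM\n\nsubtype: userid\n\ntime_generated: 2014/01/11 17:05:39\n\n"
    "vsys:\n\neventid: connect-agent-failure\n\nseverity: high\n\n"
    "opaque: User-ID-Agent UID Agent on SERVER1(vsys1): Error: Failed to connect "
    "to User-ID-Agent at server1.example.local(192.168.1.16):5007",
    "type: SYSTEM\nsubtype: userid\ntime_generated: 2014/01/11 17:06:10\n"
    "eventid: connect-agent-failure\n"
    "opaque: User-ID-Agent UID Agent on SERVER2(vsys1): Error: Failed to connect "
    "to User-ID-Agent at server2.example.local(192.168.1.17):5007",
]
CONFIGURED = {("192.168.1.17", 5007)}  # assumed: agents still in the config

if __name__ == "__main__":
    for hit in stale_agent_alerts(SAMPLE_ALERTS, CONFIGURED, datetime(2014, 1, 11, 17, 0)):
        print("alert from unconfigured agent:", *hit)
```

An empty result after the commit in step 2 or step 4 means the alerts from the deleted agent have stopped.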

owner: jlunario


