Troubleshooting User-ID cache timeout

26375
Created On 03/23/21 14:00 PM - Last Modified 06/12/23 13:58 PM


Symptom


Users lose connectivity because their traffic no longer matches the security policies configured for their specific user accounts. The traffic logs show that the traffic initially matched the correct policies and the Source User field was populated; after some time, the traffic started to hit the wrong policies and the Source User field was blank.

Cause


This is most likely caused by the User-ID cache timeout: the cached IP-to-User mapping reaches its timeout value before a new User-ID event generates a fresh mapping, so the firewall no longer holds an IP-to-User mapping for that user's address.

Resolution


When an IP-to-User mapping is generated, it carries a timeout value, which is visible under Monitor Tab > Logs > User ID in the web UI.


This timeout dictates how long the mapping stays in the cache before it is removed; the timer is reset whenever a new User-ID event for that IP is processed. You can view the current TTL of IP-to-User mapping entries with these CLI commands:
show user ip-user-mapping all
show user ip-user-mapping ip <ip>

Please find below some sample outputs:
   (sample CLI output shown as an image in the original article)

To trace the issue down to the cache timer:

1. Two logs need to be filtered by the user's source IP:
  • Monitor Tab > Logs > Traffic
  • Monitor Tab > Logs > User ID
2. In the traffic logs, find the first entry where the user started to hit the unintended rule. In most environments this would be seen as a policy-deny log entry for the interzone-default rule, or a manually configured catch-all deny rule. You would also see this as the first entry where the Source User field starts to be blank.

3. Note the time the log was generated, then move on to the User ID logs.
  • Find the last entry for that user's IP address before the issue occurred
  • Note the time of that entry and add that entry's timeout to it.
4. Compare the result with the time of the traffic log noted in step 3. If the result is earlier than (or equal to) the traffic log's time, the IP-to-User mapping timed out as expected, and the cache timeout needs to be adjusted so that it is longer than the interval between the events that refresh the mapping.


For example:
  • In the traffic log, the first entry with a blank Source User was 03/23 06:37:19.
  • In the User ID log, the last entry for that IP before the issue was at 03/23 06:32:18 with a timeout of 300 (5 minutes).
06:32:18 + 5 min = 06:37:18 is the expected time at which the IP-to-User mapping's cache TTL reached 0 and the entry was removed. This is 1 second before the Source User field went blank in the traffic logs, which confirms that the mapping expired.
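The four-step correlation above is mechanical enough to script. The following is an added example, not code from the original article or from Palo Alto Networks: it takes the two logs for one source IP, finds the first traffic entry with a blank Source User, locates the last User-ID event before it, adds that event's timeout, and reports whether the mapping had already expired. The log lines are constructed sample data in a simplified CSV shape (time, ip, user, timeout and time, src_ip, src_user, rule), not a real PAN-OS export; a real CSV export would need the column names mapped accordingly. It also reports the largest gap between consecutive User-ID events for the IP, which is the number the cache timeout has to exceed.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

TS_FMT = "%Y/%m/%d %H:%M:%S"


class UserIdEvent(NamedTuple):
    time: datetime
    ip: str
    user: str
    timeout_s: int      # the Timeout column of the User-ID log, in seconds


class TrafficEntry(NamedTuple):
    time: datetime
    src_ip: str
    src_user: str       # "" when the Source User column is blank
    rule: str


# Constructed sample data, not real PAN-OS log exports. Simplified CSV in the
# order  time,ip,user,timeout  (User-ID log) and  time,src_ip,src_user,rule
# (traffic log). The timestamps mirror the worked example in the article.
USERID_LOG = r"""2021/03/23 06:20:10,10.1.10.25,acme\jdoe,300
2021/03/23 06:32:18,10.1.10.25,acme\jdoe,300
2021/03/23 06:40:02,10.1.10.25,acme\jdoe,300"""

TRAFFIC_LOG = r"""2021/03/23 06:33:05,10.1.10.25,acme\jdoe,allow-finance
2021/03/23 06:36:40,10.1.10.25,acme\jdoe,allow-finance
2021/03/23 06:37:19,10.1.10.25,,interzone-default
2021/03/23 06:37:50,10.1.10.25,,interzone-default
2021/03/23 06:41:00,10.1.10.25,acme\jdoe,allow-finance"""


def parse_userid_log(text: str) -> List[UserIdEvent]:
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, timeout = line.split(",")
        events.append(UserIdEvent(datetime.strptime(ts, TS_FMT), ip, user, int(timeout)))
    return events


def parse_traffic_log(text: str) -> List[TrafficEntry]:
    entries = []
    for line in text.strip().splitlines():
        ts, ip, user, rule = line.split(",")
        entries.append(TrafficEntry(datetime.strptime(ts, TS_FMT), ip, user, rule))
    return entries


def first_blank_user_entry(traffic: List[TrafficEntry], ip: str) -> Optional[TrafficEntry]:
    """Step 2: the first traffic entry for this source IP with no Source User."""
    for e in sorted(traffic, key=lambda e: e.time):
        if e.src_ip == ip and not e.src_user:
            return e
    return None


def last_mapping_before(events: List[UserIdEvent], ip: str, when: datetime) -> Optional[UserIdEvent]:
    """Step 3: the last User-ID event for this IP at or before the given time."""
    earlier = [e for e in events if e.ip == ip and e.time <= when]
    return max(earlier, key=lambda e: e.time) if earlier else None


def largest_mapping_gap_s(events: List[UserIdEvent], ip: str) -> Optional[float]:
    """Longest interval between consecutive User-ID events for this IP; the
    cache timeout must be larger than this for the mapping never to expire."""
    times = sorted(e.time for e in events if e.ip == ip)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) if gaps else None


def analyze(userid_text: str, traffic_text: str, ip: str) -> dict:
    """Steps 1-4 of the procedure for one source IP."""
    traffic = parse_traffic_log(traffic_text)
    events = parse_userid_log(userid_text)
    blank = first_blank_user_entry(traffic, ip)
    if blank is None:
        return {"ip": ip, "verdict": "no traffic entries with a blank Source User"}
    last = last_mapping_before(events, ip, blank.time)
    if last is None:
        return {"ip": ip, "verdict": "no User-ID event for this IP before the blank entry"}
    expiry = last.time + timedelta(seconds=last.timeout_s)
    expired = expiry <= blank.time     # step 4: expiry not later than the traffic entry
    return {
        "ip": ip,
        "first_blank_traffic": blank.time.strftime(TS_FMT),
        "hit_rule": blank.rule,
        "last_mapping": last.time.strftime(TS_FMT),
        "timeout_s": last.timeout_s,
        "expected_expiry": expiry.strftime(TS_FMT),
        "expired_before_traffic": expired,
        "seconds_between": (blank.time - expiry).total_seconds(),
        "largest_mapping_gap_s": largest_mapping_gap_s(events, ip),
        "verdict": ("mapping expired before the traffic entry: the cache timeout is "
                    "shorter than the interval between mapping events" if expired
                    else "mapping should still have been cached; the cause is elsewhere"),
    }


if __name__ == "__main__":
    for key, value in analyze(USERID_LOG, TRAFFIC_LOG, "10.1.10.25").items():
        print(f"{key:24} {value}")
```

On the constructed data the script reproduces the article's arithmetic (expected expiry 06:37:18, one second before the blank entry at 06:37:19) and shows the largest gap between mapping events for that IP as 728 seconds against a 300-second timeout, which is the comparison that decides how far the timeout has to be raised.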
 
In conclusion:

The cause of the issue in this case is that the events which generate an IP-to-User mapping occur less frequently than the cache timeout, so the mapping expires before it is refreshed.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Uu5CAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail