How to troubleshoot connection failure to User-ID agent

Created On 08/10/22 18:51 PM - Last Modified 02/09/24 21:39 PM


Objective


Troubleshooting connection failure between firewall and User-ID agent on PAN-OS 10.0 and above.

Environment


  • Palo Alto Firewall
  • User-ID Agent
  • PAN-OS 10.0 and above


Procedure


  1. Determine which User-ID agent is disconnected:
    1. For a User-ID agent using protocol Version 5 (Windows User-ID agent or firewall running 9.1 or earlier), use the CLI:
      show user user-id-agent statistics
    2. For a User-ID agent using protocol Version 6 (firewall running 10.0 or later), use the CLI:
      show redistribution agent statistics
    In the UI, go to Device > Data Redistribution > Agents and check the Connected column.
  2. Check further details with regard to the disconnected User-ID agent:
    1. For User-ID agent Version 5 (Windows User-ID agent or firewall running 9.1 or earlier), use the CLI:
      show user user-id-agent state <user-id-agent name>
    2. For User-ID agent Version 6 (firewall running 10.0 or later), use the CLI:
      show redistribution agent state <user-id-agent name>
  3. Check the service route from the firewall to the User-ID agent: Device > Setup > Services > Service Route Configuration > UID Agent
  4. For the Management (aka Default) UID Agent service route, look under Device > Setup > Interface > Management > Network Services: if permitted IP addresses are configured, check that the User-ID agent addresses are included in that list, and if you want your firewall to act as a User-ID agent for other firewalls, check that the User-ID check box is selected. Similar checks can be done under Network > Network Profiles > Interface Mgmt for a dataplane UID Agent service route.
  5. Check the logs under Monitor > System using the filter ( subtype eq userid ), and also use the CLI:
    show log system direction equal backward subtype equal userid

    Example output from the above command (the time of the event is omitted):
    Severity Subtype Object EventID ID Description
    ============================================================
    high userid connect 0 Redistribution Agent My-UIA(vsys1):details:close connection to agent
  6. Check logs from the CLI:
    1. For User-ID agent Version 5 (Windows User-ID agent or firewall running 9.1 or earlier), use the CLI:
      less mp-log useridd.log
    2. For User-ID agent Version 6 (firewall running 10.0 or later), use the CLI:
      less mp-log distributord.log
  7. Check reachability from the firewall to the User-ID agent:
    1. For a User-ID agent connection via the firewall management interface, use the CLI:
      ping host <IP address of the User-ID Agent>
    2. For a User-ID agent connection via the firewall dataplane, use the CLI:
      ping source <IP address of the dataplane interface> host <IP address of User-ID Agent>
  8. Check the TCP handshake between the firewall and the User-ID agent:
    1. From the firewall side:
      show netstat numeric-hosts yes numeric-ports yes | match <IP address of the User-ID agent>
    2. From the Windows server side:
      netstat -na | findstr 5007
      netstat -na | findstr <IP address of the ethernet interface connected to the firewall>
      Check whether the Windows server is listening on port 5007.
  9. Check the SSL handshake between the firewall and the User-ID agent:
    1. For a User-ID agent connection via the firewall management interface, use the CLI:
      tcpdump filter host <IP address of the User-ID Agent> snaplen 0
      view-pcap mgmt-pcap mgmt.pcap
    2. For a User-ID agent connection via the firewall dataplane, use the CLI and set a packet capture on the firewall (see Getting Started: Packet Capture).
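
The reachability, TCP handshake and SSL handshake checks above can be cross-checked from a host that sits on the same network path to the agent. The following Python script is an added example, not part of the original article or of any Palo Alto Networks tooling; the function name probe_agent and the stage labels it returns are assumptions made for illustration, and 5007 is the port the article checks on the Windows server.

```python
import hashlib
import socket
import ssl
import sys


def probe_agent(host, port=5007, timeout=5.0):
    """Return (stage, detail) naming the first stage at which the connection stops."""
    # Stage 1: TCP three-way handshake to the agent's listening port.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("tcp_refused", "connection rejected: nothing is listening on the port")
    except socket.timeout:
        return ("tcp_timeout", "no reply: check routing and filtering on the path")
    except OSError as exc:
        return ("tcp_error", str(exc))

    # Stage 2: TLS handshake. Certificate verification is switched off on
    # purpose: this probe only reports what the agent presents and sends no data.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            fingerprint = hashlib.sha256(der).hexdigest() if der else "none"
            return ("tls_ok", f"{tls.version()}, cert sha256 {fingerprint}")
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", f"TCP connected, TLS handshake failed: {exc}")
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python probe_agent.py <IP address of the User-ID agent> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5007
    stage, detail = probe_agent(target, target_port)
    print(f"{target}:{target_port} -> {stage}: {detail}")
```

The result describes the path from the probing host only; the firewall's own path still depends on its service route and permitted IP address settings, so confirm with the firewall-side commands above.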


Additional Information


  • This article can also be used to troubleshoot connection failure to Data Redistribution agent.
  • This article assumes that the configuration has been checked on the client firewall and on the User-ID agent (a Windows User-ID agent, or a firewall acting as a User-ID agent, also known as a Data Redistribution agent).

Configure the Windows User-ID Agent for User Mapping
Device > User Identification > Connection Security
Configure Data Redistribution


