How to troubleshoot connection failure to User-ID agent
40680
Created On 08/10/22 18:51 PM - Last Modified 02/09/24 21:39 PM
Objective
Troubleshooting a connection failure between the firewall and a User-ID agent on PAN-OS 10.0 and above.
Environment
- Palo Alto Firewall
- User-ID Agent
- PAN-OS 10.0 and above
Procedure
- Determine which User-ID agent is disconnected:
  - For a User-ID agent using protocol version 5 (Windows User-ID agent, or a firewall running 9.1 or earlier), use the CLI:
    show user user-id-agent statistics
  - For a User-ID agent using protocol version 6 (firewall running 10.0 or later), the CLI is:
    show redistribution agent statistics
  - Alternatively, in the UI go to Device > Data Redistribution > Agents and check the Connected column.
- Check further details for the disconnected User-ID agent:
  - For a User-ID agent using protocol version 5 (Windows User-ID agent, or a firewall running 9.1 or earlier), use the CLI:
    show user user-id-agent state <user-id-agent name>
  - For a User-ID agent using protocol version 6 (firewall running 10.0 or later), the CLI is:
    show redistribution agent state <user-id-agent name>
- Check the service route from the firewall to the User-ID agent: Device > Setup > Services > Service Route Configuration > UID Agent.
- For the Management (default) UID Agent service route, under Device > Setup > Interface > Management > Network Services: if Permitted IP Addresses is configured, check that the User-ID agent's address is included in that list, and if you want this firewall to act as a User-ID agent for other firewalls, check that the User-ID check box is selected. The same checks apply under Network > Network Profiles > Interface Mgmt for a dataplane UID Agent service route.
- Check the logs under Monitor > System using the filter ( subtype eq userid ), or use the CLI:
    show log system direction equal backward subtype equal userid
  Example output from the above command (time column omitted):
    Severity  Subtype  Object   EventID  ID  Description
    ============================================================
    high      userid   connect  0            Redistribution Agent My-UIA(vsys1):details:close connection to agent
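As an added example (not part of the original article and not Palo Alto Networks code), the following Python script parses system log lines in the layout shown above and counts "close connection to agent" events per redistribution agent, so that a long userid log can be summarised by agent name before digging into a specific one. The sample lines are constructed; the split of the Description column into agent name, vsys and detail is an assumption based on the single line the article shows.

```python
import re
from collections import Counter

# Constructed sample in the layout of
# "show log system direction equal backward subtype equal userid"
# (time column omitted, as in the article's example).
SAMPLE_USERID_LOG = """\
Severity Subtype Object EventID ID Description
============================================================
high userid connect 0 Redistribution Agent My-UIA(vsys1):details:close connection to agent
informational userid connect 0 Redistribution Agent My-UIA(vsys1):details:connected to agent
high userid connect 0 Redistribution Agent DC-Agent2(vsys1):details:close connection to agent
high userid connect 0 Redistribution Agent My-UIA(vsys1):details:close connection to agent
"""

# Severity, Subtype, Object and EventID are single tokens; the ID column is
# blank in the example, so everything after EventID is taken as Description.
ROW_RE = re.compile(
    r"^(?P<severity>\S+)\s+(?P<subtype>\S+)\s+(?P<object>\S+)\s+"
    r"(?P<eventid>\d+)\s+(?P<description>.+?)\s*$"
)
# Assumed structure of the Description column, based on the one line shown:
# "Redistribution Agent <name>(<vsys>):details:<detail>"
AGENT_RE = re.compile(
    r"Agent (?P<agent>[^(]+)\((?P<vsys>[^)]+)\):details:(?P<detail>.*)$"
)


def parse_userid_log(text):
    """Parse CLI output into a list of event dicts, skipping header lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=") or line.startswith("Severity"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # unrecognised layout: skip rather than guess
        ev = m.groupdict()
        a = AGENT_RE.search(ev["description"])
        ev["agent"] = a.group("agent") if a else None
        ev["vsys"] = a.group("vsys") if a else None
        ev["detail"] = a.group("detail") if a else ev["description"]
        events.append(ev)
    return events


def disconnect_counts(events):
    """Count 'close connection to agent' events per agent name."""
    counts = Counter()
    for ev in events:
        if ev["subtype"] == "userid" and ev["detail"].startswith("close connection"):
            counts[ev["agent"]] += 1
    return counts


if __name__ == "__main__":
    summary = disconnect_counts(parse_userid_log(SAMPLE_USERID_LOG))
    for agent, n in summary.most_common():
        print(f"{agent}: {n} close-connection event(s)")
```

Feed it the saved output of the CLI command instead of the constructed sample; an agent that dominates the count is the one to take through the remaining steps below.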
- Check logs from the CLI:
  - For a User-ID agent using protocol version 5 (Windows User-ID agent, or a firewall running 9.1 or earlier), use the CLI:
    less mp-log useridd.log
  - For a User-ID agent using protocol version 6 (firewall running 10.0 or later), use the CLI:
    less mp-log distributord.log
- Check reachability from the firewall to the User-ID agent:
  - For a User-ID agent connection via the firewall management interface, use the CLI:
    ping host <IP address of the User-ID Agent>
  - For a User-ID agent connection via the firewall dataplane, use the CLI:
    ping source <IP address of the dataplane interface> host <IP address of User-ID Agent>
- Check the TCP handshake between the firewall and the User-ID agent:
  - From the firewall side:
    show netstat numeric-hosts yes numeric-ports yes | match <IP address of the User-ID agent>
  - From the Windows server side:
    netstat -na | findstr 5007
    netstat -na | findstr <IP address of the ethernet interface connected to the firewall>
    Check that the Windows server is listening on port 5007.
- Check the SSL handshake between the firewall and the User-ID agent:
  - For a User-ID agent connection via the firewall management interface, capture on the management interface and then view the capture from the CLI:
    tcpdump filter "host <IP address of the User-ID Agent>" snaplen 0
    view-pcap mgmt-pcap mgmt.pcap
  - For a User-ID agent connection via the firewall dataplane, set up a packet capture on the firewall (see Getting Started: Packet Capture).
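As an added example that is not from the article or from Palo Alto Networks, the following Python script runs the last two checks from a host that has network access to the agent (for instance an administration workstation): a TCP connect to port 5007 followed by a TLS handshake on the same socket. It reports separately whether each stage succeeded, which is the distinction the packet capture is meant to reveal: no TCP connect points at routing, the service route or a host firewall; TCP working but TLS failing points at the connection-security settings or certificates. Certificate verification is deliberately off because this is a reachability diagnostic, not a trust check. The local listener and the closed-port helper are constructed stand-ins so the script can be exercised without a real agent.

```python
import socket
import ssl
import threading

USERID_AGENT_PORT = 5007  # default User-ID agent listening port (from the article)


def check_agent_port(host, port=USERID_AGENT_PORT, timeout=3.0):
    """TCP connect, then TLS handshake, to the agent port.

    Returns a dict with 'tcp_connect' and 'tls_handshake' booleans and an
    'error' string prefixed by the stage that failed ("tcp:" or "tls:").
    """
    result = {"host": host, "port": port, "tcp_connect": False,
              "tls_handshake": False, "tls_version": None, "error": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp_connect"] = True

    # Diagnostic only: verification is disabled so a self-signed agent
    # certificate does not mask an otherwise working handshake.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket on an already-connected socket performs the handshake here.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls_handshake"] = True
            result["tls_version"] = tls.version()
    except OSError as exc:  # ssl.SSLError and socket.timeout are both OSError
        result["error"] = f"tls: {exc}"
        raw.close()
    return result


def start_local_listener():
    """Constructed stand-in for an agent that accepts TCP but speaks no TLS.

    Each accepted connection is closed immediately, so the TCP handshake
    completes while the TLS handshake fails. Returns (server_socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def _serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed
            conn.close()

    threading.Thread(target=_serve, daemon=True).start()
    return srv, port


def closed_port():
    """Return a local TCP port with no listener (constructed helper for tests)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_local_listener()
    print(check_agent_port("127.0.0.1", port, timeout=2.0))   # TCP ok, TLS fails
    print(check_agent_port("127.0.0.1", closed_port(), timeout=2.0))  # TCP fails
    srv.close()
```

Against a real agent, call check_agent_port with the agent's address and the default port; a result with tcp_connect true and tls_handshake false is the case where the capture from the firewall side is worth examining for the TLS alert the agent returns.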
Additional Information
- This article can also be used to troubleshoot connection failure to Data Redistribution agent.
- This article assumes that the configuration has already been checked on the client firewall and on the User-ID agent (Windows User-ID agent, or a firewall acting as a User-ID agent, also called a Data Redistribution agent). See:
Configure the Windows User-ID Agent for User Mapping
Device > User Identification > Connection Security
Configure Data Redistribution