Useridd : log query for <server> failed: NTSTATUS: NT code 0xc002001b

Created On 02/09/21 17:28 PM - Last Modified 02/11/23 01:06 AM


Symptom


  • A firewall using agentless User-ID is unable to learn IP-to-user mappings from monitored servers.
  • useridd.log contains messages such as the following:
2021-01-16 00:31:06.253 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1439): log query for <server name> failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
  • In the Web GUI, Monitor tab > System log shows server monitor entries such as "Connection timeout" and "Connection refused":
2020/12/27 10:48:33 high userid connect 0 User-ID server monitor <server name>  Connection refused
2020/12/27 10:48:00 high userid connect 0 User-ID server monitor <server name> Connection timeout
2020/12/27 10:45:32 high userid connect 0 User-ID server monitor <server name> Host unreachable
2020/12/27 10:43:29 high userid connect 0 User-ID server monitor <server name> Connection refused

 


Environment


  • PAN-OS
  • Agentless UserID


Cause


  • The issue can occur when no NTP time source is configured on the firewall, or when the firewall's NTP time is too far out of sync with the monitored servers.
  • Queries to the monitored AD servers for security logs are timestamp-based and therefore time-sensitive.


Resolution


  1. Configure an NTP server on the firewall.
  2. Configure an NTP server on the monitored AD server.
    1. In some cases the NTP server may need to be changed to another server with a higher-quality time source or one closer (less delay) to the firewall.


Additional Information


  • Microsoft Article explaining error codes
  • 2.3.1 NTSTATUS Values
  • 0xC002001B is "RPC (remote procedure call) failed"
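
The two log formats shown under Symptom can be triaged per monitored server with a short script. This is an added example, not Palo Alto Networks code: the function names are hypothetical, and the sample input (server names, both log types combined in one list) is constructed.

```python
import re
from collections import defaultdict

# Meaning taken from the article; any other code is counted but not decoded.
NTSTATUS = {0xC002001B: "RPC (remote procedure call) failed"}

# useridd.log error line, in the format shown under Symptom.
USERIDD_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} Error: .*?"
    r"log query for (?P<server>.+?) failed: NTSTATUS: NT code (?P<code>0x[0-9a-fA-F]+)")
# System log entry for the User-ID server monitor, in the format shown under Symptom.
SYSTEM_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \S+ userid connect \d+ "
    r"User-ID server monitor (?P<server>\S+)\s+(?P<reason>.+?)\s*$")

# Constructed sample: hypothetical server names, both log types in one list.
SAMPLE = """\
2021-01-16 00:31:06.253 -0500 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1439): log query for dc01.example.test failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b
2020/12/27 10:48:33 high userid connect 0 User-ID server monitor dc01.example.test  Connection refused
2020/12/27 10:48:00 high userid connect 0 User-ID server monitor dc01.example.test Connection timeout
2020/12/27 10:45:32 high userid connect 0 User-ID server monitor dc02.example.test Host unreachable
""".splitlines()

def triage(lines):
    """Count NTSTATUS query failures and connect errors per monitored server."""
    out = defaultdict(lambda: {"ntstatus": defaultdict(int), "connect": defaultdict(int)})
    for line in lines:
        m = USERIDD_RE.match(line)
        if m:
            out[m["server"]]["ntstatus"][int(m["code"], 16)] += 1
        elif (m := SYSTEM_RE.match(line)):
            out[m["server"]]["connect"][m["reason"]] += 1
    return out

def needs_time_check(summary):
    """Servers with 0xc002001b query failures: candidates for the NTP check."""
    return sorted(s for s, d in summary.items() if 0xC002001B in d["ntstatus"])

if __name__ == "__main__":
    summary = triage(SAMPLE)
    flagged = needs_time_check(summary)
    for server, d in sorted(summary.items()):
        codes = ", ".join(f"{c:#010x} ({NTSTATUS.get(c, 'not decoded')}) x{n}"
                          for c, n in d["ntstatus"].items()) or "none"
        conns = ", ".join(f"{r} x{n}" for r, n in d["connect"].items()) or "none"
        note = "  <- compare clock/NTP with firewall" if server in flagged else ""
        print(f"{server}: query failures: {codes}; connect errors: {conns}{note}")
```

Servers that show only connect errors, without the 0xc002001b query failure, are listed but not flagged for the NTP check.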

