User-to-IP Mapping learned from Panorama disappears from the firewall

• Panorama is configured as a Redistribution Agent, while the firewall is set up as a Redistribution Client.
• After a few hours, the user-to-IP mappings disappear from the firewall.
• The mappings can be temporarily restored by restarting the distributord process on the firewall.
• The following messages appear when enabling debug level logging on the distributord on the firewall.

> less mp-log distributord.log
....
-0500 [CONNMGR] handle message from conn mgr for panorama with len 17
-0500 [CONNMGR][HNDLMSG] Received message from Agent
-0500 [CMS_AGENT][RECVMSG] Found agent panorama, queueing message
-0500 [CMS_MSGS] Added msg to RECV list
-0500 [CMS_AGENT][FETCHMSG] agent UID-Panorama add a new msg(len 16) into circbuf
-0500 Assembling buff: buff_len = 16, buff_offset = 16, receive_left = 0, payload_len = 0, buff=0x556ccc0482f0, header=(nil), payload=(nil)
-0500 Assembling buff: buff_len = 16, buff_offset = 0, receive_left = 16, payload_len = 0, buff=0x556ccc047490, header=0x556ccc047490, payload=(nil)
-0500 proto header: proto_name: 0x50414e0, version=6, type=65, flag=3, vsys=1,len=0
-0500 debug: pan_distributor_agent_consume_msg(pan_distributor_agent.c:2959): [agent UID-Panorama][RX] received PAN_AGENT_FLATMSG_STATUS_REPLY
-0500 debug: pan_distributor_agent_proc(pan_distributor_agent.c:3212): agent 'UID-Panorama' stop processing
-0500 [CMS_AGENT][SENDMSG] hdr(0x556ccc0482f0)hdrl(16)fltm(0x556cce139150)fltml(38)
-0500 [CMS_AGENT] After coalesce of hdr and flat_msg new len is 54
-0500 [agent UID-Panorama][TX] PAN_AGENT_FLATMSG_STATUS_GET
-0500 debug: pan_distributor_agent_proc(pan_distributor_agent.c:3212): agent 'UID-Panorama' stop processing

• Palo Alto Firewalls
• PAN-OS 10.0 version or higher
• Panorama as User-ID Redistribution Agent
• Firewall as User-ID Redistribution Client

• In PAN-OS 10.0 version and higher, the code for redistribution was integrated into a new process called distributord.
• A relay was established between useridd and distributord, allowing useridd to forward new user-to-IP mappings to distributord for redistribution.
• An incorrect configuration on Panorama prevented the relay between useridd and distributord from functioning properly, leading to intermittent failures in redistribution.

1. Log in to the Panorama GUI
2. Navigate to Panorama > Setup > Interfaces
3. Click on the Management Interface
4. Under Network Services, enable the User-ID option
5. Click OK and commit the changes

This configuration ensures proper redistribution of user-to-IP mappings from Panorama to Firewalls, preventing the mappings from disappearing.