Server Monitoring Status stuck in "Connection Refused (0)" when using WinRM-HTTP/WinRM-HTTPS


Created On 01/25/22 00:11 AM - Last Modified 12/12/25 00:01 AM


Symptom


  • Domain Controller being monitored for security events shows a status of "Connection Refused (0)".
  • No user-to-IP mappings are learned from that Domain Controller.


Environment


  • Palo Alto Networks firewall using the PAN-OS Integrated User-ID Agent.
  • Domain Controller being monitored using WinRM-HTTP or WinRM-HTTPS as a transport method.


Cause


There is no HTTP response code of 0. The "0" in the Server Monitoring status means the firewall received no HTTP response at all from the Domain Controller: when the WinRM request fails before any response arrives, the firewall fills the response code field with 0 by default. This can be caused by a few things:
  • The firewall itself, an intermediate device, or the host firewall on the Domain Controller is blocking Windows Remote Management traffic (TCP 5985 for WinRM-HTTP, TCP 5986 for WinRM-HTTPS).
  • The Server Monitor Account username has the wrong syntax for the way the server is specified (when the Domain Controller is entered by FQDN instead of IP address under Server Monitor, the domain\username form is required).
  • The firewall cannot resolve the hostname of the Domain Controller.


Resolution


  1. Check useridd.log for the following error message:
    Error:  pan_user_id_winrm_query(pan_user_id_win.c:2698): Connection failed. response code = 0, error: Failure when receiving data from the peer in vsys 1, server=server.pantac.local.lab.
    If you see this error message, either the WinRM traffic on TCP 5985 (5986 for WinRM-HTTPS) is being blocked, or the Username configured under Device > User Identification > Palo Alto Networks User-ID Agent Setup > Server Monitor Account has the wrong syntax. An example of the correct syntax for the "pan_agent" user in the "pantac.local.lab" domain would be the following:
    pantac\pan_agent
    This syntax (NetBIOS domain name, backslash, username) is required when the Domain Controller is specified using its FQDN under Device > User Identification > Server Monitor.
  2. Another possible error message that can be seen in useridd.log:
    Error:  pan_user_id_winrm_query(pan_user_id_win.c:2698): Connection failed. response code = 0, error: Couldn't resolve host name in vsys 1, server=server.pantac.local.lab
    If you see this message, it indicates a DNS resolution issue: the firewall cannot resolve the hostname of the server it is trying to monitor. Check that the DNS servers configured in Device > Setup > Services are correct and can resolve the Domain Controller's hostname (if a service route is configured for DNS, the query is sent from that interface rather than the management interface). The A record for the Domain Controller's hostname might be missing from the DNS server.
  3. Another possible error message that can be seen in the useridd.log:
    Error: pan_user_id_winrm_query(pan_user_id_win.c:2838): Connection failed. response code = 0, Error: Couldn't connect to server in vsys 1, Server=AMS01MCSWDCP3.tasnee.local.
    This error most often points to issues on the server side or with the network path, rather than a misconfiguration on the firewall itself.

Here are the common causes and how to address them:

  • WinRM Service Issues: The WinRM (Windows Remote Management) service on the server being monitored may not be running or configured correctly. This can happen after events like a server reboot.

    • Remediation:

      • Verify that the WinRM service is running on the target server.
      • Restart the WinRM service on the server and monitor the connection status on the firewall.
  • Blocked Network Traffic: The connection from the firewall's management interface (or from the interface selected by a UID Agent service route, if one is configured) to the server on the required WinRM port (TCP 5985 for HTTP or TCP 5986 for HTTPS) might be blocked.
    • Remediation:
      • Check for any intermediate network devices (like other firewalls or routers) or host-based firewalls (like Windows Firewall) on the server itself.
      • A Group Policy Object (GPO) applied to the server could be blocking the firewall's management IP address, or scoping the WinRM allow rule to a list of remote addresses that does not include it. Ensure that firewall rules and GPOs allow traffic from the firewall's management IP to the server on the correct WinRM port.
  • User Account Permissions: The service account used by the firewall for server monitoring might lack the necessary permissions to connect via WinRM.
    • Remediation:
      • Ensure the dedicated service account is a member of the required security groups on the Windows Domain Controller, such as Distributed COM Users, Event Log Readers, and Remote Management Users.
  • Incorrect Server Configuration: This can include issues with how the server is configured to listen for WinRM connections.
    • Remediation:
      • Double-check the server-side WinRM listener configuration to ensure an enabled listener exists for the transport configured on the firewall (HTTP or HTTPS). For WinRM-HTTPS, this also includes verifying the certificate bound to the listener: it must be unexpired, its subject must match the server name the firewall connects to, and it must chain to a CA the firewall trusts.

In summary, troubleshooting this error involves verifying connectivity from the firewall to the server, ensuring the WinRM service on the server is operational, and confirming the service account has the correct permissions.
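The server-side checks above, collected into one script as an added example (this is not code from the original article and not Palo Alto Networks code). It is meant to be run in an elevated PowerShell session on the Domain Controller being monitored, and it walks the same list: WinRM service state, listener and certificate, host-firewall rule and its remote-address scope, and the service account's group membership. The default firewall address 192.0.2.10, the account name pan_agent and the rule name 'PAN User-ID WinRM' are assumptions for the example; pass your own values.

```powershell
<#
 Added example, not from the original article and not Palo Alto Networks code.
 Run in an elevated PowerShell session on the monitored Domain Controller to
 check the server-side causes of "Connection Refused (0)" listed above.
 192.0.2.10 and pan_agent are assumed values; override them with parameters.
#>
param(
    [string]$FirewallMgmtIP = '192.0.2.10',  # assumed: firewall mgmt (or UID Agent service route) IP
    [string]$ServiceAccount = 'pan_agent',   # assumed: sAMAccountName of the Server Monitor Account
    [ValidateSet('HTTP', 'HTTPS')]
    [string]$Transport      = 'HTTP'         # must match the transport chosen under Server Monitor
)

$port     = if ($Transport -eq 'HTTPS') { 5986 } else { 5985 }
$findings = @()

# 1. WinRM service: must be running, and Automatic so it comes back after a reboot.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') {
    $findings += "WinRM service is $($svc.Status). Fix: Start-Service WinRM"
}
if ($svc.StartType -ne 'Automatic') {
    $findings += "WinRM start type is $($svc.StartType). Fix: Set-Service WinRM -StartupType Automatic"
}

# 2. Listener: an enabled listener must exist for the transport the firewall uses.
$listener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq $Transport -and $_.Enabled -eq 'true' }
if (-not $listener) {
    $findings += "No enabled WinRM $Transport listener on TCP $port. Fix (HTTP): Enable-PSRemoting -Force"
}
elseif ($Transport -eq 'HTTPS') {
    # WinRM-HTTPS binds the listener to a server certificate; it must exist and be unexpired.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $listener.CertificateThumbprint }
    if (-not $cert) {
        $findings += "HTTPS listener certificate $($listener.CertificateThumbprint) is not in Cert:\LocalMachine\My"
    }
    elseif ($cert.NotAfter -lt (Get-Date)) {
        $findings += "HTTPS listener certificate expired on $($cert.NotAfter)"
    }
}

# 3. Host firewall: an enabled inbound allow rule for TCP $port is required. Rules delivered
#    by GPO show PolicyStoreSourceType = GroupPolicy and may be scoped to a RemoteAddress list.
$allowRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" -or $_.LocalPort -contains 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if (-not $allowRules) {
    $findings += "No enabled inbound allow rule for TCP $port. Fix: New-NetFirewallRule -DisplayName 'PAN User-ID WinRM' " +
                 "-Direction Inbound -Protocol TCP -LocalPort $port -RemoteAddress $FirewallMgmtIP -Action Allow"
}
else {
    # If every matching rule is scoped and none names the firewall IP exactly, ask the admin to confirm the scope.
    $scopes = $allowRules | Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }
    if ($scopes -notcontains 'Any' -and $scopes -notcontains $FirewallMgmtIP) {
        $findings += "Allow rules for TCP $port are scoped to RemoteAddress '$($scopes -join ',')'; confirm that scope includes $FirewallMgmtIP"
    }
}

# 4. Service account: the groups the article lists as required on the Domain Controller.
Import-Module ActiveDirectory
$required = 'Event Log Readers', 'Remote Management Users', 'Distributed COM Users'
$memberOf = (Get-ADPrincipalGroupMembership -Identity $ServiceAccount).Name
foreach ($g in $required) {
    if ($memberOf -notcontains $g) {
        $findings += "$ServiceAccount is not in '$g'. Fix: Add-ADGroupMember -Identity '$g' -Members $ServiceAccount"
    }
}

# 5. Ask the local listener to answer, as the firewall will do remotely. For HTTPS the
#    name must match the certificate subject, so use this host's FQDN.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$wsman = if ($Transport -eq 'HTTPS') { Test-WSMan -ComputerName $fqdn -UseSSL -ErrorAction SilentlyContinue }
         else                        { Test-WSMan -ComputerName $fqdn -ErrorAction SilentlyContinue }
if (-not $wsman) {
    $findings += "Test-WSMan against $fqdn ($Transport) failed; WinRM is not answering locally"
}

if ($findings.Count -eq 0) {
    "Server side looks fine for WinRM-$Transport on TCP $port. Next: check the path from $FirewallMgmtIP to this host, " +
    "the Server Monitor Account syntax (domain\user when the DC is entered by FQDN), and DNS on the firewall."
}
else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

Run it as `.\Check-PanUserIdWinRM.ps1 -FirewallMgmtIP <mgmt IP> -ServiceAccount <account> -Transport HTTPS` (the script name is arbitrary). Each FAIL line names the cause from the list above and the cmdlet that fixes it; nothing is changed automatically. After a fix, re-check from the firewall side with `show user server-monitor state all` and `tail follow yes mp-log useridd.log` on the PAN-OS CLI, which is where the three error messages in the Resolution section appear.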



Additional Information


For more information about what an HTTP response code of 0 means you can refer to this Stack Overflow thread:
https://stackoverflow.com/questions/872206/what-does-it-mean-when-an-http-request-returns-status-code-0

