Server Monitoring Status stuck in "Connection Refused (0)" when using WinRM-HTTP/WinRM-HTTPS

Created On 01/25/22 00:11 AM - Last Modified 11/04/22 01:42 AM


Symptom


  • Domain Controller being monitored for security events shows a status of "Connection Refused (0)".
  • User to IP mappings cannot be seen from the Domain Controller.


Environment


  • PA Firewall using the PAN-OS Integrated User-ID Agent.
  • Domain Controller being monitored using WinRM-HTTP or WinRM-HTTPS as a transport method.


Cause


There is no HTTP response code of 0. The "0" in the Server Monitoring status means that the firewall is not receiving a response from the Domain Controller. When the firewall does not see a response, it fills the response code field with 0 by default. This can be caused by a few things:
  • The firewall or another device is blocking the Windows Remote Management traffic on port 5985.
  • The configured server monitor account username has the wrong syntax (when an FQDN is specified instead of an IP address under Server Monitor).
  • The firewall cannot resolve the hostname of the Domain Controller.


Resolution


1. Check useridd.log for the following error message:
Error:  pan_user_id_winrm_query(pan_user_id_win.c:2698): Connection failed. response code = 0, error: Failure when receiving data from the peer in vsys 1, server=server.pantac.local.lab.

If you see this error message, that means either the WinRM traffic on port 5985 is being blocked, or the Username configured under Device > User Identification > Palo Alto Networks User-ID Agent Setup > Server Monitor Account has the wrong syntax. An example of the correct syntax for the "pan_agent" user in the "pantac.local.lab" domain would be the following:
pantac\pan_agent

This syntax is required when the Domain Controller is specified using its FQDN under Device > User Identification > Server Monitor.

2. Another possible error message that can be seen in useridd.log:
Error:  pan_user_id_winrm_query(pan_user_id_win.c:2698): Connection failed. response code = 0, error: Couldn't resolve host name in vsys 1, server=server.pantac.local.lab

If you see this message, the firewall is unable to resolve the hostname configured under Server Monitoring. Please check that the DNS Server configured in Device > Setup > Services is correct and can resolve the Domain Controller's hostname.
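
To apply steps 1 and 2 to an exported copy of useridd.log, the sketch below (an added example, not Palo Alto Networks code) groups the two "response code = 0" messages by server and maps each one to the check this article gives. The function names and the domain\user shape test are assumptions modelled on the single syntax example above.

```python
import re
from collections import Counter

# Shape of the WinRM failure lines quoted above from useridd.log.
WINRM_ERR = re.compile(
    r"pan_user_id_winrm_query\([^)]*\): Connection failed\. "
    r"response code = (?P<code>\d+), error: (?P<error>.+?) in vsys (?P<vsys>\d+), "
    r"server=(?P<server>\S+?)\.?\s*$"
)

# Error text -> what this article says to check.
CAUSES = {
    "Failure when receiving data from the peer":
        "WinRM traffic on port 5985 is blocked, or the Server Monitor Account username has the wrong syntax",
    "Couldn't resolve host name":
        "firewall cannot resolve the hostname; check the DNS server under Device > Setup > Services",
}

def triage(lines):
    """Return {(vsys, server): Counter({cause: hits})} for response code 0 failures."""
    report = {}
    for line in lines:
        m = WINRM_ERR.search(line)
        if not m or m["code"] != "0":
            continue  # not a "no response from the Domain Controller" failure
        cause = CAUSES.get(m["error"], "unrecognised error text: " + m["error"])
        report.setdefault((int(m["vsys"]), m["server"]), Counter())[cause] += 1
    return report

def is_domain_backslash_user(username):
    """Assumed check: True for the domain\\user shape of the article's example."""
    return re.fullmatch(r"[^\\/@\s]+\\[^\\/@\s]+", username) is not None

# Constructed sample: the article's two messages plus one unrelated line.
SAMPLE = [
    "Error:  pan_user_id_winrm_query(pan_user_id_win.c:2698): Connection failed. response code = 0, error: Failure when receiving data from the peer in vsys 1, server=server.pantac.local.lab.",
    "Error:  pan_user_id_winrm_query(pan_user_id_win.c:2698): Connection failed. response code = 0, error: Couldn't resolve host name in vsys 1, server=server.pantac.local.lab",
    "constructed unrelated log line",
]

if __name__ == "__main__":
    for (vsys, server), causes in triage(SAMPLE).items():
        for cause, hits in causes.items():
            print(f"vsys {vsys} {server}: {hits}x {cause}")
```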
 


Additional Information


For more information about what an HTTP response code of 0 means you can refer to this Stack Overflow thread:
https://stackoverflow.com/questions/872206/what-does-it-mean-when-an-http-request-returns-status-code-0

