尝试在防火墙上检索 CIE 组时出现错误“无法检索区域的tenantDomain”

尝试在防火墙上检索 CIE 组时出现错误“无法检索区域的tenantDomain”

10223
Created On 12/06/22 16:04 PM - Last Modified 07/24/24 14:36 PM


Symptom


(检查“附加信息”以在调试模式下运行 dscd.log)
{"level":"debug","time":"2022-12-02T07:56:44.339811754Z","message":"[CFG-DATA] Sending query to fetch tenantDomain for region europe"} 
{"level":"debug","time":"2022-12-02T07:56:44.339862462Z","message":"[CFG-DATA] TenantDomain: Get tenant Domains url: https://app-directory-sync.eu.paloaltonetworks.com/service/directory/v1/tenantdomains"} 
{"level":"debug","time":"2022-12-02T07:56:44.438575944Z","message":"[CERT-VERIFY]Use local source address 10.14.22.240 for http request"}
{"level":"debug","time":"2022-12-02T07:56:44.440328384Z","message":"[CERT-VERIFY]Use local source address 10.14.22.240 for http request"}
{"level":"debug","time":"2022-12-02T07:56:44.442030888Z","message":"[CERT-VERIFY]Use local source address 10.14.22.240 for http request"}
{"level":"debug","time":"2022-12-02T07:56:44.443351098Z","message":"[CERT-VERIFY]Use local source address 10.14.22.240 for http request"}
{"level":"error","time":"2022-12-02T07:56:46.724860938Z","message":"Failed to retrieve tenantDomain for region europe"}


 

Environment


  • 帕洛阿尔托防火墙或全景
  • 泛操作系统 10.1 及更高版本。
  • PAN-OS 防火墙从 Cloud Identity Engine 检索组映射。
  • 具有云目录配置的 Cloud Identity Engine。

Cause


  • 需要成功进行区域提取才能检索 CIE 组。
  • dscd 日志表明区域获取失败。

Resolution


确保租户域 URL(如 dscd.log 中所示)可从防火墙访问。

Additional Information


注1: URL 根据配置 CIE 的区域而变化。

可以通过运行以下命令在调试级别启用 dscd.log: 
> debug user-id dscd on debug
您可以通过运行以下命令来恢复更改: 
> debug user-id dscd on info
笔记2: Cloud Identity Engine 使用 Palo Alto Networks Services 服务路由。
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sa3YCAQ&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language