Firewall intermittently not updating user-to-IP mapping with the longest timeout

Created On 07/10/22 20:54 PM - Last Modified 11/07/25 21:04 PM


Symptom


When the firewall receives user-to-IP mapping information with different timeout values from multiple sources, the timeout applied to the mappings is inconsistent. This can cause a mapping to be removed earlier than expected, so that users no longer match the correct Security policy rules or have their access denied.

Environment


  • User-ID


Cause


When the firewall receives several mapping updates for the same IP address from different sources, each carrying that source's configured timeout, it installs only the first update it receives and applies that update's timeout. The later updates, including their timeout values, are ignored.

Whether an update is installed is decided by factor completion time: the timestamp of the event log entry on the Domain Controller from which the agent derived the mapping. An update whose factor completion time is older than or equal to the one already installed for that IP is treated as outdated or a duplicate and dropped. When several agents forward the same logon event they all report the same factor completion time, so whichever update reaches the firewall first wins and its agent's timeout becomes the mapping's timeout. Which agent delivers first varies (for example, an agent re-sends all of its mappings after its connection to the firewall is re-established), which is why the applied timeout appears to change intermittently.

The User-ID log in the web UI does not show that any update was ignored; the firewall logs every IP-to-user mapping it receives from every connected agent.


This can be verified on the CLI with the commands below. In this excerpt the connection to agent DC2 drops and is re-established; on reconnect the firewall requests all mappings from DC2, and the re-sent mapping for 172.16.105.5 is ignored because its login time (factor completion time) is equal to the one already installed.

> debug user-id set userid basic
> debug user-id on debug

> tail follow yes mp-log useridd.log
2022-07-10 15:47:27.590 -0500 debug: pan_user_id_ipusers_mp_table_add(pan_user_id_ipuser.c:463): ip 172.16.105.5(3) login time changed from 1657565024 to 1657568669
2022-07-10 15:47:35.379 -0500 debug: pan_user_msg_readin(pan_user_msg.c:1282): pan_ssl_readn_nowait() returns closure alert.
2022-07-10 15:47:35.379 -0500 Error:  pan_user_id_agent_send_and_recv_msgs(pan_user_id_agent.c:3145): pan_user_msgs_recv() failed
2022-07-10 15:47:35.379 -0500 Error:  pan_user_id_agent_uia_proc_v5(pan_user_id_uia_v5.c:1252): pan_user_id_agent_send_and_recv_msgs() failed for DC2(1)
2022-07-10 15:47:40.389 -0500 debug: pan_user_id_agent_init_connect(pan_user_id_agent.c:1585): connecting to agent DC2(1)
2022-07-10 15:47:40.420 -0500 debug: pan_user_id_agent_init_connect(pan_user_id_agent.c:1688): Agent DC2(vsys1)
2022-07-10 15:47:40.422 -0500 debug: pan_user_id_uia_send_req_ip(pan_user_id_uia_v5.c:1005): Getting all ip from agent DC2(1)
2022-07-10 15:47:40.466 -0500 debug: pan_user_id_update_dns_map(pan_user_id_cfg.c:5615): DNS map is not changed
2022-07-10 15:47:40.466 -0500 debug: pan_user_id_ipusers_mp_table_add(pan_user_id_ipuser.c:446): Ignore outdated or duplicate ip-user adding for ip 172.16.105.5, uid 3 : login time 1657568669 is older than or equal to 1657568669
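The following Python model, added here as an illustration and not PAN-OS code, reproduces the table-add rule described in the Cause section and stated by the last log line above (an update whose login time is older than or equal to the installed one is ignored), and parses useridd.log for those ignore lines. The IP address, uid 3, login time and agent name DC2 are taken from the log excerpt; the second agent name DC1, the two timeout values (45 and 2880 minutes) and the arrival orders are assumed for the demonstration.

```python
"""Model of the User-ID ip-user table-add rule plus a parser for the
"Ignore outdated or duplicate" lines in useridd.log.
Added example, not PAN-OS code. The rule follows what the log line states;
agent DC1, the timeout values and the update order are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MappingUpdate:
    source: str       # agent that forwarded the mapping (DC2 is from the log, DC1 assumed)
    ip: str
    uid: int          # firewall-internal user id, the "(3)" in the log lines
    login_time: int   # factor completion time, epoch seconds
    timeout_min: int  # the sending agent's configured user mapping timeout


@dataclass
class InstalledMapping:
    source: str
    uid: int
    login_time: int
    timeout_min: int


def table_add(table: Dict[str, InstalledMapping], upd: MappingUpdate) -> bool:
    """Install upd unless the table already holds a mapping for that IP with a
    login time newer than or equal to upd's. Returns True if installed."""
    cur = table.get(upd.ip)
    if cur is not None and upd.login_time <= cur.login_time:
        return False  # "Ignore outdated or duplicate ip-user adding"
    table[upd.ip] = InstalledMapping(upd.source, upd.uid, upd.login_time, upd.timeout_min)
    return True


def install_all(updates: List[MappingUpdate]) -> Dict[str, InstalledMapping]:
    """Feed updates to the table in arrival order and return the resulting table."""
    table: Dict[str, InstalledMapping] = {}
    for upd in updates:
        table_add(table, upd)
    return table


# Assumed scenario: two agents report the same logon event (same factor
# completion time) but are configured with different timeouts.
IP = "172.16.105.5"
LOGIN_TIME = 1657568669
AGENT_TIMEOUT_MIN = {"DC1": 45, "DC2": 2880}  # assumed values


def same_event(order: List[str], timeouts: Dict[str, int] = AGENT_TIMEOUT_MIN) -> List[MappingUpdate]:
    """The same logon event forwarded by each agent, in arrival order."""
    return [MappingUpdate(agent, IP, 3, LOGIN_TIME, timeouts[agent]) for agent in order]


def effective_timeout(order: List[str], timeouts: Dict[str, int] = AGENT_TIMEOUT_MIN) -> int:
    """Timeout the firewall ends up applying to IP for the given arrival order."""
    return install_all(same_event(order, timeouts))[IP].timeout_min


# Parser for the ignore line written by pan_user_id_ipusers_mp_table_add.
IGNORE_RE = re.compile(
    r"Ignore outdated or duplicate ip-user adding for ip (?P<ip>[\d.]+), "
    r"uid (?P<uid>\d+) : login time (?P<new>\d+) is older than or equal to (?P<cur>\d+)"
)


def ignored_updates(log_lines: List[str]) -> List[Tuple[str, int, int, int]]:
    """Return (ip, uid, ignored_login_time, installed_login_time) for each ignored update."""
    out = []
    for line in log_lines:
        m = IGNORE_RE.search(line)
        if m:
            out.append((m["ip"], int(m["uid"]), int(m["new"]), int(m["cur"])))
    return out


# The two relevant lines from the useridd.log excerpt on this page.
SAMPLE_LOG = [
    "2022-07-10 15:47:27.590 -0500 debug: pan_user_id_ipusers_mp_table_add(pan_user_id_ipuser.c:463): "
    "ip 172.16.105.5(3) login time changed from 1657565024 to 1657568669",
    "2022-07-10 15:47:40.466 -0500 debug: pan_user_id_ipusers_mp_table_add(pan_user_id_ipuser.c:446): "
    "Ignore outdated or duplicate ip-user adding for ip 172.16.105.5, uid 3 : "
    "login time 1657568669 is older than or equal to 1657568669",
]

if __name__ == "__main__":
    for order in (["DC1", "DC2"], ["DC2", "DC1"]):
        print(order, "->", effective_timeout(order), "min")
    equal = {"DC1": 2880, "DC2": 2880}
    for order in (["DC1", "DC2"], ["DC2", "DC1"]):
        print("equal timeouts", order, "->", effective_timeout(order, equal), "min")
    print("ignored:", ignored_updates(SAMPLE_LOG))
```

With the assumed values, the same logon event yields a 45-minute mapping when DC1's update arrives first and a 2880-minute mapping when DC2's arrives first; once both agents are configured with the same timeout the arrival order no longer matters, which is the point of the Resolution below. The parser gives a quick way to confirm from useridd.log that updates are being dropped, since the web UI User-ID log does not show it.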


Resolution


To fix this inconsistent behavior, configure the same user mapping timeout on every User-ID agent connected to the firewall. With identical timeouts it no longer matters which agent's update is installed first.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkufCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail