User-ID Agent Shows as 'not-conn' on the Palo Alto Networks Firewall

Created On 09/25/18 19:48 PM - Last Modified 11/21/20 03:59 AM


Environment
  • PAN-OS 8.1, 9.0 and 9.1
  • Palo Alto Networks firewall
  • User-ID Agent


Resolution

The User-ID agent status on the Palo Alto Networks firewall shows as 'not-conn.'

admin@PA> show user user-id-agent state all

Agent: Agent1(vsys: vsys1) Host: 10.129.80.47:5007
        Status                                            : not-conn:idle
        Version                                           : 0x0
        num of connection tried                           : 13
        num of connection succeeded                       : 0
.....

 

From the GUI, the status looks like this:

(Screenshot: the agent's Status column in the web interface shows 'not-conn'.)

 

The 'not-conn' (not connected) status can have several causes. Check the following:

 

  1. In a high-availability pair, only the active firewall connects to the User-ID agent; the passive firewall always shows the agent as 'not-conn'. This is expected and is not an error.
  2. The User-ID agent is properly installed on the machine/server and the host is listening on port 5007: User-ID Agent Setup Tips
  3. The firewall has proper reachability from the service route to the User-ID agent, and the port is not blocked anywhere in between.
  4. If using a User-ID collector, make sure the redistribution firewall is configured properly, and is reachable from the firewall. Also be sure the services and policies are properly allowed on the Redistribution firewall. Configure a Firewall to Share User Mapping Data with Other Firewalls
  5. Since the connection between the firewall and the redistribution firewall uses SSL, make sure the SSL certificate used by the firewall is not expired. Capture the handshake on the management port or the dataplane port (if service route is used) and expand the client certificate packet to find the validity. How To Packet Capture (tcpdump) On Management Interface
  6. Check the User-ID logs on the firewall to see if any errors are showing up:

     
    admin@PA> tail follow yes mp-log useridd.log
    ..Error:  __pan_print_msg(pan_sys.c:963): Failed to connect to 10.129.80.47(10.129.80.47):5007
    ..Error:  __pan_print_msg(pan_sys.c:963): Failed to connectto 10.129.80.47(5007): Internal Error
    ..Error:  pan_ssl_conn_open(pan_ssl_utils.c:383):pan_tcp_sock_open() failed
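The checks above are manual. As an added example (not part of the original article and not Palo Alto Networks code), the Python helper below parses the `show user user-id-agent state all` output and useridd.log lines shown above, flags agents in a not-conn state, and maps the log evidence to the numbered checks in the list. The sample state output and log lines are constructed for this example (Agent2 and all counters are made up), the check numbers in the messages refer to the list above, and tcp_reachable is a hypothetical probe run from the operator's workstation, which is only an approximation of the firewall's own service-route path.

```python
"""Triage helper for a User-ID agent that a PAN-OS firewall reports as 'not-conn'.
Example code written for this article; not part of PAN-OS or the User-ID agent."""
import re
import socket
from collections import Counter

# Constructed sample of `show user user-id-agent state all` output, modelled on the
# article's excerpt. Agent2 and all counters are made up for the example.
SAMPLE_STATE = """\
Agent: Agent1(vsys: vsys1) Host: 10.129.80.47:5007
        Status                                            : not-conn:idle
        Version                                           : 0x0
        num of connection tried                           : 13
        num of connection succeeded                       : 0

Agent: Agent2(vsys: vsys1) Host: 10.129.80.48:5007
        Status                                            : conn:idle
        Version                                           : 0x6
        num of connection tried                           : 1
        num of connection succeeded                       : 1
"""

# Constructed sample of useridd.log lines, in the shape the article shows.
SAMPLE_LOG = [
    "Error:  __pan_print_msg(pan_sys.c:963): Failed to connect to 10.129.80.47(10.129.80.47):5007",
    "Error:  __pan_print_msg(pan_sys.c:963): Failed to connectto 10.129.80.47(5007): Internal Error",
    "Error:  pan_ssl_conn_open(pan_ssl_utils.c:383):pan_tcp_sock_open() failed",
]

AGENT_RE = re.compile(
    r"^Agent:\s+(?P<name>\S+)\(vsys:\s*(?P<vsys>\S+)\)\s+Host:\s+(?P<host>[^:\s]+):(?P<port>\d+)")
FIELD_RE = re.compile(r"^\s+(?P<key>.+?)\s*:\s*(?P<val>\S.*)$")

LOG_PATTERNS = {
    # "Failed to connect to" / "connectto": the TCP connect itself failed.
    "tcp_connect_failed": re.compile(r"Failed to connect\s*to\b"),
    # pan_ssl_conn_open reporting pan_tcp_sock_open() failed: same root cause,
    # surfaced by the SSL wrapper before any handshake could take place.
    "tcp_sock_open_failed": re.compile(r"pan_tcp_sock_open\(\) failed"),
}


def parse_agent_state(text):
    """Return one dict per agent: name, vsys, host, port and the indented fields."""
    agents, cur = [], None
    for line in text.splitlines():
        m = AGENT_RE.match(line)
        if m:
            cur = {"name": m["name"], "vsys": m["vsys"],
                   "host": m["host"], "port": int(m["port"])}
            agents.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m["key"].strip().lower()] = m["val"].strip()
    return agents


def not_connected(agents):
    return [a for a in agents if a.get("status", "").startswith("not-conn")]


def classify_log(lines):
    """Count useridd.log lines per known error pattern."""
    counts = Counter({k: 0 for k in LOG_PATTERNS})
    for line in lines:
        for kind, rx in LOG_PATTERNS.items():
            if rx.search(line):
                counts[kind] += 1
    return counts


def triage(state_text, log_lines, is_passive_ha=False):
    """Map the observations to the numbered checks in the article's list."""
    agents = not_connected(parse_agent_state(state_text))
    if not agents:
        return ["no agent is in not-conn state"]
    findings = []
    if is_passive_ha:
        findings.append("1: passive HA member, not-conn is expected; look at the active firewall")
    kinds = classify_log(log_lines)
    tcp_level = kinds["tcp_connect_failed"] + kinds["tcp_sock_open_failed"]
    for a in agents:
        tried = int(a.get("num of connection tried", 0))
        ok = int(a.get("num of connection succeeded", 0))
        where = f"{a['name']} ({a['host']}:{a['port']})"
        if tcp_level or (tried and ok == 0 and not log_lines):
            findings.append(f"2/3: {where}: TCP connect to port {a['port']} fails; "
                            "verify the agent service is listening and the service-route path is not filtered")
        else:
            findings.append(f"4/5: {where}: no TCP-level errors logged; check the redistribution "
                            "firewall configuration and certificate validity on both ends")
    return findings


def tcp_reachable(host, port, timeout=3.0):
    """Hypothetical local probe for check 3. This tests the path from the machine running
    the script, which may differ from the firewall's service route; treat as a hint only."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for line in triage(SAMPLE_STATE, SAMPLE_LOG):
        print(line)
```

Feed it the real CLI output and the tail of useridd.log; in the constructed sample, Agent1 is reported under checks 2/3 because every logged error is a TCP-level connect failure, which means no SSL handshake was ever attempted and certificate checks can wait until port 5007 is reachable.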


Source: https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000CldU