This document provides resolution for the error "get-ldap-data failure" repeatedly in the system logs.
Getting the error "get-ldap-data-failure" in the system logs every few minutes.
This issue is caused when the firewall is trying to fetch the group information from the AD and the group is no longer present on the AD.
In the command line, type less mp-log useridd.log. Look for the below error with the timestamp from the sytem logs
2016-12-23 13:47:26.117 -0800 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:3011): failed to get group obj for 'cn=paloaltotestgroup,cn=users,dc=opxlab,dc=pan'
2016-12-23 13:47:26.117 -0800 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3501): pan_ldap_ctrl_search_single_group() failed for 'cn=paloaltotestgroup,cn=users,dc=opxlab,dc=pan'
Check under Group mapping settings in Group Include List > Included Groups for this group.
Next, check if the group is still present on the AD server. If the group is deleted from AD, remove the group from the firewall and commit the changes.