Wireless Access

 View Only

  • 1.  PAN Integration Failing

    Posted Mar 24, 2016 02:21 PM

    I'm having some issues with PAN Integration failing and I've had a ticket open since early January with no luck.  Maybe one of you guys has seen and solved the issue or at least could point me in the right direction.

     

    I have a 3600 Controller running 6.4.2.15.  I've seen this issue across multiple 6.x PAN firewall versions and into version 7.x.  My configuration is correct and has been verified by me and Aruba countless times, removed, put back in multiple times via both command line and GUI multiple times, etc.

     

    In the controller 'show pan debug' shows both of my PAN firewalls as 'established'.  Statistics, however, show all User-ID-Reqts as 'skipped' with 0 sent.

     

    I've captured the traffic between the Aruba Controller and the PAN firewalls and what I see is consistently is an SSL session being set up, then closed immediately.

     

    I think what is possibly causing the problem is that web access on our PAN firewall requires a client side cert that is signed by a trusted CA.  The Aruba Controller has a "server" cert that is signed by our CA.  Is this the cert it would present in this exchange, or something else?

     

    Any help would be appreciated.

     

    Thanks!

     

     



  • 2.  RE: PAN Integration Failing

    Posted Mar 24, 2016 03:00 PM

    After some further testing, if I hit the web management on the PAN firewall and don't provide my client cert - I get to a 'no cert provided' error page from the PAN, but this never shows up in any logs on the PAN.  So it's likely that this is what's happening to the Aruba.  I'll just send syslog to a user-ID agent, parse it, and get it to the PAN that way.  It seems straight forward.

     

    https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Collect-the-User-IP-Mappings-from-a-Syslog-Sender-Using/ta-p/62085

     

    Thanks.



Related Content