Wireless Access

  • 1.  PAN Integration | message:Missing vsys

    Posted Oct 19, 2023 09:42 AM

    Sometimes clients don't get User-ID using the PAN integration on our wireless controllers. This only happens to a few random users; everything else works just fine. Rebooting the client or kicking it off the wireless network usually does the trick.

    show pan debug on the controller shows the following:

    (Wlan-controller1) *#show pan debug
    
    Palo Alto Networks Interface Debug Information
    ----------------------------------------------
    User Changed  User Deleted  User Deactivated  Refresh  Login Reqts  Logout Reqts  Refresh Reqts  No UserName  No Change  No Deletion
    ------------  ------------  ----------------  -------  -----------  ------------  -------------  -----------  ---------  -----------
    140864        71181         2919              1960     80218        61071         2334           1340         52342      17074
    
    Per-PAN server Debug Information
    --------------------------------
    PAN Server       State                             User-ID Reqts  Sent  Skipped  Success  Failure  Last Error
    ----------       -----                             -------------  ----  -------  -------  -------  ----------
    x.x.x.x:443  UP[10/19/23 14:51:25]Established  1133           1133  0        1129     4        [10/19/23 15:09:11]request143283-PAN-UID-S<D:172.22.x.y>-<1002>:<message:Missing vsys>
    x.x.x.y:443  UP[10/19/23 14:51:26]Established  1133           1133  0        1131     2        [10/19/23 15:15:26]request143579-PAN-UID-S<D:172.20.x.y>-<1002>:<message:Missing vsys>

    We do use vsys on our firewalls, but there are no vsys settings for the PAN integration.

    We recently upgraded to AOS 8.10, but I cannot say for sure that the issue wasn't there before the upgrade.

    Any ideas of how to proceed? I'm not even sure if it's a Palo Alto or Aruba issue.
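    The `show pan debug` output above is only checked by hand when a user complains. As an added example (not code from the thread or from Aruba/Palo Alto), the parser below reads the per-server table from that dump, decodes the last-error column into its fields (timestamp, request id, client, error code, message) and flags any PAN server with failed User-ID pushes, so the `<1002>:<message:Missing vsys>` condition can be alerted on from a scheduled CLI poll instead of being discovered per user. The column layout is assumed to be the one in the posted output; the sample input is the posted table (addresses already masked on the page) and the failure-rate threshold is a constructed default.

```python
"""Parse the per-server table of an ArubaOS 'show pan debug' dump and flag
User-ID push failures. Added example; the row format is assumed from the
output posted in the thread, not taken from vendor documentation."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the per-server block as posted (addresses are
# already masked as x.x.x.x / 172.22.x.y on the page).
SAMPLE_SHOW_PAN_DEBUG = """\
Per-PAN server Debug Information
--------------------------------
PAN Server       State                             User-ID Reqts  Sent  Skipped  Success  Failure  Last Error
----------       -----                             -------------  ----  -------  -------  -------  ----------
x.x.x.x:443  UP[10/19/23 14:51:25]Established  1133           1133  0        1129     4        [10/19/23 15:09:11]request143283-PAN-UID-S<D:172.22.x.y>-<1002>:<message:Missing vsys>
x.x.x.y:443  UP[10/19/23 14:51:26]Established  1133           1133  0        1131     2        [10/19/23 15:15:26]request143579-PAN-UID-S<D:172.20.x.y>-<1002>:<message:Missing vsys>
"""

# One data row: server:port, a state field that contains a space inside the
# [...] timestamp (hence the non-greedy match), five integer counters, and
# the free-text last error. Header and separator rows have no "host:port".
ROW_RE = re.compile(
    r"^(?P<server>\S+:\d+)\s+(?P<state>.+?)\s+(?P<reqts>\d+)\s+(?P<sent>\d+)\s+"
    r"(?P<skipped>\d+)\s+(?P<success>\d+)\s+(?P<failure>\d+)\s*(?P<last_error>.*)$"
)

# Last-error column as printed by the controller in the posted output:
# [timestamp]request<id>-PAN-UID-S<D:<client-ip>>-<code>:<message:<text>>
ERR_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]request(?P<request>\d+)-PAN-UID-S<D:(?P<client>[^>]+)>"
    r"-<(?P<code>\d+)>:<message:(?P<message>[^>]*)>"
)


@dataclass
class PanServer:
    server: str
    state: str
    reqts: int
    sent: int
    skipped: int
    success: int
    failure: int
    last_error: str

    @property
    def failure_rate(self) -> float:
        return self.failure / self.sent if self.sent else 0.0

    @property
    def counters_consistent(self) -> bool:
        # Every sent request should be accounted for as success or failure.
        return self.sent == self.success + self.failure


def parse_pan_servers(text: str) -> list[PanServer]:
    """Return one PanServer per data row; header/separator lines are skipped."""
    servers: list[PanServer] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        servers.append(PanServer(
            m["server"], m["state"], int(m["reqts"]), int(m["sent"]),
            int(m["skipped"]), int(m["success"]), int(m["failure"]),
            m["last_error"].strip(),
        ))
    return servers


def parse_last_error(last_error: str) -> Optional[dict]:
    """Split the last-error string into its fields, or None if it is empty/unknown."""
    m = ERR_RE.search(last_error)
    return m.groupdict() if m else None


def find_issues(servers: list[PanServer], max_failure_rate: float = 0.0) -> list[str]:
    """Human-readable findings: servers not UP, inconsistent counters, and any
    server whose failure rate exceeds the threshold (with the decoded last error)."""
    findings = []
    for s in servers:
        if not s.state.startswith("UP"):
            findings.append(f"{s.server}: state {s.state!r} is not UP")
        if not s.counters_consistent:
            findings.append(f"{s.server}: sent={s.sent} != success+failure")
        if s.failure_rate > max_failure_rate:
            err = parse_last_error(s.last_error)
            detail = (f"code {err['code']} '{err['message']}' for client "
                      f"{err['client']} at {err['ts']}" if err else "unparsed error text")
            findings.append(f"{s.server}: {s.failure}/{s.sent} User-ID requests failed "
                            f"({s.failure_rate:.2%}); last error: {detail}")
    return findings


if __name__ == "__main__":
    for finding in find_issues(parse_pan_servers(SAMPLE_SHOW_PAN_DEBUG)):
        print(finding)
```

    In practice the text would come from a scheduled `show pan debug` over SSH; feeding the per-server block to `parse_pan_servers` and alerting on a non-empty `find_issues` result gives a per-firewall failure count and the exact error code and message to hand to TAC, which is more useful than noticing one stuck user at a time.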



  • 2.  RE: PAN Integration | message:Missing vsys

    Posted Oct 20, 2023 10:49 AM

    It's been a long time since I last heard about the Palo Alto integration, and I'm not even sure if vsys is supported for the direct integration from the controllers. Many customers use ClearPass, which is more recent. Your best chance may be to open a TAC case.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: PAN Integration | message:Missing vsys

    Posted Oct 24, 2023 02:36 AM

    There are no vsys settings as far as I can tell. But with data redistribution and vsys 1 on the firewall acting as a User-ID hub, that's not an issue. It's been working more or less bulletproof for many years. We did use ClearPass/syslog for User-ID previously, but had a few issues back then. I guess I have to open a TAC case.




  • 4.  RE: PAN Integration | message:Missing vsys

    Posted Oct 07, 2024 09:37 AM

    Hi @Palves, did you get an answer for this? I am just finding the same thing.




  • 5.  RE: PAN Integration | message:Missing vsys

    Posted Oct 08, 2024 02:22 AM

    I'm afraid not, we never figured it out. We ended up ditching the PAN integration on the WLAN controllers, using syslog (from the WLAN controllers) and ClearPass for User-ID instead.




  • 6.  RE: PAN Integration | message:Missing vsys

    Posted Oct 17, 2024 09:32 AM

    Thanks Palves, this sounds like it's too late for you, but Aruba TAC have responded saying that this may be another form of a known bug fixed in 8.10.0.11. I am about to upgrade to 8.10.0.14, so will see if the problem goes away.

    Bug ID AOS-239653 from the ArubaOS 8.10.0.11 Release Notes (arubanetworks.com)

    After disconnecting from a wireless AP using 802.1x secured SSID, some clients were not logged out of the Palo Alto firewall. If the same client tried to connect again with a different username, it caused the controller to not logout the previous username and did not ask for a login for the new username. This caused the firewall not to update host information nor associate with correct firewall policy. The fix ensures the controllers work as expected.
    This issue was observed in controllers running ArubaOS 8.9.0.3 or later versions.




  • 7.  RE: PAN Integration | message:Missing vsys

    Posted 4 days ago

    Just for the record, I have had a ticket open with Aruba TAC for 20 months on the problem of controllers not updating the Palo XML API correctly. The last update from TAC was that other people have had the same problem and Aruba couldn't fix it, so they threw the kitchen sink at it by adding both CPPM updates AND syslog from the controller.

    ...the Engineering team worked closely with the customer, who provided PAN-side debug logs and collaborated with the PAN team on the analysis. Based on the findings, the customer implemented additional User-ID synchronization mechanisms with their firewall, including MC authentication syslog forwarding and parsing, as well as ClearPass telemetry forwarding, to address the issues observed earlier. While each of these methods has certain limitations when used independently, running all three in parallel has been providing stable and acceptable results in their environment. As a result, the customer was able to resolve the issue.

    I have also tried using ClearPass and that is worse than the controller updates. I have CPPM configured to update my two firewalls, and most updates only end up going to one of the two, and the updates are so delayed that they can take up to 5 minutes to arrive at the firewall, by which time the user session has finished.

    Syslog is not a suitable solution in my opinion because it involves throwing huge amounts of completely irrelevant traffic at the firewalls, as the controllers can't filter just the relevant messages. And anyway, how is that an answer to what is clearly buggy code in the API? If you can send the right messages via syslog (and who is to say that gets it right anyway?), then there's no excuse for not sending them via the API.

    I'll probably get bad marks on the forum for this, but it is utterly appalling code and support from Aruba.