I have configured an enforcement profile to send my Palo Alto the user's UserID and HIP data. We notice that the CPPM server resends records well after a user has left the premises.
To test I disabled the profile match statement so no new data would be sent and I see that CPPM continues to resend records, now several days later.
Is this a feature or a bug? No sessions are still active, and no event has matched the enforcement profile in 6 days, yet I'm still getting new XMLapi connections on the PA firewall.
How do I make ClearPass stop sending?
TAC reports that this is a "known bug" and I'm now (im)patiently waiting for word on a fix.
Any updates on this? We noticed this behaviour in our environment as well. I could not find any hints on a known bug in the release notes. IMHO the Palo Alto context server option is not usable like that. ClearPass also keeps sending the API request if the context server is deleted. That must be a bug. Timeout settings also do not seem to work.
I'm sorry I let this thread go without updating.
The next patch fixed the issue and we haven't seen it again.
I can't tell you exactly which version it was that fixed it, but we patch within a few days of each release.
That's strange because we are on 6.8.0; the update to the latest 6.8.1 is pending. I think I will give the latest version a try and contact TAC otherwise. For now we disabled the API access on the PAN side because ClearPass doesn't stop sending requests.
Recently had a TAC case, turned out that it is a known bug again. But there exists a workaround:
That fixed it for me.
Thanks, we recently turned this feature back on and I was seeing the returned bug (CPPM version 6.9.3.x) and am now trying the work-around.
Nope - still continuing to update stale records. Heading to TAC.
ClearPass leaves stale entries when a client roams from one ClearPass server to another.
In a cluster environment where the user first authenticated on one ClearPass server and later authenticated on a different ClearPass server, ClearPass might leave a stale entry in a Palo Alto Networks (PANW) server.
Workaround: If you use a load balancer to load-balance ClearPass RADIUS traffic, configure a load balancing algorithm that maintains connection persistence based on a RADIUS username.
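The persistence idea in the workaround above, sketched as an added example (not ClearPass, Palo Alto or load-balancer vendor code): parse the User-Name attribute (type 1, RFC 2865) out of a RADIUS request and hash it so the same user always lands on the same ClearPass node. The node names, the case-folding of usernames and the fallback to the first node are assumptions made for illustration.

```python
import hashlib
import struct

USER_NAME = 1  # RADIUS attribute type for User-Name (RFC 2865)

def radius_user_name(packet: bytes):
    """Return User-Name from a RADIUS packet, or None if absent or malformed."""
    if len(packet) < 20:
        return None
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return None
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None  # malformed attribute, stop parsing
        if attr_type == USER_NAME:
            return packet[pos + 2:pos + attr_len].decode("utf-8", "replace")
        pos += attr_len
    return None

def pick_server(packet: bytes, servers):
    """Choose a backend by hashing the username, not the source IP or port."""
    name = radius_user_name(packet)
    if name is None:
        return servers[0]  # assumption: unparseable requests go to the first node
    # Assumption: usernames are treated as case-insensitive for persistence.
    digest = hashlib.sha256(name.strip().lower().encode()).digest()
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]

def build_access_request(ident: int, user: str, nas_ip: bytes) -> bytes:
    """Constructed sample Access-Request: User-Name plus NAS-IP-Address only."""
    name = user.encode()
    attrs = bytes([USER_NAME, 2 + len(name)]) + name
    attrs += bytes([4, 6]) + nas_ip  # attribute 4 = NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    nodes = ["cppm-1", "cppm-2", "cppm-3"]  # hypothetical ClearPass cluster nodes
    first = build_access_request(7, "alice", bytes([10, 0, 0, 1]))
    roamed = build_access_request(9, "Alice", bytes([10, 0, 9, 1]))  # other NAS
    print(pick_server(first, nodes), pick_server(roamed, nodes))
```

Because the key is the username rather than the NAS address, a client that roams to a different access device is still authenticated by the same node, which is the condition the workaround relies on.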