Original Message:
Sent: Oct 08, 2024 02:21 AM
From: Palves
Subject: PAN Integration | message:Missing vsys
I'm afraid not, we never figured it out. We ended up ditching the PAN-integration on the wlan-controllers, using syslog (from the wlan-controllers) and Clearpass for UserID instead.
Original Message:
Sent: Oct 07, 2024 09:36 AM
From: davidrickard
Subject: PAN Integration | message:Missing vsys
Hi @Palves, did you get an answer for this? I am just finding the same thing.
Original Message:
Sent: Oct 24, 2023 02:36 AM
From: Palves
Subject: PAN Integration | message:Missing vsys
There's no vsys-settings as far as I can tell. But with data redistribution and vsys 1 on the firewall acting as a userid-hub, that's not an issue. It's been working more or less bulletproof for many years. We did use Clearpass/syslog for userid previously, but had a few issues back then. I guess I have to open a TAC case.
Original Message:
Sent: Oct 20, 2023 10:48 AM
From: Herman Robers
Subject: PAN Integration | message:Missing vsys
It's a long time ago that I last heard about the Palo Alto integration, and I'm not even sure if vsys is supported for the direct integration from the controllers. Many customers use ClearPass, which is more recent. Your best chance may be to open a TAC case.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Oct 19, 2023 09:42 AM
From: Palves
Subject: PAN Integration | message:Missing vsys
Sometimes clients don't get User-ID using the PAN integration on our wireless controllers. This only happens to a few random users, everything else works just fine. Rebooting the client or kicking it off the wireless network usually does the trick.
show pan debug on the controller shows the following:
(Wlan-controller1) *#show pan debugPalo Alto Networks Interface Debug Information----------------------------------------------User Changed User Deleted User Deactivated Refresh Login Reqts Logout Reqts Refresh Reqts No UserName No Change No Deletion------------ ------------ ---------------- ------- ----------- ------------ ------------- ----------- --------- -----------140864 71181 2919 1960 80218 61071 2334 1340 52342 17074Per-PAN server Debug Information--------------------------------PAN Server State User-ID Reqts Sent Skipped Success Failure Last Error---------- ----- ------------- ---- ------- ------- ------- ----------x.x.x.x:443 UP[10/19/23 14:51:25]Established 1133 1133 0 1129 4 [10/19/23 15:09:11]request143283-PAN-UID-S<D:172.22.x.y>-<1002>:<message:Missing vsys>x.x.x.y:443 UP[10/19/23 14:51:26]Established 1133 1133 0 1131 2 [10/19/23 15:15:26]request143579-PAN-UID-S<D:172.20.x.y>-<1002>:<message:Missing vsys>
We do use vsys on our firewalls, but there is no vsys-settings for the PAN integration.
We recently upgraded to AOS 8.10, but I can not say for sure that the issue wasn't there before the upgrade.
Any ideas of how to proceed? I'm not even sure if it's a Palo Alto or Aruba-issue.