  • 1.  PAN Integration | message:Missing vsys

    Posted Oct 19, 2023 09:42 AM

    Sometimes clients don't get User-ID using the PAN integration on our wireless controllers. This only happens to a few random users; everything else works just fine. Rebooting the client or kicking it off the wireless network usually does the trick.

    show pan debug on the controller shows the following:

    (Wlan-controller1) *#show pan debug
    
    Palo Alto Networks Interface Debug Information
    ----------------------------------------------
    User Changed  User Deleted  User Deactivated  Refresh  Login Reqts  Logout Reqts  Refresh Reqts  No UserName  No Change  No Deletion
    ------------  ------------  ----------------  -------  -----------  ------------  -------------  -----------  ---------  -----------
    140864        71181         2919              1960     80218        61071         2334           1340         52342      17074
    
    Per-PAN server Debug Information
    --------------------------------
    PAN Server       State                             User-ID Reqts  Sent  Skipped  Success  Failure  Last Error
    ----------       -----                             -------------  ----  -------  -------  -------  ----------
    x.x.x.x:443  UP[10/19/23 14:51:25]Established  1133           1133  0        1129     4        [10/19/23 15:09:11]request143283-PAN-UID-S<D:172.22.x.y>-<1002>:<message:Missing vsys>
    x.x.x.y:443  UP[10/19/23 14:51:26]Established  1133           1133  0        1131     2        [10/19/23 15:15:26]request143579-PAN-UID-S<D:172.20.x.y>-<1002>:<message:Missing vsys>

    We do use vsys on our firewalls, but there is no vsys-settings for the PAN integration.

    We recently upgraded to AOS 8.10, but I cannot say for sure that the issue wasn't there before the upgrade.

    Any ideas of how to proceed? I'm not even sure if it's a Palo Alto or Aruba-issue.
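
Added example, not part of the original post and not Aruba or Palo Alto code: a small Python parser for the per-server table in the show pan debug output above, which lists servers with a non-zero Failure count and pulls the client address and message out of the Last Error cell. The sample rows are constructed (documentation addresses), and the field layout is assumed from the output shown in the post.

```python
import re

# Row of the "Per-PAN server Debug Information" table, laid out as in the post above.
ROW = re.compile(
    r"^\s*(?P<server>\S+:\d+)\s+(?P<state>\S+\[[^\]]*\]\S*)\s+"
    r"(?P<reqts>\d+)\s+(?P<sent>\d+)\s+(?P<skipped>\d+)\s+"
    r"(?P<success>\d+)\s+(?P<failure>\d+)\s*(?P<last_error>.*)$"
)
# Last Error cell (assumed layout): [timestamp]request...<D:client-ip>-<number>:<message:text>
ERR = re.compile(r"\[(?P<when>[^\]]+)\].*?<D:(?P<client>[^>]+)>.*<message:(?P<message>[^>]+)>")

# Constructed sample (documentation addresses), modelled on the output in the post.
SAMPLE = """\
PAN Server       State                             User-ID Reqts  Sent  Skipped  Success  Failure  Last Error
----------       -----                             -------------  ----  -------  -------  -------  ----------
192.0.2.1:443  UP[10/19/23 14:51:25]Established  1133           1133  0        1129     4        [10/19/23 15:09:11]request143283-PAN-UID-S<D:198.51.100.23>-<1002>:<message:Missing vsys>
192.0.2.2:443  UP[10/19/23 14:51:26]Established  1133           1133  0        1133     0
"""

def parse_pan_debug(text):
    """Return one dict per PAN server row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("reqts", "sent", "skipped", "success", "failure"):
            row[key] = int(row[key])
        # An empty Last Error cell (no failures yet) yields error=None.
        err = ERR.search(row.pop("last_error"))
        row["error"] = err.groupdict() if err else None
        rows.append(row)
    return rows

def servers_needing_attention(rows):
    """Servers whose state is not UP or whose Failure count is non-zero."""
    return [r for r in rows if not r["state"].startswith("UP") or r["failure"] > 0]

if __name__ == "__main__":
    for r in servers_needing_attention(parse_pan_debug(SAMPLE)):
        e = r["error"] or {}
        print(f'{r["server"]} failures={r["failure"]}/{r["sent"]} '
              f'client={e.get("client")} at={e.get("when")} msg={e.get("message")}')
```

Run against periodic captures of the command output, the client address and timestamp from Last Error give the session to look up on the firewall when a user reports a missing User-ID mapping.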



  • 2.  RE: PAN Integration | message:Missing vsys

    Posted Oct 20, 2023 10:49 AM

    It's a long time ago that I last heard about the Palo Alto integration, and I'm not even sure if vsys is supported for the direct integration from the controllers. Many customers use ClearPass, which is more recent. Your best chance may be to open a TAC case. 



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: PAN Integration | message:Missing vsys

    Posted Oct 24, 2023 02:36 AM

    There's no vsys-settings as far as I can tell. But with data redistribution and vsys 1 on the firewall acting as a userid-hub, that's not an issue. It's been working more or less bulletproof for many years. We did use Clearpass/syslog for userid previously, but had a few issues back then. I guess I have to open a TAC case.




  • 4.  RE: PAN Integration | message:Missing vsys

    Posted 26 days ago

    Hi @Palves, did you get an answer for this? I am just finding the same thing.




  • 5.  RE: PAN Integration | message:Missing vsys

    Posted 25 days ago

    I'm afraid not, we never figured it out. We ended up ditching the PAN-integration on the wlan-controllers, using syslog (from the wlan-controllers) and Clearpass for UserID instead.




  • 6.  RE: PAN Integration | message:Missing vsys

    Posted 16 days ago

    Thanks Palves, this sounds like it's too late for you, but Aruba TAC have responded saying that this may be another form of a known bug fixed in 8.10.0.11. I am about to upgrade to 8.10.0.14 so will see if the problem goes away.

    Bug ID AOS-239653 from the ArubaOS 8.10.0.11 Release Notes (arubanetworks.com)

    After disconnecting from a wireless AP using 802.1x secured SSID, some clients were not logged out of the Palo Alto firewall. If the same client tried to connect again with a different username, it caused the controller to not logout the previous username and did not ask for a login for the new username. This caused the firewall not to update host information nor associate with correct firewall policy. The fix ensures the controllers work as expected.
    This issue was observed in controllers running ArubaOS 8.9.0.3 or later versions.