topic Re: The dreaded User-ID, Dynamic TAGS, XMLAPI and Multi-vsys in General Topics https://live.paloaltonetworks.com/t5/general-topics/the-dreaded-user-id-dynamic-tags-xmlapi-and-multi-vsys/m-p/540671#M110890 <P>For what it's worth, I had some weird issues with IP-User mapping and then when I went from CPPM (I believe) 6.8 to 6.9 to 6.10, things mysteriously became better. Aruba didn't have anything to say about it. Now, as far as dynamic tags, I'm re-visiting that.</P> Mon, 01 May 2023 21:12:56 GMT JimRussell 2023-05-01T21:12:56Z The dreaded User-ID, Dynamic TAGS, XMLAPI and Multi-vsys https://live.paloaltonetworks.com/t5/general-topics/the-dreaded-user-id-dynamic-tags-xmlapi-and-multi-vsys/m-p/447103#M100653 <P>Hi Community, my first post so hopefully I am in the right area.</P><P>I am running a multi-vsys setup with 5220's in Active-Active HA and using XMLAPI calls from Aruba ClearPass to send login/logout info as well as tags for use in dynamic object groups. It seems to be hit and miss with tags being registered for clients/IP addresses particularly on one vsys. From ClearPass I send the client info via the External Context Server function to all firewalls and vsys using the data plane and it seems quite random/intermittent with the multi-vsys setup.</P><P>I have been through Aruba TAC for a few weeks now and I also have a case with Palo TAC looking at this also. An original ticket I had with Palo for this, I was sharing user-id between vsys using vsys1 as a user-id Hub, but that does not share dynamic tags info, only user-id so we went with sending the info to each vsys using a data plane interface. It seems to work, but the issue is, its intermittent/random. Most of the time it seems we get the 'login' info to both vsys, but the 'tag' is sometimes not registered with the vsys. I think this is a Palo problem, given we have debugged this to the nth degree on the ClearPass side.</P><P>I am wondering if anyone else out there has used a similar setup? I am running PANOS 10.0.4. I have seen a bunch of user-id updates in future firmware and I have asked the TAC to investigate if anything is related to my problem. Thanks.</P> Thu, 11 Nov 2021 23:05:24 GMT https://live.paloaltonetworks.com/t5/general-topics/the-dreaded-user-id-dynamic-tags-xmlapi-and-multi-vsys/m-p/447103#M100653 gfirth77 2021-11-11T23:05:24Z Re: The dreaded User-ID, Dynamic TAGS, XMLAPI and Multi-vsys https://live.paloaltonetworks.com/t5/general-topics/the-dreaded-user-id-dynamic-tags-xmlapi-and-multi-vsys/m-p/540671#M110890 <P>For what it's worth, I had some weird issues with IP-User mapping and then when I went from CPPM (I believe) 6.8 to 6.9 to 6.10, things mysteriously became better. Aruba didn't have anything to say about it. Now, as far as dynamic tags, I'm re-visiting that.</P> Mon, 01 May 2023 21:12:56 GMT https://live.paloaltonetworks.com/t5/general-topics/the-dreaded-user-id-dynamic-tags-xmlapi-and-multi-vsys/m-p/540671#M110890 JimRussell 2023-05-01T21:12:56Z