Entries in User-ID table show info pushed from XMLAPI never timeout

L2 Linker

Entries in User-ID table show info pushed from XMLAPI never timeout

Hi guys,

My customer previously used XMLAPI to push User-ID info to Palo Alto but they now have an Aruba Clearpass appliance which will be handling all User-ID information via Syslog.

Due to software issues they cannot currently use XMLAPI between Clearpass and Palo Alto as the system has multiple vsys. Now the issue is that there are a lot of entries in the User-ID table from XMLAPI with a timeout of never. They have tried disabling all XMLAPI settings on devices and denying HTTPS traffic from these devices to the Palo Alto, yet whenever they clear the user cache these entries are instantly re-populated. An example is shown below.

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.82.233.137   vsys1  XMLAPI  xxx\176724                       Never          Never
10.83.161.130   vsys1  XMLAPI  xxxc\pcipad                      Never          Never

Has anyone ever seen similar issues?

Thanks,

Cheers,

Mel

L3 Networker

Re: Entries in User-ID table show info pushed from XMLAPI never timeout

Hi Mel.Li,

Did you also clear mp cache? I presume you had been trying to clear only dp logs.

Command to clear mp cache,

>clear user-cache-mp all

Clear dp cache followed by mp clear,

>clear user-cache all

Hope this helps.

Thank You.

L2 Linker

Re: Entries in User-ID table show info pushed from XMLAPI never timeout

Hi Guys,

Thanks for your reply. We did test clearing user information from mp and dp, but the users are still showing up in the User-ID table as XMLAPI.

We have opened a support case with PA TAC.

Will update once the true cause has been found.

Thanks,

Cheers,

Mel

L4 Transporter

Re: Entries in User-ID table show info pushed from XMLAPI never timeout

What version? And are you sure the API is not being updated? The clear command worked for me. You could also add a timeout and send that to all your API-known users; therefore they would time out.

admin@PA-200> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.254.1   vsys1  XMLAPI  dominic                          Never          Never
Total: 1 users

admin@PA-200> clear user-cache all

All entries in user cache removed!

admin@PA-200> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
Total: 0 users

admin@PA-200>
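
Added example (not part of the original posts, and not Palo Alto's own code): one way to act on the "add a timeout" suggestion above is to parse the `show user ip-user-mapping all` output, pick out XMLAPI mappings whose MaxTimeout is Never, and build a User-ID XML API `uid-message` per vsys that either re-registers them with a timeout or logs them out. The function names and sample rows are hypothetical, and the `timeout` attribute is assumed to be in minutes; the script only builds the payload and sends nothing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `show user ip-user-mapping all` output (not from a real device).
SAMPLE = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.254.1   vsys1  XMLAPI  dominic                          Never          Never
192.168.254.7   vsys1  SYSLOG  corp\\alice                       2700           2700
192.168.254.9   vsys2  XMLAPI  corp\\bob                         Never          Never
Total: 3 users
"""

# IP, Vsys, From, User (may contain spaces), IdleTimeout, MaxTimeout
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)\s+(\S+)\s*$")

def stale_xmlapi_entries(cli_output):
    """Return {vsys: [(user, ip), ...]} for XMLAPI mappings that never expire."""
    stale = {}
    for line in cli_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, blank line or "Total:" footer
        ip, vsys, source, user, _idle, max_timeout = m.groups()
        if source == "XMLAPI" and max_timeout == "Never":
            stale.setdefault(vsys, []).append((user, ip))
    return stale

def build_uid_message(entries, timeout_minutes=None):
    """Build a uid-message: re-login with a timeout, or logout when no timeout is given."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    action = ET.SubElement(payload, "login" if timeout_minutes else "logout")
    for user, ip in entries:
        attrs = {"name": user, "ip": ip}
        if timeout_minutes:
            attrs["timeout"] = str(timeout_minutes)  # assumption: minutes
        ET.SubElement(action, "entry", attrs)
    return ET.tostring(msg, encoding="unicode")

if __name__ == "__main__":
    # One message per vsys, since mappings are scoped to a vsys on multi-vsys systems.
    for vsys, entries in stale_xmlapi_entries(SAMPLE).items():
        print(vsys, build_uid_message(entries, timeout_minutes=20))
```

If the Never entries come back after this, the timestamps of their reappearance can be compared against the firewall's logs to identify which client is still pushing mappings.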

L2 Linker

Re: Entries in User-ID table show info pushed from XMLAPI never timeout

Hi Dburns,

The commands work for my customer, but after a while there are user entries showing XMLAPI again in the User-ID table.

Customer confirmed they have removed the API setting. But I will confirm with them again to see what exactly happened.

Thanks for your comments.

Cheers,

Mel
