Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Entries in User-ID table show info pushed from XMLAPI never timeout

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Entries in User-ID table show info pushed from XMLAPI never timeout

L2 Linker

Hi guys,

My customer previously used XMLAPI to push User-ID info to Palo Alto but they now have an Aruba Clearpass appliance which will be handling all User-ID information via Syslog.

Due to software issues they cannot currently use XMLAPI between Clearpass and Palo Alto as the system has multiple vsys. Now the issue is that there are a lot of entries in the User-ID table from XMLAPI with a timeout of never, they have tried disabling all XMLAPI settings on devices and denying HTTPS traffic from these devices to the Palo Alto yet whenever they clear the User cache these entries are instantly re-populated, an example is shown below.

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

10.82.233.137   vsys1  XMLAPI  xxx\176724                 Never          Never

10.83.161.130   vsys1  XMLAPI  xxxc\pcipad              Never          Never

Did anyone have ever seen similar issues?

Thanks,

Cheers,

Mel

6 REPLIES 6

L3 Networker

Hi Mel.Li,

Did you also clear mp cache? I presume you had been trying to clear only dp logs.

Command to clear mp cache,

>clear user-cache-mp all

Clear dp cache followed by mp clear,

>clear user-cache all

Hope this helps.

Thank You.

Hi Guys,

thanks for your reply. We did test to clear user information from mp and dp, but the users are still showing up in the user id table as XMLAPI.

We have opened a support case with PA TAC.

Will update once the true cause has been found.

Thanks,

Cheers,

Mel

What version? And are you sure the API is not being updated? The clear command worked for me. You could also add a timeout and send that to all your api know users therefor they would timeout.

admin@PA-200> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

192.168.254.1   vsys1  XMLAPI  dominic                          Never          Never       

Total: 1 users

admin@PA-200> clear user-cache all

All entries in user cache removed!

admin@PA-200> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

Total: 0 users

admin@PA-200>

Hi Dburns,

The commands works for my customer but after a while there are user entries showing XMLAPI again in the user id table.

Customer confirmed they have removed the API setting. But will confirm with them again to see what exactly happend.

Thanks for your comments.

Cheers,

Mel

Hi,

 

Do you remember the solution for this old issue ?Or does anyone have any idea ?

we are having the same issue now.Thanks

 

Regards

 

L2 Linker

Hi, anyone got the solution for this?  My user entries showing XMLAPI in the place for User-id agents.

  • 6094 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!