Hi Community, my first post, so hopefully I am in the right area. I am running a multi-vsys setup with 5220s in Active-Active HA and using XML API calls from Aruba ClearPass to send login/logout info as well as tags for use in dynamic object groups. It seems to be hit and miss with tags being registered for clients/IP addresses, particularly on one vsys. From ClearPass I send the client info via the External Context Server function to all firewalls and vsys using the data plane, and it seems quite random/intermittent with the multi-vsys setup. I have been through Aruba TAC for a few weeks now and I also have a case with Palo TAC looking at this.

In an original ticket I had with Palo for this, I was sharing User-ID between vsys using vsys1 as a User-ID hub, but that does not share dynamic tag info, only User-ID, so we went with sending the info to each vsys using a data plane interface. It seems to work, but the issue is, it's intermittent/random. Most of the time it seems we get the 'login' info to both vsys, but the 'tag' is sometimes not registered with the vsys. I think this is a Palo problem, given we have debugged this to the nth degree on the ClearPass side.

I am wondering if anyone else out there has used a similar setup? I am running PAN-OS 10.0.4. I have seen a bunch of User-ID updates in future firmware and I have asked the TAC to investigate if anything is related to my problem. Thanks.
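The post describes pushing a login plus a tag to each vsys through the User-ID XML API and seeing the tag land only sometimes. The script below is an added example, not code from the original post, ClearPass or Palo Alto Networks: it builds the same kind of `<uid-message>` (a `<login>` entry and a `<register>` entry with tags), sends it to one vsys using the `vsys=` parameter that scopes a User-ID API call in multi-vsys, and then parses `show object registered-ip all` from that same vsys so you can diff what was sent against what was registered. The hostname, API key, IP, username and tag names are placeholders, and the registered-ip output embedded at the bottom is a constructed sample, not a capture from a firewall.

```python
"""Per-vsys PAN-OS User-ID update with a registered-IP read-back check.

Added example, not code from the original post, ClearPass or Palo Alto
Networks. Host, API key, IP, user and tag names are placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(user, ip, tags, timeout_min=60):
    """Build one <uid-message> that logs `user` in at `ip` and registers `tags` on `ip`."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    register = ET.SubElement(payload, "register")
    entry = ET.SubElement(register, "entry", ip=ip)
    tag = ET.SubElement(entry, "tag")
    for t in tags:
        ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


def registered_ip_cmd():
    """Op command equivalent to `show object registered-ip all` on the selected vsys."""
    return "<show><object><registered-ip><all/></registered-ip></object></show>"


def parse_response_status(xml_text):
    """Return (ok, message) from a PAN-OS API response envelope."""
    root = ET.fromstring(xml_text)
    ok = root.get("status") == "success"
    lines = [el.text for el in root.iter("line") if el.text]
    msg = root.findtext("./msg") or ""
    return ok, " ".join(lines) or msg.strip()


def parse_registered_ip(xml_text):
    """Map ip -> set(tags) from `show object registered-ip` output."""
    result = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        ip = entry.get("ip")
        if ip:
            result[ip] = {m.text for m in entry.iter("member") if m.text}
    return result


def missing_tags(registered_ip_xml, ip, expected):
    """Tags that were sent but that this vsys did not register (the intermittent case)."""
    have = parse_registered_ip(registered_ip_xml).get(ip, set())
    return set(expected) - have


def call_api(host, key, vsys, api_type, cmd, cafile=None):
    """POST one XML API request scoped to `vsys`, verifying TLS (pass cafile for a private CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    body = urllib.parse.urlencode(
        {"type": api_type, "key": key, "vsys": vsys, "cmd": cmd}).encode()
    with urllib.request.urlopen(f"https://{host}/api/", data=body, context=ctx, timeout=15) as r:
        return r.read().decode()


def update_and_verify(host, key, vsys, user, ip, tags, cafile=None):
    """Send login+tags to one vsys, then return the tags that vsys failed to register."""
    raw = call_api(host, key, vsys, "user-id", build_uid_message(user, ip, tags), cafile)
    ok, msg = parse_response_status(raw)
    if not ok:
        raise RuntimeError(f"{vsys}: user-id update failed: {msg}")
    return missing_tags(call_api(host, key, vsys, "op", registered_ip_cmd(), cafile), ip, tags)


# Constructed sample (not a real capture): a vsys where the login arrived
# but only one of the two tags sent for this IP was registered.
SAMPLE_REGISTERED_IP = """<response status="success"><result>
  <entry ip="10.20.30.40" from_agent="0" persistent="1">
    <tag><member>clearpass-healthy</member></tag>
  </entry>
  <count>1</count>
</result></response>"""

if __name__ == "__main__":
    sent = ["clearpass-healthy", "clearpass-byod"]
    print(build_uid_message("corp\\alice", "10.20.30.40", sent))
    print("missing on this vsys:", missing_tags(SAMPLE_REGISTERED_IP, "10.20.30.40", sent))
    # Live use (placeholders): run once per firewall and per vsys, then compare the sets.
    # print(update_and_verify("fw1.example.net", "API_KEY", "vsys2", "corp\\alice", "10.20.30.40", sent))
```

Run `update_and_verify` against each firewall and each vsys with the same user, IP and tag list and keep the returned sets per vsys; the read-back can lag the update slightly, so retry the op call after a short delay before treating a tag as lost. Pairing this with `show user ip-user-mapping` on the same vsys separates the login side (which the post says usually arrives) from the tag side (which is what goes missing), and gives TAC a concrete send/registered pair per vsys rather than a description of intermittent behaviour.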