Executing 'clear user-cache' for a Specific Captive Portal User... - Knowledge Base - Palo Alto Networks

Executing 'clear user-cache' for a Specific Captive Portal User IP Address Does Not Completely Clear

Created On 09/26/18 13:49 PM - Last Modified 06/07/23 17:18 PM




Issue

When the command clear user-cache is executed for a specific IP address, it clears the user from the dataplane but not from the management plane. This behavior seems to happen when testing clear user-cache on a Captive Portal user to verify that the user gets redirected to the Captive Portal page. The three steps below show the behavior:

 

  1. View the initial IP-user-mapping:
    > show user ip-user-mapping all
    IP       Vsys   From  User   IdleTimeout(s) MaxTimeout(s)
    -------  -----  ----  -----  -------------- -------------
    1.1.1.1  vsys3  CP    user1  895            3449
    1.1.1.2  vsys3  CP    user2  876            2912
    Total: 2 users

  2. Execute the clear user-cache command:
    > clear user-cache ip 1.1.1.1

    > show user ip-user-mapping all
    IP       Vsys   From  User   IdleTimeout(s) MaxTimeout(s)
    -------  -----  ----  -----  -------------- -------------
    1.1.1.2  vsys3  CP    user2  859            2895
    Total: 1 users

  3. When user1 requests the page again in a browser, it redirects, but this time without user1 providing any credentials through NTLM or on the Captive Portal redirect.
    The device shows that user1 is still listed as a (Captive Portal) user:
    > show user ip-user-mapping all
    IP       Vsys   From  User   IdleTimeout(s) MaxTimeout(s)
    -------  -----  ----  -----  -------------- -------------
    1.1.1.2  vsys3  CP    user2  897            2873
    1.1.1.1  vsys3  CP    user1  897            3410

 

Resolution

To avoid waiting for the TTL to expire while a test is being performed, execute the following commands and run the test again:

When executing these commands in a multi-vsys setup, first change the mode into the vsys.

  1. > set system setting target-vsys <vsys>
  2. > clear user-cache-mp ip x.x.x.x
  3. > clear user-cache ip x.x.x.x (DP)

 

Note: The CLI command clear user-cache all does not have any issues, for example:

  1. > set system setting target-vsys <vsys>
  2. > clear user-cache all
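
To check from saved CLI output whether a cleared mapping came back without re-authentication (the behavior in the Issue section), the three captures can be compared as below. This is an added example, not Palo Alto Networks code: the function names and result labels are hypothetical, the captures are the outputs from this article embedded as constructed sample data, and the MaxTimeout comparison is an assumed heuristic.

```python
import re

# Constructed captures: the three 'show user ip-user-mapping all' outputs from this article.
BEFORE = """\
IP       Vsys   From  User   IdleTimeout(s) MaxTimeout(s)
-------  -----  ----  -----  -------------- -------------
1.1.1.1  vsys3  CP    user1  895            3449
1.1.1.2  vsys3  CP    user2  876            2912
Total: 2 users
"""
AFTER_CLEAR = """\
IP       Vsys   From  User   IdleTimeout(s) MaxTimeout(s)
1.1.1.2  vsys3  CP    user2  859            2895
Total: 1 users
"""
AFTER_REQUEST = """\
IP       Vsys   From  User   IdleTimeout(s) MaxTimeout(s)
1.1.1.2  vsys3  CP    user2  897            2873
1.1.1.1  vsys3  CP    user1  897            3410
"""

# One mapping row: IPv4, vsys, source, user, idle TTL, max TTL.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_mappings(text):
    """Map each IP in the CLI output to its user and timers; headers and totals are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, vsys, source, user, idle, max_ttl = m.groups()
            rows[ip] = {"vsys": vsys, "from": source, "user": user,
                        "idle": int(idle), "max": int(max_ttl)}
    return rows

def classify_clear(ip, before, after_clear, after_request):
    """Classify what happened to one IP across the three captures."""
    b, c, r = (parse_mappings(t).get(ip) for t in (before, after_clear, after_request))
    if b is None:
        return "not-mapped"
    if c is not None:
        return "still-mapped-after-clear"
    if r is None:
        return "cleared"
    # Assumption: a new login restarts MaxTimeout, so a lower value than before
    # the clear means the old mapping came back without re-authentication.
    if r["user"] == b["user"] and r["max"] < b["max"]:
        return "restored-without-reauth"
    return "re-authenticated"
```

For the article's captures, 1.1.1.1 is classified as restored-without-reauth; after the commands in the Resolution section, a repeat of the test should show the IP either absent or re-authenticated.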

 

owner: acamacho


