When the command clear user-cache is executed for a specific IP address, it clears the user from the dataplane, but not from the management plane. This behavior seems to happen when testing the clear user-cache of a Captive Portal user to verify that the user gets redirected to the Captive Portal page. Below are three examples of its behavior:
View the initial IP-user-mapping:
> show user ip-user-mapping all
IP       Vsys   From  User   IdleTimeout(s)  MaxTimeout(s)
------- ------ -------- -------------- -------------
1.1.1.1  vsys3  CP    user1  895             3449
1.1.1.2  vsys3  CP    user2  876             2912
Total: 2 users
Execute the clear user-cache command:
> clear user-cache ip 1.1.1.1
> show user ip-user-mapping all
IP       Vsys   From  User   IdleTimeout(s)  MaxTimeout(s)
------- ------ -------- -------------- -------------
1.1.1.2  vsys3  CP    user2  859             2895
Total: 1 users
When user1 requests the page again in a browser, it redirects, but this time without user1 providing any credentials through NTLM or on the Captive Portal redirect. The device shows that user1 is still listed as a (Captive Portal) user:
> show user ip-user-mapping all
IP       Vsys   From  User   IdleTimeout(s)  MaxTimeout(s)
------- ------ -------- ------------- -------------
1.1.1.2  vsys3  CP    user2  897             2873
1.1.1.1  vsys3  CP    user1  897             3410
Resolution
To avoid waiting for the TTL to expire while a test is being performed, execute the following commands and run the test again:
When executing these commands in a multi-vsys setup, first switch the CLI to the target vsys.
> set system setting target-vsys <vsys>
> clear user-cache-mp ip x.x.x.x
> clear user-cache ip x.x.x.x (DP)
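To confirm whether a clear actually removed a mapping, the three captures can be compared mechanically. The following is an added example, not part of the original article or any vendor tooling: the function names and verdict strings are hypothetical, and it assumes that a fresh Captive Portal login restarts MaxTimeout, so a value that kept counting down means the old mapping was restored.

```python
import re

# One mapping row: IP, vsys, source, user, idle timeout, max timeout.
# \s* after the IP tolerates rows where the first two columns run together.
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s*(vsys\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_mappings(text):
    """Map IP -> (user, max_timeout) from 'show user ip-user-mapping all' output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, separator and 'Total:' lines do not match
            rows[m.group(1)] = (m.group(4), int(m.group(6)))
    return rows

def clear_verdict(before, after_clear, after_retest, ip):
    """Classify what happened to `ip` across the three captures."""
    b, c, r = (parse_mappings(t).get(ip)
               for t in (before, after_clear, after_retest))
    if b is None:
        return "not-mapped"
    if c is not None:
        return "not-cleared"
    if r is None:
        return "cleared"
    # Assumption: a new login restarts MaxTimeout. Same user with a timer that
    # only counted down means the mapping came back without authentication.
    if r[0] == b[0] and r[1] <= b[1]:
        return "restored-without-login"
    return "reauthenticated"

# Rows taken from the three outputs shown above on this page.
BEFORE = """\
1.1.1.1 vsys3 CP user1 895 3449
1.1.1.2 vsys3 CP user2 876 2912
Total: 2 users"""
AFTER_CLEAR = """\
1.1.1.2 vsys3 CP user2 859 2895
Total: 1 users"""
AFTER_RETEST = """\
1.1.1.2 vsys3 CP user2 897 2873
1.1.1.1vsys3 CP user1 897 3410"""

if __name__ == "__main__":
    print(clear_verdict(BEFORE, AFTER_CLEAR, AFTER_RETEST, "1.1.1.1"))
```

A verdict of restored-without-login for the cleared IP matches the behavior described above; after running both clear commands the expected verdict on retest is reauthenticated.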
Note: The CLI command clear user-cache all does not have any issues, for example: