KB43640 - Palo Alto Firewall acting as an enforcer returns error "No multiusersystem configured"

Last Modified Date: 10/18/2018 6:50 PM
Synopsis
This article describes an issue where a Palo Alto firewall returns an error message of "No multiuser system configured" when acting as an enforcer.
Problem or Goal
An issue has been discovered with Palo Alto firewalls running PAN-OS 8.0.6 or later that act as enforcers. When the PPS attempts to remove an auth table entry, the Palo Alto firewall does remove the entry but returns an error containing the message "No multiusersystem configured". The PPS interprets this error to mean that the auth table has not been removed, so it retains the now stale auth table entry in memory. Over time, the list of auth tables can become so large that reconciliation between the PAN firewall and the PPS fails to complete properly. This can result in stability issues on the PPS as it tries to reconcile over and over; in some cases, new auth tables will not be provisioned.

In short, if you are seeing the "No multiusersystem configured" message in your PPS event log, you will likely experience an outage unless corrective steps are taken.
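
The following is an added example, not part of the original article or of any vendor tooling: a small scanner that reports how often and when the error appears in an exported PPS event log. The line layout (timestamp prefix, host and firewall names) is an assumption and the sample lines are constructed; the pattern accepts both spellings of the message used in this article.

```python
import re
from collections import Counter

# Matches both spellings that appear in the article:
# "No multiusersystem configured" and "No multiuser system configured".
ERROR_RE = re.compile(r"no\s+multiuser\s*system\s+configured", re.IGNORECASE)
# Assumed line layout: ISO-style date and time first, free text after it.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})")

# Constructed sample lines, not real PPS output.
SAMPLE_LOG = """\
2018-10-01 09:14:02 pps01 enforcer fw-a: auth table removal failed: No multiusersystem configured
2018-10-01 09:14:05 pps01 enforcer fw-a: auth table provisioned for user alice
2018-10-01 11:40:51 pps01 enforcer fw-a: error: No multiuser system configured
2018-10-02 08:02:17 pps01 enforcer fw-a: auth table removal failed: no multiusersystem configured
this line has no timestamp but still says No multiusersystem configured
""".splitlines()


def scan_event_log(lines):
    """Summarise occurrences of the error in an exported event log."""
    per_day = Counter()
    first = last = None
    total = 0
    for line in lines:
        if not ERROR_RE.search(line):
            continue
        total += 1
        ts = TS_RE.match(line)
        if ts is None:
            per_day["unknown"] += 1  # counted, but it cannot be dated
            continue
        stamp = f"{ts.group(1)} {ts.group(2)}"
        per_day[ts.group(1)] += 1
        # These timestamps sort lexicographically, so string comparison is enough.
        first = stamp if first is None or stamp < first else first
        last = stamp if last is None or stamp > last else last
    return {"total": total, "first": first, "last": last, "per_day": dict(per_day)}


if __name__ == "__main__":
    summary = scan_event_log(SAMPLE_LOG)
    print(summary)
    if summary["total"]:
        print("Error present: the PPS is likely retaining stale auth table entries.")
```
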
 
Cause
This issue occurs because a non-configurable attribute in the REST API call that the PPS sends to remove an existing auth table triggers the error response from the PAN firewall.
Solution

To resolve this issue, please upgrade to the following releases:

  • Pulse Policy Secure 5.4R6 and above
  • Pulse Policy Secure 9.0R1 and above

Workaround:

If an upgrade is not possible, purge the auth table database on the PPS by removing and re-adding the Palo Alto firewall.

Note: There is no way to view the size of the auth table list on the PPS at this time.

Created By: Brian Pimentel