topic Re: PDP/PEP Identity Sharing Not In Sync? in Firewall and Security Management

PDP/PEP Identity Sharing Not In Sync?

Daniel_Taney — Mon, 22 Apr 2019 19:38:20 GMT

I will likely open a TAC case on this, but we noticed today that one GW using identity sharing today seems to not be fully in sync with the PDP. For example, if I run pep show user all |grep <username> on the PDP, I am able to see a record existing for that user. However, when I go to the GW acting as the PEP, the same command returns no entries. It seems completely random as to the users impacted, but it is definitely messing with some App Control rules from working!

I've tried using pdp update all and pdp control sync to try to force updates. I have also tried pushing policy again to both GW. Has anyone else ever seen this? Are they any other commands or troubleshooting recommended before possibly engaging TAC?

From the PDP Gateway:
pep show pdp all
Command: root->show->pdp->all
-----------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-----------------------------------------------------------------------
| Incoming | 127.0.0.1 | 0 | Connected | 460 | 21Feb2019 6:16:33 |
-----------------------------------------------------------------------

From the PEP Gateway with Identity Sharing enabled to sync identities with the GW above:
pep show pdp all
Command: root->show->pdp->all
-------------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-------------------------------------------------------------------------
| Incoming | IP OF PDP GW | 0 | Connected | 391 | 8Apr2019 5:25:44 |
-------------------------------------------------------------------------
| Incoming | 127.0.0.1 | 0 | Connected | 0 | 8Apr2019 5:16:48 |
-------------------------------------------------------------------------
| Outgoing | IP OF PDP GW | 0 | Connected | N/A | 8Apr2019 5:17:08 |
-------------------------------------------------------------------------

Re: PDP/PEP Identity Sharing Not In Sync?

PhoneBoy — Tue, 23 Apr 2019 02:18:10 GMT

That's definitely TAC case territory.
Version/JHF level?

Re: PDP/PEP Identity Sharing Not In Sync?

Daniel_Taney — Tue, 23 Apr 2019 12:35:32 GMT

Both PDP and PEP are R80.20, Take 47

Re: PDP/PEP Identity Sharing Not In Sync?

Nik_Bloemers — Mon, 19 Aug 2019 14:23:41 GMT

Did you find a solution for this?

Re: PDP/PEP Identity Sharing Not In Sync?

Ryan_Ryan — Tue, 17 Sep 2019 06:23:26 GMT

We had a similar issue. It was due to two separate clusters both doing ADquery and both clusters also set to share identities with each other. Caused random users to get dropped off every now and then.

Re: PDP/PEP Identity Sharing Not In Sync?

Nenad_D — Fri, 24 Apr 2020 10:45:34 GMT

@Ryan_Ryan How did you solve the issue with doing AD query on multiple clusters and sharing with each other?

Or rather is it not the correct configuration from design point of view?

We are facing a similar issue....

Thanks for your feedback!

Best Regards

Nenad

Re: PDP/PEP Identity Sharing Not In Sync?

Ryan_Ryan — Mon, 27 Apr 2020 22:01:30 GMT

You must choose either one of these methods (and not mix them)

1) One gateway does AD Query and set to share to all other gateways (no ADquery on the other gateways)

2) all gateways do ADquery and all sharing is disabled

We went with option 1. Then we still had an issue where one or two users only (and always same users) would be present in PDP but not pep at random times, So issue was not completely fixed, we then installed take 141 (r80.20) which has some fixes for PEP out of sync and so far. issue has not returned so far..

Re: PDP/PEP Identity Sharing Not In Sync?

Nenad_D — Tue, 28 Apr 2020 07:51:36 GMT

@Ryan_Ryan Thanks very much for your feedback! I will give it a try...

Re: PDP/PEP Identity Sharing Not In Sync?

LaRockas — Mon, 04 May 2020 20:14:55 GMT

@Nenad_D Also we have a setup with separate PDP gateways (2 x PDP -With Cluster Setup ) for ADQ and another set (2 xPDP With Cluster Setup) for the IDC .

We have mixed environment of older Win2003 servers and we wanted to separate the WMI process with the IDC . We do identity sharing with the VS we have , using the cluster ips of the PDPs (one cluster ip for ADQ & one cluster ip for IDC ) .

It seems to work good , except some problems with users that do not shut down the PCs , so we don't have log in/out security logs .Also we have noticed some times that the PDPs know a user , but the PEP not . Usually with pdp control sync it works .

Best Regards

Prodromos