topic Re: 1550 identity sharing and drops from failed identity lookups? in Spark Firewall (SMB)

1550 identity sharing and drops from failed identity lookups?

Shawn_Fletcher — Fri, 17 Jan 2020 23:42:00 GMT

I've deployed 2 1550 appliances so far with permanent vpn tunnels to 21800. Both have required rules to bypass app control to get working due to errors like this on fw ctl zedebug drop

Example - this drops

@;745809;26Nov2019 20:32:25.035701;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 172.18.50.12:64344 -> Pxxx.xxx.xxx.xxx:53 dropped by fwhold_expires Reason: held chain expired;

Even with bypass rules for App control i constantly get identity fetch failed which appears to drop some traffic - even though SmartLog doesnt reflect.... (i'm having VOIP issues, this example below is a VOIP phone/VOIP server communication)

@;10284017;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;

The idea would be the 21800 central gateway uses Identity Collector Server with ISE to get identities and then share them to remote site gateways (R80.20 embedded doesn't support identity collector - that would have been nice)

on 21800 (running R80.20 jumbo 103

pdp connections pep shows

on 1550 - some network info has come over - so it must have connected at some point

pep show network pdp
Trying to run main_pep
--------------------------------------------------------
| Network | Mask | Related PDPs |
--------------------------------------------------------
| 172.28.138.0 | 255.255.255.0 | <21800IP,0>; |
--------------------------------------------------------

(and many more network lines)

pep show network registration
Trying to run main_pep
------------------
| Network | Mask |
------------------

nothing

pep sh user all
Trying to run main_pep
Command: root->show->user->all
ID (PDP; UID) Username@Machine CID (IP, PacketID) PT
=============================================================================================================

nothing

So far nothing but issues with 1550's compared to 1450's... a bit dissapointed....

Anyways open to any ideas since SMB appliance issues never seem to be a priority for TAC... thx

Re: 1550 identity sharing and drops from failed identity lookups?

Greg_Harbers — Tue, 30 Jun 2020 00:14:55 GMT

Hi Shawn,

Did you get a resolution to this issue? We seem to be having a very similar problem with some 1550s not learning IDs from a sharing gateway.

Thanks

Greg

Re: 1550 identity sharing and drops from failed identity lookups?

Shawn_Fletcher — Tue, 30 Jun 2020 03:09:22 GMT

we spent some time with TAC on this , but they weren't able to replicate in the LAB.

we decided to deploy a 3100 appliance with full Gaia and compatible with identity collector then to keep working on this. Sounds like it wasn't isolated to our environment though - we had 1450's with the identical configuration that worked fine, but the 1550 model just seemed to be problematic as soon as we deployed it.

Re: 1550 identity sharing and drops from failed identity lookups?

Greg_Harbers — Tue, 30 Jun 2020 03:14:53 GMT

Thanks for the reply,

the customer has purchased about 10 of these appliances, so replacing with 3100s is not an option. And yes, they have about 30+ 1450/1490s working just fine with the same configuration

Re: 1550 identity sharing and drops from failed identity lookups?

HristoGrigorov — Tue, 30 Jun 2020 03:34:23 GMT

I know this is supposed to happen automatically but what about if you add both gateways' external IPs to VPN encryption domain ?

Re: 1550 identity sharing and drops from failed identity lookups?

Greg_Harbers — Mon, 07 Sep 2020 10:40:23 GMT

FYI, after some time working with Check Point R&D, they eventually managed to replicate the issue within their environment. From that, we have received build 477 of R80.20.10 for the 1500s and this has resolved the Identity Sharing issue.