
PDP/PEP Identity Sharing Not In Sync?

I will likely open a TAC case on this, but we noticed today that one GW using identity sharing seems to not be fully in sync with the PDP. For example, if I run pep show user all |grep <username> on the PDP, I am able to see a record existing for that user. However, when I go to the GW acting as the PEP, the same command returns no entries. It seems completely random as to the users impacted, but it is definitely keeping some App Control rules from working!

I've tried using pdp update all and pdp control sync to try to force updates. I have also tried pushing policy again to both GWs. Has anyone else ever seen this? Are there any other commands or troubleshooting steps recommended before possibly engaging TAC?

From the PDP Gateway:
pep show pdp all
Command: root->show->pdp->all
-----------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-----------------------------------------------------------------------
| Incoming | 127.0.0.1 | 0 | Connected | 460 | 21Feb2019 6:16:33 |
-----------------------------------------------------------------------

From the PEP Gateway with Identity Sharing enabled to sync identities with the GW above:
pep show pdp all
Command: root->show->pdp->all
-------------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-------------------------------------------------------------------------
| Incoming | IP OF PDP GW | 0 | Connected | 391 | 8Apr2019 5:25:44 |
-------------------------------------------------------------------------
| Incoming | 127.0.0.1 | 0 | Connected | 0 | 8Apr2019 5:16:48 |
-------------------------------------------------------------------------
| Outgoing | IP OF PDP GW | 0 | Connected | N/A | 8Apr2019 5:17:08 |
-------------------------------------------------------------------------
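
The comparison described in the post above, as an added example that is not part of the original post: a script that reads saved `pep show pdp all` output from both gateways and reports how many identities the PDP holds beyond what the PEP received from it. The function names are hypothetical, the sample tables are the two outputs quoted above with the separator rows dropped, and treating the two counts as comparable is an assumption, so a nonzero gap is only a prompt to compare per-user records.

```shell
#!/bin/bash
# Added example: compare identity counts from saved `pep show pdp all` output.
# Sample tables are the outputs quoted in the post; on a real gateway the IP
# column holds an address instead of the "IP OF PDP GW" placeholder.

pdp_side='| Direction | IP | ID | Status | Users | Connect time |
| Incoming | 127.0.0.1 | 0 | Connected | 460 | 21Feb2019 6:16:33 |'

pep_side='| Direction | IP | ID | Status | Users | Connect time |
| Incoming | IP OF PDP GW | 0 | Connected | 391 | 8Apr2019 5:25:44 |
| Incoming | 127.0.0.1 | 0 | Connected | 0 | 8Apr2019 5:16:48 |
| Outgoing | IP OF PDP GW | 0 | Connected | N/A | 8Apr2019 5:17:08 |'

# users_for TABLE DIRECTION IP -> Users column of the matching Connected row.
# Prints nothing and returns 1 if no row matches or the count is not numeric (N/A).
users_for() {
  printf '%s\n' "$1" | awk -F'|' -v dir="$2" -v ip="$3" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 7 && trim($2) == dir && trim($3) == ip && trim($5) == "Connected" {
      u = trim($6)
      if (u ~ /^[0-9]+$/) { print u; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# sync_gap PDP_TABLE PEP_TABLE PDP_IP -> identities on the PDP (its local
# 127.0.0.1 session) minus identities the PEP received from that PDP.
# Returns 2 if either count cannot be read.
sync_gap() {
  sg_have=$(users_for "$1" Incoming 127.0.0.1) || return 2
  sg_got=$(users_for "$2" Incoming "$3") || return 2
  echo $(( sg_have - sg_got ))
}

gap=$(sync_gap "$pdp_side" "$pep_side" "IP OF PDP GW") &&
  echo "PDP holds $gap more identities than the PEP received from it"
```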

Admin
Admin

Re: PDP/PEP Identity Sharing Not In Sync?

That's definitely TAC case territory.
Version/JHF level?

Re: PDP/PEP Identity Sharing Not In Sync?

Both PDP and PEP are R80.20, Take 47


Re: PDP/PEP Identity Sharing Not In Sync?

Did you find a solution for this?
Ryan_Ryan
Copper

Re: PDP/PEP Identity Sharing Not In Sync?

We had a similar issue. It was due to two separate clusters both doing ADquery and both clusters also set to share identities with each other. Caused random users to get dropped off every now and then.

 

 
