KM1895
Collaborator

PEP not enforcing all roles

hi,

We are currently experiencing issues with Identity Awareness. PEP gateways aren't enforcing access roles for all users. This seems to be affecting varying numbers of users, and a workaround has been to restart the pep daemon, which is not a proper fix.

 

The setup is pretty standard, with 3 PDP gateways feeding identities to some PEP gateways. This has been working quite well, but last week we noticed an increase in users losing access to resources where the rules are based on access roles.

The identity source is Identity Collector, and service accounts are excluded. The Identity Collectors appear to be working fine, and I see plenty of events being registered, same with users and machines.

Not sure if there are problems with the cache, time to live or other settings? What would be the potential risk of changing any of these values, and if so, are there any recommendations on what to set?

 

We are running R81.10, T66.

Vincent_Bacher
Advisor

Hi,

Did you check, for the problematic users, whether the session is visible at the PEP using pep s u q usr <loginname>?
If yes, are the roles listed? If not, do you see any role calculation issues maybe with AD controllers?

br

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
KM1895
Collaborator

hi,

I haven't checked, but I think someone else checked this earlier. We are suspecting full PDP and PEP kernel tables, as the gateways are still on the default 30.000. The main PDP currently has 42k identified users and machines, so we will probably try to expand these and clear the tables.

Vincent_Bacher
Advisor

Yes, I would then also recommend extending the tables. We have this issue as well whenever we forget to set the table sizes accordingly when deploying new devices using IA.

Vincent_Bacher
Advisor

Just in case, what I am usually setting:

ia_max_authenticated_users = 200000
ia_max_enforced_identities = 200000

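To make the table sizes Vincent lists above persistent across reboots, the values need to land in the gateway's kernel parameter file rather than only being set live. The following is an added example, not code from the thread or from Check Point: it assumes the parameters are the lowercase kernel names ia_max_authenticated_users (PDP side) and ia_max_enforced_identities (PEP side), stored as name=value lines in $FWDIR/boot/modules/fwkern.conf and read at boot, and it validates the value and edits idempotently so a re-run never duplicates a line.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: IA table sizes are the
# kernel parameters ia_max_authenticated_users and ia_max_enforced_identities,
# kept as name=value lines in $FWDIR/boot/modules/fwkern.conf (read at boot).
# Check the parameter names against the documentation for your release.

# set_kernel_param FILE NAME VALUE
# Replaces an existing NAME=... line or appends one; creates FILE if missing.
# Rejects anything that is not a plain positive integer so a typo cannot
# leave the gateway with an unparsable table size.
set_kernel_param() {
  file=$1; name=$2; value=$3
  case "$value" in
    ''|*[!0-9]*) echo "value must be a positive integer: '$value'" >&2; return 1 ;;
  esac
  [ -f "$file" ] || : > "$file"
  if grep -q "^${name}=" "$file"; then
    # edit via a temp file so a failed sed never truncates the real file
    sed "s/^${name}=.*/${name}=${value}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$name" "$value" >> "$file"
  fi
}

# get_kernel_param FILE NAME
# Prints the configured value (last occurrence wins), empty if unset.
get_kernel_param() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# apply_ia_table_sizes FILE VALUE
# Sets both IA table parameters to VALUE (both PDP and PEP tables, matching
# the thread's 200000/200000 recommendation).
apply_ia_table_sizes() {
  set_kernel_param "$1" ia_max_authenticated_users "$2" &&
  set_kernel_param "$1" ia_max_enforced_identities "$2"
}

# Typical use on a gateway (path is an assumption, see above):
# apply_ia_table_sizes "$FWDIR/boot/modules/fwkern.conf" 200000
```

Sizing the tables well above the number of identified users and machines the main PDP currently holds (42k in the thread) is the point; the new size only applies once the kernel re-reads the file.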
the_rock
Legend

I attached the debug procedure TAC gave me a while ago for PDP/PEP debugs, so it might be worth doing those (well, just PEP in your case).

Andy

Vincent_Bacher
Advisor

In addition, because of the possibly very high amount of logs, I increase the log size and the number of rotated .elg files before starting the debug and reset them afterwards.

Before:

fw debug fwd off PDP_LOG_SIZE=50000000
fw debug fwd off PDP_NUM_LOGS=20
fw debug fwd off PEP_LOG_SIZE=50000000
fw debug fwd off PEP_NUM_LOGS=20

fw kill pdpd
fw kill pepd

After:

fw debug fwd off PDP_LOG_SIZE=10000000
fw debug fwd off PDP_NUM_LOGS=10
fw debug fwd off PEP_LOG_SIZE=10000000
fw debug fwd off PEP_NUM_LOGS=10

fw kill pdpd
fw kill pepd