This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
konecnyl
Participant
‎2026-01-27 04:15 AM

R82 – Identity Awareness: Missing PEP network registration (/28 not registered), identities not tran

 

Hi everyone,
I’m dealing with a persistent Identity Awareness issue on R82 (JHF60). I would appreciate help verifying whether this is a configuration issue, cache issue, or a known IA bug.

Problem description

For several users located in specific /28 networks, PDP correctly detects both machine and user identity, but PEP does not register the corresponding network segment, and therefore the identity is never pushed to the PEP.

Symptoms:

  • PDP sees user + machine, roles, AD groups.

  • PDP shows that the /28 subnet is registered on 2 gateways.

  • PEP does NOT show this /28 in pep show network registration.

  • As a result, traffic from these users triggers Captive Portal redirects, even though the Identity Agent is installed and AD identities are valid.

  • This happens only on some subnets (e.g., 10.xx.xx.14/28), while others (e.g., 10.xx.xx.16/28) work correctly.

This already affected several users across different subnets (10.xx.xx.13, 10.xx.x.103, 10.xx.xx.67).

What I already did

✔ Restarted pepd (fw kill pepd)

→ No change; PEP still does not show the /28 subnet.

✔ Increased PDP caches (kbuf, ldap_cache, sessions_cache)

→ PDP load resolved, cache no longer full.

✔ Upgraded to R82 JHF Take 60

→ Issue persists.

✔ Enabled debug on both PDP and PEP

→ No new entries in pepd.elg related to this network range.

✔ Verified with Identity Agent installed on endpoint

→ Identity still not propagated to PEP.

✔ Verified traffic logs

→ PEP falls back to Captive Portal (“Redirect to CaptivePortal”), showing identity was not mapped.

✔ SmartConsole Diagnostics

 

 
Identity Awareness – Sharing mechanism error inx invalid type (0)

 

Checked sk63264, but symptoms do not fully match.

CLI diagnostics (shortened)

On PDP:

pdp network info → PDP knows the /28
pdp network registered → PDP thinks the PEP is registered
pdp monitor ip X.Y.Z.14 → user + machine identity present, published to the correct gateway

On PEP:

pep show network registration → no entry for the /28 subnet
→ This is the core issue.

Possible related issues

  • Possible incorrect identity-sharing registry state (PDP believes PEP registered, PEP does not)

  • Identity Cache Mode in R82 holding PEP in a “no identity for this subnet” cached state

  • Rare identity sharing bug similar to sk134054

  • Misalignment of registration paging (registered_users_page_size, though not modified)

  • PEP cutting the identity because the network is not mapped

Questions for the community

  1. Has anyone seen a situation where PDP shows a registered subnet, but PEP never lists it?

  2. Could Identity Cache Mode in R82 preserve a “broken” or empty network registration state?

  3. How do you properly force a full rebuild of PEP network registrations, beyond pep cache clear and pdp control full_update?

  4. Is the "inx invalid type (0)" error in diagnostics a sign of an underlying identity sharing issue?

  5. Is this consistent with any known IA bugs affecting PDP→PEP propagation in R82/JHF?

  6. Any recommended debug flags for pepd/pdpd specifically targeting network registration failures?

Happy to share more logs (pepd.elg, pdpd.elg, SmartConsole logs) if needed.

Thanks in advance for any hints or experience!

Preview file
104 KB
Preview file
80 KB
Preview file
193 KB
Preview file
15 KB
Preview file
52 KB
Preview file
108 KB
Preview file
187 KB
Preview file
157 KB
0 Kudos
13 Replies
the_rock
MVP Diamond
MVP Diamond
‎2026-01-27 04:19 AM

Have you tried restarting pepd?

https://support.checkpoint.com/results/sk/sk97638

Apologies, just saw in your post that you did...you dont see anything related to this in the debug? Mind attaching it here?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
konecnyl
Participant
‎2026-01-27 04:23 AM
In response to the_rock

Yes, I tried restarting pepd, see topic.

the_rock
MVP Diamond
MVP Diamond
‎2026-01-27 04:40 AM
In response to konecnyl

Right, my apologies...are you able to upload the debug and provide affected IP/subnet? I would be happy to review it offline.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-27 04:41 AM
In response to konecnyl

By the way, what does below show?

pep show network registration

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2026-01-27 05:36 AM

 

I'm sitting in the waiting room at the doctor's and haven't read everything, but I always do this for debugging.

before:

 

fw debug fwd off PDP_LOG_SIZE=50000000
fw debug fwd off PDP_NUM_LOGS=20
fw debug fwd off PEP_LOG_SIZE=50000000
fw debug fwd off PEP_NUM_LOGS=20

fw kill pdpd
fw kill pepd


after


fw debug fwd off PDP_LOG_SIZE=10000000
fw debug fwd off PDP_NUM_LOGS=10
fw debug fwd off PEP_LOG_SIZE=10000000
fw debug fwd off PEP_NUM_LOGS=10

fw kill pdpd
fw kill pepd
and now to something completely different -

 

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Vincent_Bacher
MVP Silver
MVP Silver
‎2026-01-27 06:01 AM
In response to Vincent_Bacher

Sorry, this was only the part to set log size and number of rotations. Will have to search for the debug commands

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-27 06:08 AM
In response to Vincent_Bacher

There is link for pep debug in below link.

https://support.checkpoint.com/results/sk/sk97638

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2026-01-27 06:45 AM
In response to the_rock

Ah, thank you! I would also adjust the rotation and loh size as I mentioned above, because otherwise, depending on the scenario, the essential information can quickly be overwritten.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-27 06:46 AM
In response to Vincent_Bacher

Totally. Personally though, I always like to verify those things with TAC, though Im extra careful when it comes to kernel debugs.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2026-01-27 07:09 AM
In response to the_rock

I totally understand, it's so important to be super careful when debugging, and I really recommend getting in touch with TAC if you don't have CP staff available all the time.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-27 07:23 AM
In response to Vincent_Bacher

100% safest thing to do. Please get well mate.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2026-01-28 02:29 AM
In response to the_rock

As I did pdpd/pepd debug many times b4 I would just do it. 😉

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Diamond
MVP Diamond
‎2026-02-02 07:35 PM

Hey @konecnyl 

Any luck with this?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events