bibinpaul
Participant

Identity Sharing with MDPS enabled + Maestro

Hi All,

Good day!!

In one of my recent deployments, I enabled MDPS on a Maestro SG running R80.30SP, JHF take 97.

Identity Sharing stopped working after enabling MDPS. The Maestro SG is the PEP.

From the PDP and PEP logs, the connection initiated to the mplane is getting disconnected.

Has anyone observed this kind of behavior with Maestro when MDPS is enabled?

 

Thanks and Regards

Bibin

0 Kudos
6 Replies
G_W_Albrecht
Legend

sk138672 Management Data Plane Separation: Do not configure non-Management operations on the Management plane network. Examples of non-Management operations: DNS, Proxy, DHCP, and Software Blade portals.

I would assume that IA Identity Sharing is a non-Management operation...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
bibinpaul
Participant

Thanks Albrecht,

I could see the dplane and mplane interfaces of the Maestro SG from the PDP gateway. Somehow it does so automatically.

The Maestro SG is identified at the management server through the mplane interface, and hence when we configure Identity Sharing, while selecting the gateway it lists the Firewall/SG object identified using the mplane interface IP.

 

Is there any way we could configure Identity Sharing to connect to the dplane and not to the mplane? One way I could think of is adding the SG to the management server using the dplane interface, which defeats the purpose of MDPS.

 

[Expert@gw0011:0]# pdp connections pep
----------------------------------------------------------------------------------------------------------------
| Direction | IP | Port | Name | Type | Status | Location | IPv6 Supported |
----------------------------------------------------------------------------------------------------------------
| Incoming | 10.x.x.x | 28581 | sgfw001 | Single Gateway | Connected | Remote | No | -> dplane interface (SG)
----------------------------------------------------------------------------------------------------------------
| Outgoing | 10.y.y.y | 15105 | sgfw001 | Single Gateway | Disconnected | Remote | Yes | -> mplane interface (SG)
----------------------------------------------------------------------------------------------------------------
| Outgoing | 127.0.0.1 | 15105 | sgfwclu0001 | Cluster | Connected | Locally | No |
----------------------------------------------------------------------------------------------------------------
| Outgoing | 10.x.x.y | 15105 | sgfw001 | Single Gateway | Connected | Remote | No | -> dplane (SG)
----------------------------------------------------------------------------------------------------------------

 

Bibin 

0 Kudos
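A small health check for the `pdp connections pep` output shown above, added here as an example (not Check Point's code and not from the poster): it parses the table, tolerates the trailing "-> ..." annotations, and lists every PEP link whose Status is not Connected, so a disconnected mplane link like the one in the post is flagged together with the port an MDPS task would need to cover. The sample output is constructed with placeholder IPs and names.

```python
# Constructed sample modelled on the `pdp connections pep` table in the post.
# IPs, hostnames and the trailing annotation are placeholders, not real values.
SAMPLE_PDP_OUTPUT = """\
----------------------------------------------------------------------------
| Direction | IP | Port | Name | Type | Status | Location | IPv6 Supported |
----------------------------------------------------------------------------
| Incoming | 10.0.0.1 | 28581 | sgfw001 | Single Gateway | Connected | Remote | No | -> dplane (SG)
| Outgoing | 10.0.1.1 | 15105 | sgfw001 | Single Gateway | Disconnected | Remote | Yes | -> mplane (SG)
| Outgoing | 127.0.0.1 | 15105 | sgfwclu0001 | Cluster | Connected | Locally | No |
| Outgoing | 10.0.0.2 | 15105 | sgfw001 | Single Gateway | Connected | Remote | No | -> dplane (SG)
----------------------------------------------------------------------------
"""

EXPECTED_COLUMNS = ("Direction", "IP", "Port", "Name", "Type", "Status")


def parse_pdp_connections(text):
    """Turn the pipe-delimited `pdp connections pep` table into a list of dicts.

    Dashed separator lines are skipped; the first '|' line is the header.
    Any text after the last header column (e.g. '-> mplane') is ignored.
    """
    header, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.lstrip("|").split("|")]
        if header is None:
            header = cells
            missing = [c for c in EXPECTED_COLUMNS if c not in header]
            if missing:
                raise ValueError("unexpected header, missing %s" % missing)
            continue
        rows.append(dict(zip(header, cells[: len(header)])))
    return rows


def disconnected_peps(rows):
    """Return (name, ip, port) for every PEP link not in the Connected state."""
    return [(r["Name"], r["IP"], int(r["Port"]))
            for r in rows if r["Status"] != "Connected"]


def ports_needing_attention(rows):
    """Ports used by any non-Connected link, i.e. candidates for an MDPS task."""
    return sorted({port for _, _, port in disconnected_peps(rows)})


if __name__ == "__main__":
    parsed = parse_pdp_connections(SAMPLE_PDP_OUTPUT)
    for name, ip, port in disconnected_peps(parsed):
        print("PEP %s at %s:%d is not connected" % (name, ip, port))
```

On a real gateway, pipe the command output into `parse_pdp_connections` instead of the constructed sample.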
Christian_Koehl
Collaborator

Dear Bibin,


try to change the "ia_control_connections_ip" via GuiDBedit on your firewall module.

 

[Attached image: change_of_ia-control-connections-ip.png]

 

HTH and best regards,

Christian

0 Kudos
bibinpaul
Participant

Thanks Christian,

I will try and update you soon 🙂

0 Kudos
Peter_Elmer
Employee

Hello @binu ,

there is sk175587, which documents guidelines for how to integrate Maestro in an ID Sharing environment. This sk was created in close collaboration with IDA R&D and Maestro R&D. You can find it linked from the Maestro Admin Guide here.

The introduction of this sk explains the packet processing of inbound connections, which may help even for this scenario.

best regards

pelmer

0 Kudos
bibinpaul
Participant

Thanks Peter,

I have managed to resolve the issue by creating an MDPS task for 15105 and 28581. 🙂 It's now working.