Identity Sharing with MDPS enabled + Maestro
Hi All,
Good day!!
In one of my recent deployments, I have enabled MDPS on Maestro SG, which is running on R80.30SP, JHF take 97.
Identity sharing stopped working after enabling the MDPS. Maestro SG is PEP.
From the PDP and PEP logs, the connection initiated to mplane is getting disconnected.
Has anyone observed this kind of behavior with Maestro when MDPS is enabled?
Thanks and Regards
Bibin
sk138672 Management Data Plane Separation: Do not configure non-Management operations on the Management plane network. Examples of non-Management operations: DNS, Proxy, DHCP, and Software Blade portals.
I would assume that IA Identity Sharing is a non-Management operation...
Thanks Albrecht,
I could see the dplane and mplane interfaces of Maestro SG from the PDP gateway. Somehow it does automatically.
The Maestro SG will be identified at the management server through the mplane interface, and hence when we configure identity sharing, while selecting the gateway it lists the Firewall/SG object identified using the mplane interface IP.
Is there any way we could configure the identity sharing connecting to dplane and not to mplane? One way I could think of is adding the SG to the management server using the dplane interface, which defeats the purpose of MDPS.
[Expert@gw0011:0]# pdp connections pep
----------------------------------------------------------------------------------------------------------------
| Direction | IP | Port | Name | Type | Status | Location | IPv6 Supported |
----------------------------------------------------------------------------------------------------------------
| Incoming | 10.x.x.x | 28581 | sgfw001 | Single Gateway | Connected | Remote | No | -> Dplane interface (SG)
----------------------------------------------------------------------------------------------------------------
| Outgoing | 10.y.y.y | 15105 | sgfw001 | Single Gateway | Disconnected | Remote | Yes | ->Mplane interface(SG)
----------------------------------------------------------------------------------------------------------------
| Outgoing | 127.0.0.1 | 15105 | sgfwclu0001 | Cluster | Connected | Locally | No |
----------------------------------------------------------------------------------------------------------------
| Outgoing | 10.x.x.y | 15105 | sgfw001 | Single Gateway | Connected | Remote | No | ->dplane(SG)
----------------------------------------------------------------------------------------------------------------
Bibin
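A check for the symptom in the table above, as an added example that is not part of the original thread: it reads `pdp connections pep` output and lists every PEP connection whose Status is not Connected. The function names and the sample (rebuilt from the posted table, keeping the poster's placeholder addresses) are assumptions of this example.

```shell
#!/bin/bash
# Constructed sample, rebuilt from the table in the post above.
sample_pdp_output() {
cat <<'EOF'
------------------------------------------------------------------------------------------
| Direction | IP        | Port  | Name        | Type           | Status       | Location | IPv6 Supported |
------------------------------------------------------------------------------------------
| Incoming  | 10.x.x.x  | 28581 | sgfw001     | Single Gateway | Connected    | Remote   | No             |
------------------------------------------------------------------------------------------
| Outgoing  | 10.y.y.y  | 15105 | sgfw001     | Single Gateway | Disconnected | Remote   | Yes            |
------------------------------------------------------------------------------------------
| Outgoing  | 127.0.0.1 | 15105 | sgfwclu0001 | Cluster        | Connected    | Locally  | No             |
------------------------------------------------------------------------------------------
| Outgoing  | 10.x.x.y  | 15105 | sgfw001     | Single Gateway | Connected    | Remote   | No             |
------------------------------------------------------------------------------------------
EOF
}

# Read `pdp connections pep` output on stdin and print
# "direction ip port name status" for every row that is not Connected.
# Exit status: 0 = all rows Connected, 1 = at least one is not,
#              2 = no data rows parsed (empty or unexpected output).
pep_not_connected() {
  awk -F'|' '
    /^\|/ {
      # Trim padding from the columns we use (2=Direction ... 7=Status).
      for (i = 2; i <= 7; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      if ($4 !~ /^[0-9]+$/) next        # header row: Port is not numeric
      rows++
      if ($7 != "Connected") {
        bad++
        printf "%s %s %s %s %s\n", $2, $3, $4, $5, $7
      }
    }
    END {
      if (rows == 0) exit 2
      exit (bad > 0)
    }
  '
}

# Demo on the constructed sample.
# prints: Outgoing 10.y.y.y 15105 sgfw001 Disconnected
sample_pdp_output | pep_not_connected || true
```

On a gateway the same function would be fed live output, for example `pdp connections pep | pep_not_connected`.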
Dear Bibin,
Try to change the "ia_control_connections_ip" via GuiDBedit of your firewall module.
Hth and best regards,
Christian
Thanks Christian,
I will try and update you soon 🙂
Hello @binu,
There is sk175587 documenting guidelines for how to integrate Maestro in an ID Sharing environment. This sk was created in close collaboration with IDA R&D and Maestro R&D. You can find it linked from the Maestro Admin guide here.
The introduction of this sk explains packet processing of inbound connections, which may help even for this scenario.
best regards
pelmer
Thanks Peter,
I have managed to resolve the issue by creating an MDPS task for 15105 and 28581 :). It's now working.