IA with Identity Collector issues

Hi,

We are deploying two new gateways and Mgmt servers running R80.20 and the policy is heavily reliant on IA.

We have two Identity Collectors (80.87.0000 - recently upgraded from 80.85.0000) running on Windows 2016 servers.

We have about 15 users behind the gateways testing the policy and are running into problems where users randomly stop being authenticated and therefore the policy drops the connection.  To get them working again we run the ‘pdp control revoke_ip’ command.

In addition to the above, we have another user who has all the required access and is accepted by the policy, and then starts getting dropped by the policy. I have found an event in the logs that immediately precedes the dropped connections, which is: Authentication Status: Access Roles updated

As with the other issue, running pdp control revoke_ip gets them working again.

Have any of you come across these issues before?  And, if so, what was the fix?

We will be putting 1500+ users behind these gateways, so you can imagine the potential problems we'll face if these issues are not fixed.

I am in contact with CP TAC and have uploaded multiple pdp and pep debugs, but still don't have a fix and I wanted to see if anyone else had some advice.

Many thanks

Alex

8 Replies
Admin

Please send me the TAC SR in a PM. Also tagging @Royi_Priov.

Silver

Is the user logging into multiple machines?

Do you have the "Automatically exclude users which are logged into more than xx machines simultaneously" option enabled?


Hi,

Thanks for your response.

It depends on the user.  Some users may be logged into multiple machines (some IT staff) and others not, however, we don't have AD Query enabled, so that option is not enabled.

I have added certain accounts to the exclusion list on the Identity Collectors though.

Kind regards

Alex


Hi,

Any update here?

I have a similar case with a customer.


Was there any response to this, as we are having the exact same issue?


Did you contact TAC for this? I did almost 1.5 months ago, went through 3 engineers and a few escalations, and the only things we did were to ignore machine identities and follow the advice to upgrade the collector and install the latest hotfix. It works at the moment and no one can tell us what happened.


Hi Martin,

Sorry for not replying sooner.

Since this post we have made a number of changes:

We have upgraded to R80.40 on our gateways and Mgmt platform.
We have upgraded the Identity Collector software to 80.119.0000.

However, the changes we made where we saw the most positive impact to our issues were:

The filters in the Identity Collector software:

Network Filter: Included all of our user IP ranges
Identity Filter: Excluded all of our service accounts and domain admin accounts (accounts where users are likely to be connected to more than one machine).
Domain Filter: Excluded a short name/alias of our real domain as the collectors were seeing duplicate entries and immediately logged users out.

Two changes we made to the gateways:

pdp nested_groups __set_state 2
pdp update update_rate set 500

These were the best changes for us in our environment, and these may differ for you, so I would take TAC's advice on this, but these certainly helped us.

I wish you the best of luck.

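A constructed illustration, added here and not Check Point's code or anything posted in this thread, of how the three collector filters Alex lists (network include, identity exclude, domain exclude) remove the duplicate short-name/alias bindings he describes, and of the "users logged into more than xx machines" check raised earlier in the thread. The event shape, the filter semantics, and every user name, domain and address are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """One identity event as a collector might receive it (assumed shape)."""
    user: str
    domain: str
    ip: str
    machine: str


@dataclass
class CollectorFilters:
    network_include: tuple        # client ranges that are forwarded to the gateway
    identity_exclude: frozenset   # service / admin accounts never forwarded
    domain_exclude: frozenset     # short names / aliases that would duplicate a binding

    def keep(self, ev: LogonEvent) -> bool:
        addr = ipaddress.ip_address(ev.ip)
        in_scope = any(addr in ipaddress.ip_network(n) for n in self.network_include)
        return (in_scope
                and ev.user.lower() not in self.identity_exclude
                and ev.domain.upper() not in self.domain_exclude)


def apply_filters(events, filters):
    """Events that survive all three filters, in their original order."""
    return [ev for ev in events if filters.keep(ev)]


def duplicate_bindings(events):
    """IPs that carry more than one (domain, user) binding: the state in which
    the same logon shows up twice under two domain names for one address."""
    by_ip = defaultdict(set)
    for ev in events:
        by_ip[ev.ip].add((ev.domain.upper(), ev.user.lower()))
    return {ip: b for ip, b in by_ip.items() if len(b) > 1}


def multi_machine_users(events, limit):
    """Users seen on more than `limit` distinct machines, the pattern that an
    'exclude users logged into more than xx machines' option is aimed at."""
    machines = defaultdict(set)
    for ev in events:
        machines[ev.user.lower()].add(ev.machine)
    return {u for u, m in machines.items() if len(m) > limit}


# Constructed sample events; every name and address is made up for this example.
RAW_EVENTS = [
    LogonEvent("jsmith", "CORP.EXAMPLE.COM", "10.1.2.10", "WS-JSMITH"),
    LogonEvent("jsmith", "CORP", "10.1.2.10", "WS-JSMITH"),            # same logon via the short alias
    LogonEvent("ajones", "CORP.EXAMPLE.COM", "10.1.2.11", "WS-AJONES"),
    LogonEvent("svc_backup", "CORP.EXAMPLE.COM", "10.1.2.20", "SRV-01"),  # service account, two hosts
    LogonEvent("svc_backup", "CORP.EXAMPLE.COM", "10.1.2.21", "SRV-02"),
    LogonEvent("adm_root", "CORP.EXAMPLE.COM", "10.1.2.30", "WS-ADMIN"),  # domain admin account
    LogonEvent("guest", "CORP.EXAMPLE.COM", "192.168.99.5", "LAB-01"),    # outside the user ranges
]

# Assumed filter set mirroring the three changes described in the reply.
FILTERS = CollectorFilters(
    network_include=("10.1.0.0/16",),
    identity_exclude=frozenset({"svc_backup", "adm_root"}),
    domain_exclude=frozenset({"CORP"}),
)

if __name__ == "__main__":
    print("duplicate bindings before filtering:", duplicate_bindings(RAW_EVENTS))
    kept = apply_filters(RAW_EVENTS, FILTERS)
    print("forwarded after filtering:", [(e.user, e.ip) for e in kept])
    print("duplicate bindings after filtering:", duplicate_bindings(kept))
    print("users on more than one machine:", multi_machine_users(RAW_EVENTS, 1))
```

Run as-is, the unfiltered events show the alias domain producing two bindings for 10.1.2.10, which is the duplicate-entry situation the reply blames for immediate logouts; after the domain exclude only one binding per IP remains, and the service account seen on two hosts is what the identity exclude (or a "more than xx machines" rule) keeps away from the gateway.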

Hi Alex,

I'll keep your answers in mind. In my case the problem is sporadic and I can't trace whether it comes from the GW side, IDC side or AD side. My deployment is a flat one - 2 clusters of 2 members, 2 IDCs and 4 AD servers, no filters applied. At some point the user is not recognized in pdp but has a correct binding in the IDCs and users get dropped; at some other point it is the opposite - missing user binding in the IDCs but correct info in pdp and users get accepted.
