
1550 identity sharing and drops from failed identity lookups?

I've deployed 2 1550 appliances so far with permanent VPN tunnels to a 21800. Both have required rules to bypass App Control to get working, due to errors like this in fw ctl zdebug drop:

Example - this drops:

@;745809;26Nov2019 20:32:25.035701;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 172.18.50.12:64344 -> Pxxx.xxx.xxx.xxx:53 dropped by fwhold_expires Reason: held chain expired;

Even with bypass rules for App Control, I constantly get "identity fetch failed", which appears to drop some traffic, even though SmartLog doesn't reflect it. (I'm having VoIP issues; the example below is VoIP phone to VoIP server communication.)

@;10284017;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;

The idea would be that the 21800 central gateway uses Identity Collector Server with ISE to get identities and then shares them with the remote site gateways (R80.20 embedded doesn't support Identity Collector - that would have been nice).

On the 21800 (running R80.20 Jumbo 103):

pdp connections pep shows:

| Outgoing | IPXXX.XXXX | 15105 | STJ-BrantfordKC | Single Gateway | Disconnected | Remote | No |

On the 1550, some network info has come over, so it must have connected at some point:

pep show network pdp
Trying to run main_pep
--------------------------------------------------------
| Network | Mask | Related PDPs |
--------------------------------------------------------
| 172.28.138.0 | 255.255.255.0 | <21800IP,0>; |
--------------------------------------------------------

(and many more network lines)

pep show network registration
Trying to run main_pep
------------------
| Network | Mask |
------------------

nothing

pep sh user all
Trying to run main_pep
Command: root->show->user->all
ID (PDP; UID) Username@Machine CID (IP, PacketID) PT
=============================================================================================================

nothing

So far nothing but issues with 1550s compared to 1450s... a bit disappointed.

Anyway, open to any ideas, since SMB appliance issues never seem to be a priority for TAC... thx

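As an added triage aid (not code from the post or from Check Point), here is a small Python parser for the kernel-debug lines quoted above: it separates fw_log_drop_ex drops (module and reason) from ida_cmi_async_fetch_log_cb identity-fetch failures and counts the failures per flow and per firewall instance, so drops can be checked against identity lookups that never completed. The sample lines are constructed with documentation-range addresses, and the regular expressions are assumptions based only on the line formats visible in the post.

```python
import re
from collections import Counter

# Constructed sample in the "fw ctl zdebug drop" line format quoted in the post;
# the addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
@;745809;26Nov2019 20:32:25.035701;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 172.18.50.12:64344 -> 203.0.113.10:53 dropped by fwhold_expires Reason: held chain expired;
@;10284017;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IP203.0.113.20:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IP203.0.113.20:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
"""

# "@;<seq>;[<timestamp>;][cpu_N];[fw4_N];<body>;" -- the timestamp field is optional.
HEADER = re.compile(r"^@;(\d+);(?:[^;]*;)?\[cpu_(\d+)\];\[fw4_(\d+)\];(.*?);?\s*$")
# src:port -> dst:port; a letter prefix ("IP", "P") before an address is tolerated, as in the post.
FLOW = r"[A-Za-z]*(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> [A-Za-z]*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
DROP = re.compile(r"fw_log_drop_ex: Packet proto=(\d+) " + FLOW + r" dropped by (\S+) Reason: (.*)")
IDA_FAIL = re.compile(r"^(?:\[" + FLOW + r"\] )?\[ERROR\]: ida_cmi_async_fetch_log_cb: the identity fetch failed")


def parse_line(line):
    """Parse one debug line into a dict; returns None for lines in another format."""
    if not (m := HEADER.match(line)):
        return None
    seq, cpu, inst, body = m.groups()
    rec = {"seq": int(seq), "cpu": int(cpu), "instance": int(inst), "kind": "other", "flow": None}
    if d := DROP.search(body):
        proto, src, sport, dst, dport, module, reason = d.groups()
        rec.update(kind="drop", proto=int(proto), flow=(src, int(sport), dst, int(dport)),
                   dropped_by=module, reason=reason.strip())
    elif i := IDA_FAIL.match(body):
        rec["kind"] = "identity_fetch_failed"
        if i.group(1):  # only some failures are logged with the flow they belong to
            src, sport, dst, dport = i.groups()
            rec["flow"] = (src, int(sport), dst, int(dport))
    return rec


def summarize(text):
    """Count drops per module/reason and identity-fetch failures per flow and instance."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    drops = [r for r in recs if r["kind"] == "drop"]
    ida = [r for r in recs if r["kind"] == "identity_fetch_failed"]
    return {
        "drops": len(drops),
        "drop_reasons": Counter(f"{r['dropped_by']}: {r['reason']}" for r in drops),
        "identity_fetch_failed": len(ida),
        "failures_by_flow": Counter(r["flow"] for r in ida if r["flow"]),
        "failures_by_instance": Counter(r["instance"] for r in ida),
    }
```

Feed it the output of a real capture (for example, `summarize(open("zdebug.txt").read())`) and compare the flows under failures_by_flow with the VoIP addresses that are dropping.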