I've deployed two 1550 appliances so far with permanent VPN tunnels to a 21800. Both have required rules to bypass App Control to get working, due to errors like this in fw ctl zdebug drop.
Example - this drops:
@;745809;26Nov2019 20:32:25.035701;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 172.18.50.12:64344 -> Pxxx.xxx.xxx.xxx:53 dropped by fwhold_expires Reason: held chain expired;
Even with bypass rules for App Control I constantly get "identity fetch failed", which appears to drop some traffic, even though SmartLog doesn't reflect it. (I'm having VoIP issues; the example below is a VoIP phone to VoIP server communication.)
@;10284017;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
The idea would be that the 21800 central gateway uses Identity Collector with ISE to get identities and then shares them with the remote site gateways (R80.20 embedded doesn't support Identity Collector; that would have been nice).
On the 21800 (running R80.20 Jumbo 103), pdp connections pep shows:
| Outgoing | IPXXX.XXXX | 15105 | STJ-BrantfordKC | Single Gateway | Disconnected | Remote | No |
On the 1550, some network info has come over, so it must have connected at some point:
pep show network pdp
Trying to run main_pep
--------------------------------------------------------
| Network | Mask | Related PDPs |
--------------------------------------------------------
| 172.28.138.0 | 255.255.255.0 | <21800IP,0>; |
--------------------------------------------------------
(and many more network lines)
pep show network registration
Trying to run main_pep
------------------
| Network | Mask |
------------------
nothing
pep sh user all
Trying to run main_pep
Command: root->show->user->all
ID (PDP; UID) Username@Machine CID (IP, PacketID) PT
=============================================================================================================
nothing
So far nothing but issues with 1550s compared to 1450s... a bit disappointed....
Anyway, open to any ideas, since SMB appliance issues never seem to be a priority for TAC... thx
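When chasing a problem like the one above it helps to reduce a long fw ctl zdebug drop capture to counts: how many drops per module/reason, which destination services they hit, and how many identity-fetch failures carry a flow and on which flows. The following is an added triage script, not Check Point code and not part of the original post. Its regular expressions are modelled on the two line formats posted above (the kernel drop line and the ida_cmi_async_fetch_log_cb error, with the "[IP<src>:<port> -> <dst>:<port>]" prefix treated as optional because the posted output only sometimes carries it); the sample lines are constructed, with RFC 5737 documentation addresses in place of the masked public IPs.

```python
"""Triage helper for Check Point 'fw ctl zdebug drop' / Identity Awareness debug output.

Added example, not Check Point code. The log formats below are modelled on the
lines posted in this thread; anything beyond those is an assumption.
"""
import re
from collections import Counter

# Kernel drop line, e.g.
#   fw_log_drop_ex: Packet proto=17 A:port -> B:port dropped by <module> Reason: <text>;
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<module>\w+) Reason: (?P<reason>[^;]+);"
)

# Identity fetch failure. The flow prefix "[IP<src>:<port> -> <dst>:<port>]" is
# optional: the posted output has it on some lines and not on others (assumption
# that "IP" is a literal prefix, as it appears in the post).
IDA_RE = re.compile(
    r"(?:\[IP(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] )?"
    r"\[ERROR\]: ida_cmi_async_fetch_log_cb: the identity fetch failed;"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Classify one debug line: ("drop", fields), ("ida", fields) or None."""
    m = DROP_RE.search(line)
    if m:
        f = m.groupdict()
        f["proto"] = PROTO_NAMES.get(int(f["proto"]), f["proto"])
        return "drop", f
    m = IDA_RE.search(line)
    if m:
        return "ida", m.groupdict()  # src/dst are None when there is no flow prefix
    return None


def triage(lines):
    """Aggregate drops by module/reason and destination service, count
    identity-fetch failures and tally the flows they were logged against."""
    result = {
        "drops_by_reason": Counter(),   # (module, reason) -> count
        "drops_by_service": Counter(),  # "proto/dport" -> count
        "drop_flows": [],               # (src:port, dst:port) per dropped packet
        "ida_failures": 0,
        "ida_flows": Counter(),         # (src:port, dst:port) -> count
        "unparsed": 0,                  # non-empty lines matching neither pattern
    }
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            if line.strip():
                result["unparsed"] += 1
            continue
        kind, f = parsed
        if kind == "drop":
            result["drops_by_reason"][(f["module"], f["reason"])] += 1
            result["drops_by_service"][f"{f['proto']}/{f['dport']}"] += 1
            result["drop_flows"].append(
                (f"{f['src']}:{f['sport']}", f"{f['dst']}:{f['dport']}"))
        else:
            result["ida_failures"] += 1
            if f["src"]:
                result["ida_flows"][(f"{f['src']}:{f['sport']}",
                                      f"{f['dst']}:{f['dport']}")] += 1
    return result


def report(result):
    """Plain-text summary, e.g. for pasting into a TAC case."""
    out = ["Drops by module/reason:"]
    for (module, reason), n in result["drops_by_reason"].most_common():
        out.append(f"  {n:5d}  {module}: {reason}")
    out.append("Drops by destination service:")
    for svc, n in result["drops_by_service"].most_common():
        out.append(f"  {n:5d}  {svc}")
    out.append(f"Identity fetch failures: {result['ida_failures']} "
               f"({sum(result['ida_flows'].values())} with a flow attached)")
    for (src, dst), n in result["ida_flows"].most_common():
        out.append(f"  {n:5d}  {src} -> {dst}")
    out.append(f"Unparsed lines: {result['unparsed']}")
    return "\n".join(out)


# Constructed sample in the posted format (not a real capture); 203.0.113.0/24
# stands in for the masked public addresses.
SAMPLE = """\
@;745809;26Nov2019 20:32:25.035701;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 172.18.50.12:64344 -> 203.0.113.5:53 dropped by fwhold_expires Reason: held chain expired;
@;745810;26Nov2019 20:32:25.035900;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 172.18.50.13:51002 -> 203.0.113.9:443 dropped by fwhold_expires Reason: held chain expired;
@;10284017;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IP203.0.113.20:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IP203.0.113.20:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
Trying to run main_pep
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE.splitlines())))
```

Feed it a saved capture with `triage(open("zdebug.txt").read().splitlines())`; the drop_flows list is kept so that individual dropped 5-tuples can be matched against the flows on which the identity fetch failed.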
Hi Shawn,
Did you get a resolution to this issue? We seem to be having a very similar problem with some 1550s not learning IDs from a sharing gateway.
Thanks
Greg
We spent some time with TAC on this, but they weren't able to replicate it in the lab.
We decided to deploy a 3100 appliance with full Gaia, which is compatible with Identity Collector, rather than keep working on this. It sounds like it wasn't isolated to our environment, though: we had 1450s with the identical configuration that worked fine, but the 1550 model just seemed to be problematic as soon as we deployed it.
Thanks for the reply.
The customer has purchased about 10 of these appliances, so replacing them with 3100s is not an option. And yes, they have 30+ 1450/1490s working just fine with the same configuration.
I know this is supposed to happen automatically, but what about adding both gateways' external IPs to the VPN encryption domain?
FYI, after some time working with Check Point R&D, they eventually managed to replicate the issue in their environment. From that, we received build 477 of R80.20.10 for the 1500s, and this has resolved the Identity Sharing issue.