Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Shawn_Fletcher
Contributor

1550 identity sharing and drops from failed identity lookups?

I've deployed 2 1550 appliances so far with permanent vpn tunnels to 21800. Both have required rules to bypass app control to get working due to errors like this on fw ctl zedebug drop

Example - this drops

@;745809;26Nov2019 20:32:25.035701;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 172.18.50.12:64344 -> Pxxx.xxx.xxx.xxx:53 dropped by fwhold_expires Reason: held chain expired;

 

Even with bypass rules for App control i constantly get identity fetch failed which appears to drop some traffic - even though SmartLog doesnt reflect.... (i'm having VOIP issues, this example below is a VOIP phone/VOIP server communication)

@;10284017;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;

 

The idea would be the 21800 central gateway uses Identity Collector Server with ISE to get identities and then share them to remote site gateways (R80.20 embedded doesn't support identity collector - that would have been nice)

 

on 21800 (running R80.20 jumbo 103 

pdp connections pep shows

| Outgoing | IPXXX.XXXX | 15105 | STJ-BrantfordKC | Single Gateway | Disconnected | Remote | No |

 

on 1550 - some network info has come over - so it must have connected at some point

pep show network pdp
Trying to run main_pep
--------------------------------------------------------
| Network | Mask | Related PDPs |
--------------------------------------------------------
| 172.28.138.0 | 255.255.255.0 | <21800IP,0>; |
--------------------------------------------------------

(and many more network lines)

 

pep show network registration
Trying to run main_pep
------------------
| Network | Mask |
------------------

nothing

 

pep sh user all
Trying to run main_pep
Command: root->show->user->all
ID (PDP; UID) Username@Machine CID (IP, PacketID) PT
=============================================================================================================

nothing

 

 

So far nothing but issues with 1550's compared to 1450's... a bit dissapointed.... 

Anyways open to any ideas since SMB appliance issues never seem to be a priority for TAC... thx

 

 

 

 

 

0 Kudos
5 Replies
Greg_Harbers
Collaborator

Hi Shawn,

Did you get a resolution to this issue?  We seem to be having a very similar problem with some 1550s not learning IDs from a sharing gateway. 

Thanks

Greg

0 Kudos
Shawn_Fletcher
Contributor

we spent some time with TAC on this , but they weren't able to replicate in the LAB.

we decided to deploy a 3100 appliance with full Gaia and compatible with identity collector then to keep working on this. Sounds like it wasn't isolated to our environment though - we had 1450's with the identical configuration that worked fine, but the 1550  model just seemed to be problematic as soon as we deployed it.

0 Kudos
Greg_Harbers
Collaborator

Thanks for the reply,

the customer has purchased about 10 of these appliances, so replacing with 3100s is not an option. And yes, they have about 30+ 1450/1490s working just fine with the same configuration

0 Kudos
HristoGrigorov

I know this is supposed to happen automatically but what about if you add both gateways' external IPs to VPN encryption domain ?

0 Kudos
Greg_Harbers
Collaborator

FYI, after some time working with Check Point R&D, they eventually managed to replicate the issue within their environment. From that, we have received build 477 of R80.20.10 for the 1500s and this has resolved the Identity Sharing issue.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events