IA with Identity Collector issues
Hi,
We are deploying two new gateways and Mgmt servers running R80.20 and the policy is heavily reliant on IA.
We have two Identity Collectors (80.87.0000 - recently upgraded from 80.85.0000) running on Windows 2016 servers.
We have about 15 users behind the gateways testing the policy and are running into problems where users randomly stop being authenticated and therefore the policy drops the connection. To get them working again we run the ‘pdp control revoke_ip’ command.
In addition to the above, we have another user who has all the required access and is being accepted by the policy, and then starts getting dropped by the policy. I have found an event in the logs that immediately precedes the dropped connections, which is: Authentication Status: Access Roles updated
As with the other issue, running pdp control revoke_ip gets them working again.
Have any of you come across these issues before? And, if so, what was the fix?
We will be putting 1500+ users behind these gateways, so you can imagine the potential problems we'll face if these issues are not fixed.
I am in contact with CP TAC and have uploaded multiple pdp and pep debugs, but still don't have a fix and I wanted to see if anyone else had some advice.
Many thanks
Alex
Please send me the TAC SR in a PM. Also tagging @Royi_Priov.
Is the user logging into multiple machines?
Do you have the "Automatically exclude users which are logged into more than xx machines simultaneously" option enabled?
Hi,
Thanks for your response.
It depends on the user. Some users may be logged into multiple machines (some IT staff) and others not; however, we don't have AD Query enabled, so that option is not enabled.
I have added certain accounts to the exclusion list on the Identity Collectors though.
Kind regards
Alex
Hi,
Any update here?
I have a similar case with a customer.
Was there any response to this as we are having the exact same issue.
Did you contact TAC for this? I did almost 1.5 months ago, went through 3 engineers and a few escalations, and the only things we did were to ignore machine identities, and the advice was to upgrade the collector and install the latest hotfix. It works at the moment and no one can tell us what happened.
Hi Martin,
Sorry for not replying sooner.
Since this post we have made a number of changes:
We have upgraded to R80.40 on our gateways and Mgmt platform.
We have upgraded the Identity Collector software to 80.119.0000.
However, the changes where we saw the most positive impact on our issues were the filters in the Identity Collector software:
Network Filter: Included all of our user IP ranges
Identity Filter: Excluded all of our service accounts and domain admin accounts (accounts where users are likely to be connected to more than one machine).
Domain Filter: Excluded a short name/alias of our real domain as the collectors were seeing duplicate entries and immediately logged users out.
Two changes we made to the gateways:
pdp nested_groups __set_state 2
pdp update update_rate set 500
These were the best changes for us in our environment, and these may differ for you so I would take TACs advice on this, but these certainly helped us.
I wish you the best of luck.
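To make the effect of the three collector filters concrete, here is an added example (written for this thread, not code from Check Point or from the Identity Collector) that replays a constructed stream of logon/logoff events through a simplified model of the collector: a network filter over user IP ranges, an identity filter for service and admin accounts, a domain filter that drops the short-name alias of the real domain, and a helper that lists accounts seen on more than N machines (the candidates for the exclusion list mentioned earlier in the thread). The assumption that a logoff for a duplicate identity clears every binding on that IP is a simplification chosen to reproduce the "duplicate entries immediately logged users out" symptom; all domains, users, IPs and machine names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LogonEvent:
    """One identity event as a collector might forward it (constructed shape)."""
    user: str
    domain: str
    ip: str
    machine: str
    kind: str  # "logon" or "logoff"


# Filter settings mirroring the three filter types named in the post (constructed values).
USER_RANGES = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]
EXCLUDED_IDENTITIES = {"svc_backup", "svc_monitor", "da_admin"}
EXCLUDED_DOMAINS = {"CORP"}  # short-name alias of corp.example.com (constructed)
MAX_MACHINES_PER_USER = 3


def passes_filters(ev, ranges=USER_RANGES, excluded_ids=EXCLUDED_IDENTITIES,
                   excluded_domains=EXCLUDED_DOMAINS):
    """Network filter: keep only user ranges; identity filter: drop listed
    accounts; domain filter: drop the alias domain that produces duplicates."""
    if not any(ip_address(ev.ip) in net for net in ranges):
        return False
    if ev.user.lower() in excluded_ids:
        return False
    if ev.domain in excluded_domains:
        return False
    return True


def replay(events, filters_on):
    """Replay events into an ip -> {identity} map.

    Simplified model (an assumption, not documented Check Point behaviour):
    a logoff for any identity bound to an IP clears every binding on that IP,
    which is how a duplicate alias-domain entry can log the real user out."""
    sessions = defaultdict(set)
    for ev in events:
        if filters_on and not passes_filters(ev):
            continue
        identity = f"{ev.domain}\\{ev.user}"
        if ev.kind == "logon":
            sessions[ev.ip].add(identity)
        elif ev.kind == "logoff":
            sessions.pop(ev.ip, None)
    return dict(sessions)


def users_over_machine_limit(events, limit=MAX_MACHINES_PER_USER):
    """Accounts seen logging on to more than `limit` distinct machines,
    i.e. the candidates for the identity exclusion list."""
    machines = defaultdict(set)
    for ev in events:
        if ev.kind == "logon":
            machines[ev.user].add(ev.machine)
    return {user for user, seen in machines.items() if len(seen) > limit}


# Constructed sample event stream.
SAMPLE_EVENTS = [
    LogonEvent("alice", "corp.example.com", "10.10.1.5", "WS-ALICE", "logon"),
    LogonEvent("alice", "CORP", "10.10.1.5", "WS-ALICE", "logon"),    # duplicate via alias domain
    LogonEvent("alice", "CORP", "10.10.1.5", "WS-ALICE", "logoff"),   # duplicate withdrawn
    LogonEvent("bob", "corp.example.com", "192.168.50.7", "WS-BOB", "logon"),  # outside user ranges
    LogonEvent("svc_backup", "corp.example.com", "10.20.0.11", "SRV-BK1", "logon"),
    LogonEvent("svc_backup", "corp.example.com", "10.20.0.12", "SRV-BK2", "logon"),
    LogonEvent("svc_backup", "corp.example.com", "10.20.0.13", "SRV-BK3", "logon"),
    LogonEvent("svc_backup", "corp.example.com", "10.20.0.14", "SRV-BK4", "logon"),
]

if __name__ == "__main__":
    # Without filters alice's IP loses its binding after the alias logoff;
    # with filters only the real-domain binding for alice survives.
    print("unfiltered:", replay(SAMPLE_EVENTS, filters_on=False))
    print("filtered:  ", replay(SAMPLE_EVENTS, filters_on=True))
    print("over limit:", users_over_machine_limit(SAMPLE_EVENTS))
```

Running it shows the failure mode from the post: without the domain filter the alias logoff removes every binding on 10.10.1.5, so the real-domain session for alice disappears even though she never logged off, while with the filters applied only her corp.example.com binding remains, the out-of-range host is ignored, and svc_backup is flagged as an account spread across more machines than the limit.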
Hi Alex,
I'll keep your answers in mind. In my case the problem is sporadic and I can't trace whether it comes from the GW side, the IDC side or the AD side. My deployment is a flat one: 2 clusters of 2 members, 2 IDCs and 4 AD servers, no filters applied. At some point the user is not recognized in pdp but has a correct binding in the IDCs and users get dropped; at some other point it is the opposite: a missing user binding in the IDCs but correct info in pdp, and users get accepted.