Hi All,
I recently installed IDC on a separate Windows server and configured it as per the Guide.
I have connected to 6 of my DCs and it's receiving events fine. Then I connected one firewall which is in the same virtual network, and it is receiving all the events and I see users and machine identities in my firewall.
FW (identity source)----->Identity collector
Now I have added another firewall and it is connected; IDC shows connected and events are being sent. On the firewall, I don't see any user/machine identities getting updated.
Firewall (Identity source)----->VPN site to site----->Identity collector
Is there something else I have to do for events to go over the VPN tunnel to my firewall that is trying to get identities from IDC? Because if it is not over the VPN tunnel, it's working fine.
Both firewalls are R81.20 and have the same configuration, and IDC shows both connected and events are being sent, and I do see the numbers increase in IDC.
That 100% looks right to me. I would open TAC case about it to see what they say.
Andy
Maybe a silly question, but did you make sure Windows FW is off on that machine?
Andy
Hi,
Yes it is off, since one firewall is working fine.
K, I see what you meant in your post. So, the one that fails, the difference is it goes over the VPN tunnel. Can you do a capture and make sure the IC IP is not getting dropped? Run fw monitor and then in another ssh window run zdebug.
So say IC ip is 10.10.10.10, do something like this:
ssh 1 -> fw monitor -e "accept host(10.10.10.10);"
ssh 2 -> fw ctl zdebug + drop | grep 10.10.10.10
Hi,
I just confirmed that traffic indeed is coming in at port 443 and there is no drop in the traffic. I do see VPN logs too and nothing looks out of place. All connectivity looks fine 😞
I would try restarting the IC machine to see if it makes any difference. Maybe also run pdp update all on the problematic gateway.
Andy
One thing I would do is maybe try doing IA debugs on the fw and see what gives.
Commands are pep debug on and pdp debug on (off to turn off). Once done, check $FWDIR/dir log for pep and pdp log files.
Hope that helps.
Andy
Thank you all for your replies. I am heading for my vacation for next week. I will open a TAC case once I am back 🙂
Have a nice vacation!
Andy