lesmona
Participant

Identity Awareness randomly losing identities

Hello everyone, I use Identity Awareness on all our gateways. We get the identities from the Identity Collector, which I installed on each domain controller. Most locations have only one DC. The problem I'm having is at the main site. I have three domain controllers with three Identity Collectors there. It's working quite well so far, but unfortunately, sometimes individual users lose their identity. From one second to the next. I then see in the log that only the IP address is displayed and no longer the username! I've attached a screenshot of the log. In this example, the user "Emanuel" suddenly loses his "identity." This is, of course, extremely unfortunate, since our rules are based entirely on Identity Awareness. I checked in the CLI whether the gateway still recognizes the user and has the correct IP assignment. Result: Yes, everything is still there. The IP address matches the username. Nevertheless, as you can see, he falls into a drop rule. I suspect it's a timeout issue. Perhaps an idle timeout? I just can't find a way to increase the timeout. Or am I on the wrong track and do you have another solution? Thank you very much for your help.
0 Kudos

11 Replies
PhoneBoy
Admin

Without knowing more about your environment, which includes:

  • Version/JHF of gateways and management
  • Version of Identity Collector
  • The relationship between Identity Collector, Active Directory, and Gateways

It's hard to know where to start on this.
The actual log in/out events, which are shown in the screenshot provided, should be reviewed to see if they provide any clues.
You will need to see the full log card. 

0 Kudos
the_rock
Legend

This is the IA debug TAC gave me a while back, so you can definitely run it and see if it helps. I do agree with PhoneBoy that we need full log details, just blur out any sensitive data.

Andy

Debugs:

# cd $FWDIR/log
# rm pdpd.elg.*
# echo "=debug_start=" >> $FWDIR/log/pdpd.elg

  • To turn pdp debug on:
# adlog a d on
# pdp debug on
# pep debug on
# pdp debug set all all

  • Replicate the issue

  • To turn them off:
# adlog a d off
# pdp debug unset all all
# pdp debug off
# pep debug off
# pdp d reset
# pep d unset all all

Collect debug:
$FWDIR/log/pdpd.elg
# tar zcvf pdpd_debugs.tgz pdpd.elg*
# tar zcvf pepd_debugs.tgz pepd.elg*

0 Kudos
lesmona
Participant

Hello everyone,
I've learned something new: the "pdp control sync" command fixes my problem, and it works again immediately. Now, of course, the question is why the database isn't replicating properly in the cluster system with R81.20 Take 113. Are there any settings or something similar?

0 Kudos
the_rock
Legend

Just tried it on both R81.20 and R82, but get below...

Andy


[Expert@CP-FW-01:0]# pep control sync
Command: root->control
Unknown option: sync

Available options:
portal_dual_stack - portal dual stack (IPv4 and IPv6) support
extended_info_storage - should the PEP store extended identities info for debugging or not
tasks_manager - the task manager menu
kbuf_cache - Kbuf cache configuration
gbuf_cache - Gbuf cache configuration
identity_cache_mode - Identity Cache mode configuration

[Expert@CP-FW-01:0]#

0 Kudos
lesmona
Participant

sorry :  pdp control sync

 

the_rock
Legend

That's better :-)


[Expert@CP-FW-01:0]# pdp control sync
a sync message will be sent to relevant gateways
[Expert@CP-FW-01:0]#

0 Kudos
lesmona
Participant
 
I have to manually initiate the sync every now and then. Is there a way to check why this is happening? I can't do this manual sync multiple times a day when it should happen automatically.
0 Kudos
the_rock
Legend

How often though?

Andy

0 Kudos
lesmona
Participant

Today, like 10 times.

0 Kudos
the_rock
Legend

That is not normal, for sure. I would open a TAC case to investigate.

0 Kudos
PhoneBoy
Admin

Running the command periodically via cron might be a good idea in the short term while you investigate the issue with TAC.

0 Kudos
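As an added example (not code from this thread, from Check Point, or from any poster), here is one way to wrap the periodic "pdp control sync" workaround PhoneBoy suggests so that it can be scheduled from expert-mode cron. Each run is appended to a log with a UTC timestamp and the command's exit status, so the same log later shows TAC how often the manual resync was actually needed. The variable names PDP_CMD and SYNC_LOG, the log path, the script path in the crontab line and the assumption that pdp is on PATH in expert mode are all choices made for this script, not settings from the gateway.

```shell
#!/bin/bash
# Added example: wrapper for the "pdp control sync" workaround discussed in the thread.
# Not part of the thread or of Check Point's tooling. PDP_CMD, SYNC_LOG and the
# script path used in the crontab line are hypothetical names chosen here.

PDP_CMD="${PDP_CMD:-pdp}"                                # assumed to be on PATH in expert mode
SYNC_LOG="${SYNC_LOG:-/var/log/pdp_control_sync.log}"   # hypothetical log location

# Run one sync and append "<utc time> rc=<exit status> <pdp output>" to SYNC_LOG.
# Returns pdp's exit status so cron (or a caller) sees failed runs.
run_pdp_sync() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    out=$("$PDP_CMD" control sync 2>&1)
    rc=$?
    # flatten multi-line output onto the single log line
    out=$(printf '%s' "$out" | tr '\n' ' ')
    printf '%s rc=%d %s\n' "$ts" "$rc" "$out" >> "$SYNC_LOG"
    return "$rc"
}

# Summarise SYNC_LOG as "<total runs> <failed runs>" (exit status other than 0),
# the two numbers worth quoting in the TAC case.
sync_log_summary() {
    total=$(grep -c ' rc=' "$SYNC_LOG" 2>/dev/null || true)
    failed=$(grep -c ' rc=[1-9]' "$SYNC_LOG" 2>/dev/null || true)
    echo "${total:-0} ${failed:-0}"
}

# Invoke as "pdp_sync.sh run" from cron; a plain crontab entry every 15 minutes
# would look like (path and interval are placeholders):
#   */15 * * * * /home/admin/pdp_sync.sh run
# Without an argument the script only defines the functions, so it can be sourced.
case "${1:-}" in
    run)     run_pdp_sync ;;
    summary) sync_log_summary ;;
esac
```

The interval is a judgement call: the thread reports roughly ten manual syncs in a day, so an interval of a few minutes masks the symptom, while the log keeps the evidence that the underlying replication problem still exists and has to be fixed rather than hidden.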
