Hi,
I have an R81.10 clustered gateway with JHF Take 110 and the Identity Awareness blade activated.
Both PDP and PEP are running on that gateway.
Identities are provided to PDP by one Identity Collector server, many Identity Agents MUH for Terminal Server v2 and many Identity Agents for Endpoints.
We have an issue with some Windows endpoints that have the Identity Agent for Endpoint installed. The logged-on user's identity is transmitted to PDP, but not to PEP.
If I replace the endpoint agent with the MUH agent, it solves the issue immediately.
I enabled Identity Session Conciliation, but it didn't solve the issue.
Any idea what could cause this issue?
How can I verify why some specific identities are not transferred to PEP?
Thanks
What OS levels are experiencing the issue?
Curious how you are verifying all of this, specifically that PDP has it, but PEP does not.
Possible TAC will need to be involved here.
Does running the pdp update all command help?
Andy
Hi @EricRobert
What does #pep show user all say? (on pdp and pep)?
Akos
I saw issues like that in the past with Identity Sharing (relevant PEP on a different gateway than PDP), but not with the PEP running locally on the same box as the PDP. These issues were within the Identity Sharing SmartPull mechanism and could be circumvented by switching to Push for those gateways, but the PEP on the box locally running PDP is always using Push, so that does not apply here.
See "pdp c p -e" and look at the Publish column.
Regarding debugging: While TAC really might be required here, you can switch on debug on pdpd and pepd and search for your missing user in the logs (see IA Admin guide for debug instructions).
Regarding the implicit question of Dameon "Curious how you are verifying all of this, specifically that PDP has it, but PEP does not": I guess you compared the output of "pdp monitor ip 10.0.0.1" and "pep s u q cid 10.0.0.1" on your active gateway cluster node, right? (where 10.0.0.1 is the IP address of the client whose IA session is missing in PEP)
We finally fixed the problem.
The PEP and PDP daemons were slowed down by a high level of events from Identity Collector, and it seems that it corrupted the PDP and PEP kernel tables. We fixed the issue by clearing those tables.
Ref: https://support.checkpoint.com/results/sk/sk182270
It's not exactly our issue but the command to clear the tables is from this SK.