EricRobert
Participant

Specific users' identities present in PDP but not transferred to PEP

Hi,

I have a R81.10 Clustered gateway with JHF Take 110 and Identity Awareness blade activated.

Both PDP and PEP are running on that gateway.

Identities are provided to PDP by one Identity Collector server, many Identity Agents MUH for Terminal Server v2 and many Identity Agents for Endpoints.

We have an issue for some Windows endpoints with Identity Agent for Endpoint installed on them. The logged-on user's identity is transmitted to PDP, but not to PEP.

If I replace the endpoint agent with the MUH agent, it solves the issue immediately.

I enabled Identity Session Conciliation, but it didn't solve the issue.

Any idea what could cause this issue?

How can I verify why some specific identities are not transferred to PEP?

Thanks


Accepted Solutions
EricRobert
Participant

We finally fixed the problem.

The PEP and PDP daemons were slowed down by a high level of events from Identity Collector, and it seems that this corrupted the PDP and PEP kernel tables. We fixed the issue by clearing those tables.

Ref: https://support.checkpoint.com/results/sk/sk182270

It's not exactly our issue but the command to clear the tables is from this SK.

5 Replies
PhoneBoy
Admin

What OS levels are experiencing the issue?
Curious how you are verifying all of this, specifically that PDP has it, but PEP does not.
Possible TAC will need to be involved here.

the_rock
Legend

Does running the "pdp update all" command help?

Andy

AkosBakos
Advisor

Hi @EricRobert 

What does "pep show user all" say (on PDP and PEP)?

Akos

----------------
\m/_(>_<)_\m/
Tobias_Moritz
Advisor

I saw issues like that in the past with Identity Sharing (relevant PEP on a different gateway than the PDP), but not with the PEP running locally on the same box as the PDP. Those issues were within the Identity Sharing SmartPull mechanism and could be circumvented by switching to Push for those gateways, but the PEP on the box locally running PDP always uses Push, so that does not apply here.

See "pdp c p -e" and look at the Publish column.

Regarding debugging: While TAC really might be required here, you can switch on debug on pdpd and pepd and search for your missing user in the logs (see IA Admin guide for debug instructions).

Regarding the implicit question of Dameon ("Curious how you are verifying all of this, specifically that PDP has it, but PEP does not"): I guess you compared the output of "pdp monitor ip 10.0.0.1" and "pep s u q cid 10.0.0.1" on your active gateway cluster node, right? (where 10.0.0.1 is the IP address of the client whose IA session is missing in PEP)
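A small comparison script in the spirit of that check, added here as an example and not part of the thread or of Check Point's tooling: it loops over client IPs, runs the PDP and PEP queries for each, and reports which clients have a session in PDP but none in PEP. The output pattern it parses ("User ...: <name>" lines) and the long-form "pep show user query cid" spelling of "pep s u q cid" are assumptions to adjust to your gateway's actual output.

```shell
#!/bin/bash
# Added example (not from the thread). For each client IP, compare the PDP
# view ("pdp monitor ip <ip>") with the PEP view ("pep show user query cid
# <ip>") and list clients whose identity is known to PDP but missing in PEP.
# Run in expert mode on the active cluster member.
# Assumption (not confirmed by the thread): both commands print a line such
# as "User name: jdoe" when a session exists and no such line otherwise.

PDP_CMD=${PDP_CMD:-"pdp monitor ip"}
PEP_CMD=${PEP_CMD:-"pep show user query cid"}

# Extract the user name from command output; an empty result means no session.
extract_user() {
    # Hypothetical pattern: a line like "User: jdoe" or "User name: jdoe".
    sed -n 's/^[[:space:]]*User[^:]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Classify one client from the two views:
# ok, missing-in-pep (the thread's symptom), missing-in-pdp, or none.
classify() {
    local pdp_user="$1" pep_user="$2"
    if [ -n "$pdp_user" ] && [ -z "$pep_user" ]; then echo "missing-in-pep"
    elif [ -z "$pdp_user" ] && [ -n "$pep_user" ]; then echo "missing-in-pdp"
    elif [ -n "$pdp_user" ]; then echo "ok"
    else echo "none"; fi
}

# Read client IPs (one per line) on stdin and print a tab-separated report:
# ip, user seen by PDP, user seen by PEP, state.
check_clients() {
    local ip pdp_user pep_user state
    while read -r ip; do
        [ -z "$ip" ] && continue
        pdp_user=$($PDP_CMD "$ip" 2>/dev/null | extract_user)
        pep_user=$($PEP_CMD "$ip" 2>/dev/null | extract_user)
        state=$(classify "$pdp_user" "$pep_user")
        printf '%s\t%s\t%s\t%s\n' "$ip" "${pdp_user:--}" "${pep_user:--}" "$state"
    done
}

# Usage on the gateway: printf '10.0.0.1\n10.0.0.2\n' | check_clients | grep missing-in-pep
```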

