Yes, all gateways and management server R80.20

One MGMT server for all gateways.

What do you mean if NAT is involved? In what way?

I don't know of any such NATs. I double checked and didn't see any.

FW2 is the default gateway for FW1

Hi @PhoneBoy , 

Any ideas?

What version of MUH are you using?
Note that I highly recommend upgrading to R80.40, which allows for several improvements in MUH (more users on a terminal server and more traffic types are supported). 

I'll check tomorrow the MUH version.

But since the user is correctly identified by FW1, could it still be connected to the MUH itself?

We will upgrade to 80.40 in the future but not right now...

Looks like some configuration issue with the gateways themselves, no?

The newer versions of MUH operate a bit differently than older versions and sync data incompatible with older gateway versions.
Not sure if that has been backported to earlier releases or not.
I strongly recommend a TAC case here. 

Ok, just verifying again: 

'Get identities from other gateways' shouldn't be checked on FW2?

Currently it's not checked, but again, identites from PCs propegate fine to FW2...

We only use agents on our terminal servers. Users using their own PCs don't have agents installed.

So maybe I'm making a salad here, but I need to understand the flow here - 

User1 on a PC, sits behind FW1, and want to reach a resource behind FW2.

First point of contact is with FW1, so Identity awareness data is collected there.

request from PC is now routed forward to FW2 since it's the DG of FW1.

Isn't identity data also transfered from FW1 to FW2 or does FW2 aquires it's own Identity data independently from the user's PC?

Also, any negative impact if I enable the 'Get identity data from other gateways' online?

You still haven't answered the question: how is Identity Awareness to 'acquire' the identity.
If it's AD Query and you've configured both firewalls to acquire them from the same set of AD servers, then both gateways will find out about the same logins done to those servers.
However, this only works for single user hosts. 

For terminal servers, MUH must be used as multiple users are coming from the same IP and MUH helps differentiate between the users.
However, MUH (or any of the agents) can only talk to one gateway.
If the gateway isn't sharing identities, no other gateway will find out about that identity.

So, yes, you have to share identities between gateways to make this work.
It does not add a lot of overhead as it is a demand-driven process. 

As a larger issue, you should configure each firewall to acquire identities from the closest AD server (not necessarily the same ones).
You may also want to move to Identity Collector, which scales better than AD Query.

Sorry for that - Yes, it's AD Query and both FW are configured with the same AD server.

Thanks for calrifying things. I'll check that box later on and give an update here if that solved the issue.

OK, update - 

I installed latest JHF (take 183) and enabled the 'Get identities from other gateways' on FW2.

('share local identities with other gateways' was always ticked on both gateways.)

However, it doesn't looks like it helped. I still don't see username in logs from FW2, only on FW1.

I have a similar problem from the other way around:

Users are establishing VPN connection (SSLVPN) with FW2, however when trying to access resources behind FW1, their user data isn't propogated.

When I tried to enable 'Get identities from other gateways' on FW1, it broke the IA mechanism, and no user data was available for TS agent AND PCs.

I'm kinda lost here with how this mechanism works...