Some users randomly get a block page from Identity Awareness gateway
Symptoms
  • Some users randomly get a block page from the Identity Awareness gateway - e.g., a user authenticated by the Identity Awareness gateway is able to connect to resources, but after several hours the authentication fails and the user gets a block page.

  • Output of 'pdp monitor ip' command on PDP Gateway correctly shows the user mapping and access role.

  • The traffic logs in SmartView Tracker show only the user's IP address and not the username.

  • The following steps resolve the issue, but only temporarily:

    1. Run 'pdp update all' command on PDP Gateway.
    2. Run 'pdp update specific username' command on PDP Gateway.
    3. Run 'pdp control revoke_ip ip_address' command on PDP Gateway.
    4. Reboot the user's computer.
Cause

When two PDP Gateways share the same identities with the same PEP Gateway, orphaned entries are generated on the PEP Gateway in the kernel table 'pep_client_db'.

Most of the time, each PDP Gateway publishes unique identities, but sometimes the same identity is published from both PDP Gateways.
In such a scenario:

  1. When the first publish arrives (from PDP GW #1), proper entries are created in the kernel table 'pep_src_mapping_db' and in the kernel table 'pep_client_db'.
  2. When the second publish arrives (from PDP GW #2), a new entry is added to the kernel table 'pep_client_db' and the old entry in the kernel table 'pep_src_mapping_db' is modified (to point to the new one). The old entry in the kernel table 'pep_client_db' is not deleted.
  3. When an identity is expired on PDP GW #2, it is revoked and, as a result, only the old entry in the kernel table 'pep_client_db' remains. The administrator sees this identity on PEP Gateway, but it is not enforced.
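
The three-step sequence above can be replayed in a small model. This is an added illustration, not Check Point code: the record layout, entry ids, method names and the sample IP and username are assumptions, and only the table names and the publish/revoke behaviour come from the description above.

```python
"""Simplified model of the two PEP kernel tables named in the Cause section.
The record layout, entry ids and method names are assumptions for illustration."""

class PepTables:
    def __init__(self):
        self.pep_client_db = {}       # entry id -> {"ip", "user", "pdp"}
        self.pep_src_mapping_db = {}  # source IP -> entry id in pep_client_db
        self._next_id = 1

    def publish(self, pdp, ip, user):
        """A PDP publishes an identity: add a client entry, (re)point the mapping."""
        entry_id = self._next_id
        self._next_id += 1
        self.pep_client_db[entry_id] = {"ip": ip, "user": user, "pdp": pdp}
        # The mapping is overwritten; an earlier client entry for this IP stays.
        self.pep_src_mapping_db[ip] = entry_id
        return entry_id

    def revoke(self, pdp, ip):
        """A PDP revokes its identity: drop its client entries and any mapping to them."""
        gone = [i for i, e in self.pep_client_db.items()
                if e["pdp"] == pdp and e["ip"] == ip]
        for i in gone:
            del self.pep_client_db[i]
        if self.pep_src_mapping_db.get(ip) in gone:
            del self.pep_src_mapping_db[ip]

    def visible_users(self, ip):
        """What an administrator listing client entries would see for this IP."""
        return [e["user"] for e in self.pep_client_db.values() if e["ip"] == ip]

    def enforced_user(self, ip):
        """Identity actually used for enforcement: only reachable via the mapping."""
        entry = self.pep_client_db.get(self.pep_src_mapping_db.get(ip))
        return entry["user"] if entry else None

    def orphans(self):
        """Client entries that no source mapping points to."""
        live = set(self.pep_src_mapping_db.values())
        return [i for i in self.pep_client_db if i not in live]

def replay_scenario(ip="192.0.2.10", user="jdoe"):  # constructed sample values
    t = PepTables()
    t.publish("PDP GW #1", ip, user)                 # step 1
    t.publish("PDP GW #2", ip, user)                 # step 2
    after_second_publish = t.orphans()
    t.revoke("PDP GW #2", ip)                        # step 3
    return after_second_publish, t.visible_users(ip), t.enforced_user(ip), t.orphans()
```

In the model, the entry from PDP GW #1 is already orphaned after the second publish, and after the revoke it is the only entry left: the user is still listed for the IP, but no source mapping leads to it, so nothing is enforced.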
