Zombie entries in Identity Awareness tables cause connectivity issues
Symptoms
  • When Identity Awareness is enabled on R80.10 Jumbo HFA from Take_123 up to Take_169:
    • There might be connectivity issues
    • Traffic might be dropped, and the drop message shows required_4_match = 0x80:
      [ERROR]: up_rulebase_should_drop_possible_on_SYN: conn dir 0, <src_ip:src_port> -> <dst_ip:dst_port>, IPP <protocol_number> required_4_match = 0x80, not expected required_4_match = 0x80


  • Starting from Jumbo HFA Take_169, on certain occasions some traffic that should match rules with Access Roles is not matched, because the identities are missing from the PEP Security Gateway.
Cause

Identity Awareness tables contain stale entries as a result of the issue described in sk129392. Because of these entries, the PEP Security Gateway tries to fetch identities from other Gateways (PDPs) that do not share identities with this PEP Security Gateway, so the identities it needs never arrive.

To verify this, run the "pep show net pdp" command on the PEP Security Gateway and look for the network entry that includes the src_ip or dst_ip of the problematic connection:

  Output example:

--------------------------------------------------------
| Network | Mask | Related PDPs |
--------------------------------------------------------
| 10.10.10.0 | 255.255.255.0 | <PDP_IP,0>; |
--------------------------------------------------------

If you see such an entry, check whether any of the listed "Related PDPs" is not configured to share identities with this PEP Security Gateway.
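The check above is easy to get wrong by eye when the table is long, because the PEP may hold several overlapping network entries for one address. The following Python 3 helper, added here as an example and not part of the SecureKnowledge article or of Check Point's own tooling, takes the text of "pep show net pdp" copied off the PEP Security Gateway, finds every entry covering a given src_ip or dst_ip, and reports the PDPs listed there that are not in the operator-supplied set of PDPs that share identities with this PEP. The sample table, the PDP addresses and the SHARING_PDPS set are constructed for the example; the meaning of the second field inside each "<PDP_IP,n>;" cell is not documented on the page and is ignored.

```python
"""Triage helper for the "pep show net pdp" check.

Added example, not Check Point code. Paste the command output into
SAMPLE_OUTPUT (or read it from a file) and fill SHARING_PDPS with the PDPs
that are configured to share identities with this PEP Security Gateway.
"""
import ipaddress
import re

# Constructed sample output in the layout shown in the article.
SAMPLE_OUTPUT = """\
--------------------------------------------------------
| Network        | Mask            | Related PDPs                      |
--------------------------------------------------------
| 10.10.10.0     | 255.255.255.0   | <192.0.2.10,0>;                   |
| 10.10.20.0     | 255.255.255.0   | <192.0.2.10,0>; <192.0.2.99,0>;   |
| 0.0.0.0        | 0.0.0.0         | <192.0.2.10,0>;                   |
--------------------------------------------------------
"""

# Assumed for the example: PDPs known from this PEP's Identity Sharing
# configuration to share identities with it.
SHARING_PDPS = {"192.0.2.10"}

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<PDP_IP,n>;" cells; the second field is unexplained on the page and ignored.
_PDP_RE = re.compile(r"<(%s),\d+>" % _IPV4)
# A data row: "| network | mask | related PDPs |"
_ROW_RE = re.compile(r"^\|\s*(%s)\s*\|\s*(%s)\s*\|(.*)\|$" % (_IPV4, _IPV4))


def parse_pep_net_table(text):
    """Return a list of (IPv4Network, [pdp_ip, ...]) tuples from the table text.

    Separator lines, the header row and anything else that is not a data row
    are skipped, so the whole command output can be passed in unedited.
    """
    entries = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        net_ip, mask, pdp_cell = m.groups()
        network = ipaddress.IPv4Network((net_ip, mask), strict=False)
        entries.append((network, _PDP_RE.findall(pdp_cell)))
    return entries


def networks_covering(entries, ip):
    """Entries whose network contains ip, most specific first."""
    addr = ipaddress.IPv4Address(ip)
    hits = [e for e in entries if addr in e[0]]
    hits.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return hits


def unsharing_pdps(entries, ip, sharing_pdps):
    """PDPs the PEP would query for ip that do not share identities with it.

    A non-empty result is the condition the article tells you to look for:
    the PEP holds a network entry pointing at a PDP that never sends it
    identities, so Access Role rules cannot match for that address.
    """
    suspect = set()
    for _network, pdps in networks_covering(entries, ip):
        suspect.update(p for p in pdps if p not in sharing_pdps)
    return suspect


if __name__ == "__main__":
    table = parse_pep_net_table(SAMPLE_OUTPUT)
    for probe in ("10.10.10.5", "10.10.20.5"):
        nets = ", ".join(str(n) for n, _ in networks_covering(table, probe))
        bad = sorted(unsharing_pdps(table, probe, SHARING_PDPS))
        print("%s covered by [%s]; PDPs not sharing with this PEP: %s"
              % (probe, nets, bad or "none"))
```

Run it with the real output pasted in place of SAMPLE_OUTPUT; an address that reports a non-sharing PDP is a candidate for the stale-entry condition described in this article, and the PDP it names is the one whose Identity Sharing configuration to review.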

