Errors related to asynchronous identity fetch appear in /var/log/messages
Symptoms
  • When X-Forwarded-For (XFF) settings are enabled on one of the policy layers and/or on the Security Gateway object, the /var/log/messages file shows:
    idapi_fetch_identity_async: fwnac_fetch_conn_identity_async failed
    ida_cmi_fetch_identities_async: idapi_fetch_identity_async failed
    ida_cmi_handle_post_syn_context: failed to fetch identity
Cause

With one of the following scenarios, Identity Awareness should report identity only based on the source or destination IP address and not based on the XFF header IP:

  1. The X-Forwarded-For (XFF) setting is enabled on one of the policy layers and disabled in the Gateway object configuration.

  2. The X-Forwarded-For (XFF) setting is enabled on at least one of the policy layers and on the Gateway, and the traffic that should be enforced is UDP.

  3. The X-Forwarded-For (XFF) setting is enabled on at least one of the policy layers and on the Gateway, and the traffic that should be enforced arrives on an external interface (by default, the Gateway trusts the XFF header only on internal interfaces).

In these scenarios, the PEP Gateway tries to send an unnecessary asynchronous identity fetch request to the remote Gateway (PDP), and the request fails. This results in error messages in dmesg.

There is no functional impact.

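Because these messages are noise in the scenarios above, a SOC will usually want to recognise the complete three-message sequence and tune it out rather than alert on each line. The following log-triage snippet is an added example and is not part of this SecureKnowledge article or of any Check Point tool; the syslog lines it parses are constructed, with made-up hostname, PIDs and timestamps.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages content (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:15:01 gw-1 kernel: idapi_fetch_identity_async: fwnac_fetch_conn_identity_async failed
Mar  3 10:15:01 gw-1 kernel: ida_cmi_fetch_identities_async: idapi_fetch_identity_async failed
Mar  3 10:15:01 gw-1 kernel: ida_cmi_handle_post_syn_context: failed to fetch identity
Mar  3 10:15:02 gw-1 sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 51522
Mar  3 10:15:07 gw-1 kernel: idapi_fetch_identity_async: fwnac_fetch_conn_identity_async failed
Mar  3 10:15:07 gw-1 kernel: ida_cmi_fetch_identities_async: idapi_fetch_identity_async failed
Mar  3 10:15:07 gw-1 kernel: ida_cmi_handle_post_syn_context: failed to fetch identity
Mar  3 10:15:09 gw-1 kernel: ida_cmi_handle_post_syn_context: failed to fetch identity
"""

# The three messages listed in the Symptoms section, in the order they are logged.
XFF_FETCH_MESSAGES = (
    "idapi_fetch_identity_async: fwnac_fetch_conn_identity_async failed",
    "ida_cmi_fetch_identities_async: idapi_fetch_identity_async failed",
    "ida_cmi_handle_post_syn_context: failed to fetch identity",
)

# Classic syslog layout: "Mon  D HH:MM:SS host process: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)

def parse_syslog(text):
    """Yield (timestamp, host, message) for every line the regex recognises."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group("ts"), m.group("host"), m.group("msg")

def find_xff_fetch_bursts(text):
    """Return timestamps at which all three async-fetch messages occur together.

    A complete triad matches the benign condition described in the Cause section.
    An isolated message (as at 10:15:09 in the sample) is not part of that pattern
    and is left for separate investigation rather than being suppressed.
    """
    per_ts = {}
    for ts, _host, msg in parse_syslog(text):
        if msg in XFF_FETCH_MESSAGES:
            per_ts.setdefault(ts, set()).add(msg)
    return [ts for ts, msgs in per_ts.items() if msgs == set(XFF_FETCH_MESSAGES)]

def count_messages(text):
    """Count how often each of the three messages appears, for trend reporting."""
    return Counter(msg for _ts, _host, msg in parse_syslog(text) if msg in XFF_FETCH_MESSAGES)
```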
Solution