In a Cluster environment, Identity propagation does not occur between an Identity Server (PDP) and Identity Gateway (PEP)
Symptoms
  • If a cluster was configured as Identity Gateway (PEP), then:

    • On the Identity Server (PDP), the "pdp connections pep" command displays the incoming connections from the physical IP addresses of the cluster members (configured as PEP), rather than the Cluster Virtual IP address.

    • The cluster (configured as PEP) is not updated about identities by the Identity Server (PDP).

  • If a cluster was configured as Identity Server (PDP), then:

    • On the Identity Gateway (PEP), the "pep show pdp all" command displays the incoming connections from the physical IP addresses of the cluster members (configured as PDP), rather than the Cluster Virtual IP address.

    • The cluster (configured as PDP) does not update the Identity Gateway (PEP) about identities.

Cause

In a Cluster environment, the connections from PEP to PDP (over TCP port 28581) and from PDP to PEP (over TCP port 15105) are expected to be initiated from the Cluster's Virtual IP addresses, rather than from the physical IP addresses of cluster members.
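As an added verification example (not part of this SK or of Check Point's own tooling), the script below checks the source addresses of the Identity Awareness control connections, as observed on the peer, against the cluster VIP and the members' physical IPs, and reports exactly the symptom described above. It assumes the connection list has been transcribed by hand from the "pdp connections pep" / "pep show pdp all" output or from a packet capture; the addresses used are constructed RFC 5737 documentation values.

```python
import ipaddress

# Identity Awareness control ports named in the Cause section:
# PEP -> PDP over TCP 28581, PDP -> PEP over TCP 15105.
PORT_PEP_TO_PDP = 28581
PORT_PDP_TO_PEP = 15105
CONTROL_PORTS = {PORT_PEP_TO_PDP: "PEP", PORT_PDP_TO_PEP: "PDP"}


def check_cluster_sources(connections, cluster_vip, member_ips):
    """Flag PDP/PEP control connections that arrive from a cluster member's
    physical IP instead of the cluster Virtual IP.

    connections: iterable of (source_ip, destination_port) as seen on the peer
                 (hypothetical input transcribed from the show commands).
    cluster_vip: the Virtual IP the peer is expected to see as the source.
    member_ips:  physical IPs of the cluster members.
    Returns a list of findings; an empty list means the cluster behaves as
    expected (all control connections originate from the VIP).
    """
    vip = ipaddress.ip_address(cluster_vip)
    members = {ipaddress.ip_address(m) for m in member_ips}
    findings = []
    for src, dport in connections:
        role = CONTROL_PORTS.get(dport)
        if role is None:
            continue  # not PDP/PEP control traffic, out of scope here
        src_ip = ipaddress.ip_address(src)
        if src_ip in members:
            findings.append(
                f"{role} connection to TCP {dport} from member {src_ip} instead "
                f"of cluster VIP {vip}: remove sk31832 config or add hide NAT")
        elif src_ip != vip:
            findings.append(
                f"connection to TCP {dport} from {src_ip}, which is neither "
                f"the cluster VIP nor a known member")
    return findings


# Constructed sample (not from the SK): a PEP cluster with VIP 192.0.2.10 and
# members 192.0.2.11 / 192.0.2.12, as seen on the PDP. The first two entries
# reproduce the symptom; the third is healthy; the last is unrelated traffic.
SAMPLE_CONNECTIONS = [
    ("192.0.2.11", 28581),
    ("192.0.2.12", 28581),
    ("192.0.2.10", 28581),
    ("192.0.2.11", 443),
]

if __name__ == "__main__":
    for finding in check_cluster_sources(SAMPLE_CONNECTIONS, "192.0.2.10",
                                         ["192.0.2.11", "192.0.2.12"]):
        print(finding)
```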


Solution

Follow the steps below:

If a cluster was configured as an Identity Gateway (PEP)

  • Cluster configured as PEP is ClusterXL:

    1. Make sure that sk31832 is not applied on the cluster members for TCP port 28581.

      If such a configuration exists, remove it.

    2. If the issue persists, add the following NAT rule above the existing NAT rules to hide the PEP connections originated by the PEP cluster members behind the PEP Cluster Virtual IP address:

      In R80 SmartConsole:

      No. | Original Source            | Original Destination  | Original Services | Translated Source | Translated Destination | Translated Services | Install On
      1   | PEP Member_A, PEP Member_B | PDP Gateway / Cluster | TCP 28581         | PEP Cluster VIP   | = Original             | = Original          | PEP Cluster object

      In R7X SmartDashboard:

      No. | Original Packet: Source    | Original Packet: Destination | Original Packet: Service | Translated Packet: Source | Translated Packet: Destination | Translated Packet: Service | Install On
      1   | PEP Member_A, PEP Member_B | PDP Gateway / Cluster        | TCP 28581                | PEP Cluster VIP           | = Original                     | = Original                 | PEP Cluster object

  • Cluster configured as PEP is a 3rd party cluster:

    1. In SmartDashboard, open the 3rd party cluster object.

    2. Go to the "3rd Party Configuration" pane.

    3. Check the box "Hide Cluster Members' outgoing traffic behind the Cluster's IP address".

    4. Click on OK.

    5. Install the Network Security policy on this cluster object.


If a cluster was configured as an Identity Server (PDP)

  • Cluster configured as PDP is ClusterXL:

    1. Make sure that sk31832 is not applied on the cluster members for TCP port 15105.

      If such a configuration exists, remove it.

    2. If the issue persists, add the following NAT rule above the existing NAT rules to hide the PDP connections originated by the PDP cluster members behind the PDP Cluster Virtual IP address:

      In R80 SmartConsole:

      No. | Original Source            | Original Destination  | Original Services | Translated Source | Translated Destination | Translated Services | Install On
      1   | PDP Member_A, PDP Member_B | PEP Gateway / Cluster | TCP 15105         | PDP Cluster VIP   | = Original             | = Original          | PDP Cluster object

      In R7X SmartDashboard:

      No. | Original Packet: Source    | Original Packet: Destination | Original Packet: Service | Translated Packet: Source | Translated Packet: Destination | Translated Packet: Service | Install On
      1   | PDP Member_A, PDP Member_B | PEP Gateway / Cluster        | TCP 15105                | PDP Cluster VIP           | = Original                     | = Original                 | PDP Cluster object

  • Cluster configured as PDP is a 3rd party cluster:

    1. In SmartDashboard, open the 3rd party cluster object.

    2. Go to the "3rd Party Configuration" pane.

    3. Check the box "Hide Cluster Members' outgoing traffic behind the Cluster's IP address".

    4. Click on OK.

    5. Install the Network Security policy on this cluster object.


Notes

  • If an existing Identity Awareness connection is established with other Security Gateways, you will need to perform 'cpstop ; cpstart' on the affected Security Gateways.

    Note: this procedure includes inevitable downtime.
