Identity firewall - loss IP-User mapping

Hi,

I'm trying to deploy the new ASA Identity Firewall functionality in our demo lab, but I've run into a problem with losing the IP-User mapping.

After the user has logged on, everything is OK: the ASA builds the User-IP mapping, establishes the connection and has the ability to filter traffic based on user name. But after a few minutes the ASA loses the User-IP mapping and can't filter connections based on user name. After re-logging, the situation repeats.

Here is the debug output (debug user-identity all):

idfw_adagent[2]: IP-User mapping 10.255.112.4<->INE\aval_user_2 added
idfw_adagent[2]: IDFW HA: replicate cisco\user_2<->10.255.112.4/0/1/3 to peer
idfw_adagent[2]: [ADAGENT] update 10.255.112.4 <-> INE\aval_user_2 iptype 0 origin 0.0.0.0
idfw_adagent[2]: [ADAGENT] reply CoA-ACK to 172.18.0.78/1715

<.......>

idfw_adagent: NP IDFW: remove ip 10.255.112.4 from user aval_user_2 domain=1 uid=7 import=0 useripcnt=0 hashcnt=1
idfw_adagent: NP IDFW: netbios timer cancelled for user cisco\cisco_user_2
idfw_adagent[2]: IP-User mapping 10.255.112.4<->cisco\cisco_user_2 removed
idfw_adagent[2]: IDFW HA: replicate cisco\cisco_user_2<->10.255.112.4/0/0/7 to peer
idfw_adagent[2]: [ADAGENT] reply CoA-ACK to 172.18.0.78/1715
idfw_service[2]: executing AD-Agent monitor service callback
idfw_service[2]: [ADAGENT] keepalive 172.18.0.78(1) query submitted
idfw_service[2]: SERVICE AD-Agent monitor spent 0 msecs
idfw_service[2]: AD-Agent monitor update schedule 20000 msec

I tried to manipulate the "NetBIOS logout probe" and other timers, but without success.

My configuration is below:

user-identity domain INE aaa-server AD.78
user-identity default-domain INE
user-identity action domain-controller-down INE disable-user-identity-rule
user-identity action netbios-response-fail remove-user-ip
user-identity inactive-user-timer minutes 120
user-identity logout-probe netbios local-system probe-time minutes 15 retry-interval seconds 3 retry-count 256 match-any
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent active-user-database on-demand
user-identity ad-agent hello-timer seconds 20 retry-times 3
user-identity ad-agent aaa-server adagent
user-identity user-not-found enable
!
aaa-server AD.78 protocol ldap
aaa-server AD.78 (inside) host 172.18.0.78
 ldap-base-dn DC=ine,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn aval_admin
 ldap-over-ssl enable
 server-type microsoft
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 172.18.0.78
 key *****
!

I would very much appreciate any help.

Thanks in advance.

4 Replies

mirober2
Cisco Employee

Hello,

Does the client PC respond to the NetBIOS probe? If so, what usernames does the PC return in response to the probe?

-Mike

How can I set up the NetBIOS probe in Windows XP?

thanks~

rhingst
Level 1

Hello,

I am having the exact same problem that rudenko.alexander described above; here's the result of my debug:

idfw_adagent: NP IDFW: add 10.20.161.207/0/0 to MY-DOMAIN\TEST-USER/1 ipcnt=1 hashcnt=122
idfw_adagent: NP IDFW: netbios timer after 559 sec for user MY-DOMAIN\TEST-USER
idfw_adagent[0]: IP-User mapping 10.20.161.207<->MY-DOMAIN\TEST-USER added
idfw_adagent[0]: [ADAGENT] update 10.20.161.207 <-> MY-DOMAIN\TEST-USER iptype 0 origin 0.0.0.0

<...about 1 minute later...>

idfw_adagent: NP IDFW: remove ip 10.20.161.207 from user TEST-USER domain=1 uid=1 import=0 useripcnt=0 hashcnt=116
idfw_adagent: NP IDFW: netbios timer cancelled for user MY-DOMAIN\TEST-USER
idfw_adagent[0]: IP-User mapping 10.20.161.207<->MY-DOMAIN\TEST-USER removed

And my user-identity config:

user-identity domain MY-DOMAIN aaa-server LDAP
user-identity default-domain MY-DOMAIN
user-identity action ad-agent-down disable-user-identity-rule
user-identity action domain-controller-down MY-DOMAIN disable-user-identity-rule
user-identity action netbios-response-fail remove-user-ip
user-identity inactive-user-timer minutes 120
user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent aaa-server ADAGENT

Any ideas what I'm doing wrong?

Hi Robert,

Looks like we need to focus on this message:

idfw_adagent: NP IDFW: netbios timer cancelled for user MY-DOMAIN\TEST-USER

I don't have a list of what can cause cancellation of the netbios timer; I would assume under normal circumstances that would include expiration of a watchdog set somewhere. Does this always happen right at a minute, you say?

I think we can enable sending this debug as a syslog which will get us a timestamp. I'll send the config for that.

Curtis
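As an added example (not code from this thread, from Cisco or from any of the posters): a small Python script that pairs the "IP-User mapping ... added" and "... removed" debug lines per IP address, computes how long each mapping lived, and flags mappings that were removed before their scheduled NetBIOS probe time with the NetBIOS timer cancelled, which is the pattern both logs above show. The timestamp prefix on each line is an assumption (the debug output quoted here carries none, which is why Curtis wants a timestamped syslog); the sample lines are constructed from the line formats on this page with made-up times.

```python
import re
from datetime import datetime

# Constructed sample input. The line formats are those of the
# "debug user-identity all" output quoted in the thread; the leading
# timestamp is an assumption (added here so lifetimes can be computed)
# and the times themselves are made up.
SAMPLE_LOG = r"""
2012-03-01 10:00:00 idfw_adagent: NP IDFW: add 10.20.161.207/0/0 to MY-DOMAIN\TEST-USER/1 ipcnt=1 hashcnt=122
2012-03-01 10:00:00 idfw_adagent: NP IDFW: netbios timer after 559 sec for user MY-DOMAIN\TEST-USER
2012-03-01 10:00:00 idfw_adagent[0]: IP-User mapping 10.20.161.207<->MY-DOMAIN\TEST-USER added
2012-03-01 10:00:00 idfw_adagent[0]: [ADAGENT] update 10.20.161.207 <-> MY-DOMAIN\TEST-USER iptype 0 origin 0.0.0.0
2012-03-01 10:00:20 idfw_service[0]: [ADAGENT] keepalive 172.18.0.78(1) query submitted
2012-03-01 10:01:02 idfw_adagent: NP IDFW: remove ip 10.20.161.207 from user TEST-USER domain=1 uid=1 import=0 useripcnt=0 hashcnt=116
2012-03-01 10:01:02 idfw_adagent: NP IDFW: netbios timer cancelled for user MY-DOMAIN\TEST-USER
2012-03-01 10:01:02 idfw_adagent[0]: IP-User mapping 10.20.161.207<->MY-DOMAIN\TEST-USER removed
"""

# Assumed timestamp prefix, followed by the message formats seen in the thread.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
ADDED = re.compile(TS + r"idfw_adagent\[\d+\]: IP-User mapping (?P<ip>[^<\s]+)<->(?P<user>\S+) added$")
REMOVED = re.compile(TS + r"idfw_adagent\[\d+\]: IP-User mapping (?P<ip>[^<\s]+)<->(?P<user>\S+) removed$")
TIMER = re.compile(TS + r"idfw_adagent: NP IDFW: netbios timer after (?P<secs>\d+) sec for user (?P<user>\S+)$")
CANCELLED = re.compile(TS + r"idfw_adagent: NP IDFW: netbios timer cancelled for user (?P<user>\S+)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def analyze(log_text):
    """Pair added/removed events per IP and return one record per completed mapping."""
    pending = {}        # ip -> record for a mapping that was added but not yet removed
    probe_after = {}    # user -> seconds until the scheduled NetBIOS probe
    cancelled = set()   # users whose NetBIOS timer was cancelled since their last add
    results = []
    for line in log_text.splitlines():
        if m := TIMER.match(line):
            probe_after[m["user"]] = int(m["secs"])
        elif m := CANCELLED.match(line):
            cancelled.add(m["user"])
        elif m := ADDED.match(line):
            pending[m["ip"]] = {
                "ip": m["ip"],
                "user": m["user"],
                "added_at": _ts(m["ts"]),
                "probe_after_s": probe_after.get(m["user"]),
            }
        elif m := REMOVED.match(line):
            # Pair by IP only: in the first log above the user name differs
            # between the "added" and "removed" lines.
            rec = pending.pop(m["ip"], None)
            if rec is None:      # removal for an IP we never saw added; nothing to pair
                continue
            rec["removed_at"] = _ts(m["ts"])
            rec["lifetime_s"] = int((rec["removed_at"] - rec["added_at"]).total_seconds())
            rec["timer_cancelled"] = m["user"] in cancelled
            cancelled.discard(m["user"])
            # A mapping that dies before its probe was even due was not
            # removed by the configured logout probe timing out.
            rec["removed_before_probe"] = (
                rec["probe_after_s"] is not None and rec["lifetime_s"] < rec["probe_after_s"]
            )
            results.append(rec)
    return results


def report(results):
    """One human-readable line per completed mapping."""
    lines = []
    for r in results:
        flag = " (removed before the scheduled probe)" if r["removed_before_probe"] else ""
        lines.append(
            f"{r['ip']} {r['user']}: lived {r['lifetime_s']} s, "
            f"probe due after {r['probe_after_s']} s, "
            f"timer cancelled={r['timer_cancelled']}{flag}"
        )
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a real timestamped capture, a mapping reported as "removed before the scheduled probe" with the timer cancelled tells you the removal is not the logout probe expiring, which narrows the search to whatever else cancels the NetBIOS timer, the question Curtis raises above.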
