08-23-2011 12:47 AM - edited 03-11-2019 02:15 PM
Hi,
I'm trying to deploy the new ASA Identity Firewall functionality in our demo lab, but I've run into a problem: the IP-User mapping gets lost.
After the user has logged on, everything is OK: the ASA builds the User-IP mapping, establishes the connection and is able to filter traffic based on user name, but after a few minutes the ASA loses the User-IP mapping and can't filter connections based on user name. After logging in again, the situation repeats.
Here is the debug (debug user-identity all):
idfw_adagent[2]: IP-User mapping 10.255.112.4<->INE\aval_user_2 added
idfw_adagent[2]: IDFW HA: replicate cisco\user_2<->10.255.112.4/0/1/3 to peer
idfw_adagent[2]: [ADAGENT] update 10.255.112.4 <-> INE\aval_user_2 iptype 0 origin 0.0.0.0
idfw_adagent[2]: [ADAGENT] reply CoA-ACK to 172.18.0.78/1715
<.......>
idfw_adagent: NP IDFW: remove ip 10.255.112.4 from user aval_user_2 domain=1 uid=7 import=0 useripcnt=0 hashcnt=1
idfw_adagent: NP IDFW: netbios timer cancelled for user cisco\cisco_user_2
idfw_adagent[2]: IP-User mapping 10.255.112.4<->cisco\cisco_user_2 removed
idfw_adagent[2]: IDFW HA: replicate cisco\cisco_user_2<->10.255.112.4/0/0/7 to peer
idfw_adagent[2]: [ADAGENT] reply CoA-ACK to 172.18.0.78/1715
idfw_service[2]: executing AD-Agent monitor service callback
idfw_service[2]: [ADAGENT] keepalive 172.18.0.78(1) query submitted
idfw_service[2]: SERVICE AD-Agent monitor spent 0 msecs
idfw_service[2]: AD-Agent monitor update schedule 20000 msec
I tried adjusting the "NetBIOS logout probe" and other timers, but without success.
My configuration is below:
user-identity domain INE aaa-server AD.78
user-identity default-domain INE
user-identity action domain-controller-down INE disable-user-identity-rule
user-identity action netbios-response-fail remove-user-ip
user-identity inactive-user-timer minutes 120
user-identity logout-probe netbios local-system probe-time minutes 15 retry-interval seconds 3 retry-count 256 match-any
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent active-user-database on-demand
user-identity ad-agent hello-timer seconds 20 retry-times 3
user-identity ad-agent aaa-server adagent
user-identity user-not-found enable
!
aaa-server AD.78 protocol ldap
aaa-server AD.78 (inside) host 172.18.0.78
ldap-base-dn DC=ine,DC=com
ldap-scope subtree
ldap-login-password *****
ldap-login-dn aval_admin
ldap-over-ssl enable
server-type microsoft
aaa-server adagent protocol radius
ad-agent-mode
aaa-server adagent (inside) host 172.18.0.78
key *****
!
I'd be very grateful for any help.
Thanks in advance.
08-25-2011 08:06 AM
Hello,
Does the client PC respond to the NetBIOS probe? If so, what usernames does the PC return in response to the probe?
-Mike
09-21-2011 02:53 AM
How can I set up the NetBIOS probe in Windows XP?
Thanks~
04-05-2012 09:29 AM
Hello,
I am having the exact same problem that rudenko.alexander described above; here's the result of my debug:
idfw_adagent: NP IDFW: add 10.20.161.207/0/0 to MY-DOMAIN\TEST-USER/1 ipcnt=1 hashcnt=122
idfw_adagent: NP IDFW: netbios timer after 559 sec for user MY-DOMAIN\TEST-USER
idfw_adagent[0]: IP-User mapping 10.20.161.207<->MY-DOMAIN\TEST-USER added
idfw_adagent[0]: [ADAGENT] update 10.20.161.207 <-> MY-DOMAIN\TEST-USER iptype 0 origin 0.0.0.0
<...about 1 minute later...>
idfw_adagent: NP IDFW: remove ip 10.20.161.207 from user TEST-USER domain=1 uid=1 import=0 useripcnt=0 hashcnt=116
idfw_adagent: NP IDFW: netbios timer cancelled for user MY-DOMAIN\TEST-USER
idfw_adagent[0]: IP-User mapping 10.20.161.207<->MY-DOMAIN\TEST-USER removed
And my user-identity config:
user-identity domain MY-DOMAIN aaa-server LDAP
user-identity default-domain MY-DOMAIN
user-identity action ad-agent-down disable-user-identity-rule
user-identity action domain-controller-down MY-DOMAIN disable-user-identity-rule
user-identity action netbios-response-fail remove-user-ip
user-identity inactive-user-timer minutes 120
user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent aaa-server ADAGENT
Any ideas what I'm doing wrong?
04-05-2012 12:30 PM
Hi Robert,
Looks like we need to focus on this message:
idfw_adagent: NP IDFW: netbios timer cancelled for user MY-DOMAIN\TEST-USER
I don't have a list of what can cause cancellation of the netbios timer; I would assume under normal circumstances that would include expiration of a watchdog set somewhere. Does this always happen right at a minute, you say?
I think we can enable sending this debug as a syslog, which will get us a timestamp. I'll send the config for that.
Curtis
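Both debug captures in this thread show the same lifecycle: an IP-User mapping is added, a "netbios timer cancelled" line appears, and the mapping is removed well before the configured logout-probe interval (10 or 15 minutes) has elapsed. Once the debug is sent to syslog with timestamps, as Curtis suggests, that lifecycle can be measured rather than eyeballed. The script below is an added example, not code from the thread or from Cisco: it parses such timestamped lines, pairs each "added" with its "removed", records whether the NetBIOS timer was cancelled while the mapping was live, and flags mappings that disappeared before the probe could have fired even once. The sample log is constructed from the thread's own debug lines with an assumed "Mon DD YYYY HH:MM:SS" syslog timestamp prepended; the threshold is the `probe-time minutes` value from the `user-identity logout-probe` command.

```python
import re
from datetime import datetime

# Constructed sample input: the `debug user-identity all` lines quoted in the
# thread, with an assumed syslog-style timestamp prepended to each line (the
# thread's own output has none; sending the debug to syslog adds one).
SAMPLE_LOG = """\
Apr 05 2012 09:10:00 idfw_adagent: NP IDFW: add 10.20.161.207/0/0 to MY-DOMAIN\\TEST-USER/1 ipcnt=1 hashcnt=122
Apr 05 2012 09:10:00 idfw_adagent: NP IDFW: netbios timer after 559 sec for user MY-DOMAIN\\TEST-USER
Apr 05 2012 09:10:00 idfw_adagent[0]: IP-User mapping 10.20.161.207<->MY-DOMAIN\\TEST-USER added
Apr 05 2012 09:11:02 idfw_adagent: NP IDFW: netbios timer cancelled for user MY-DOMAIN\\TEST-USER
Apr 05 2012 09:11:02 idfw_adagent[0]: IP-User mapping 10.20.161.207<->MY-DOMAIN\\TEST-USER removed
Apr 05 2012 09:12:00 idfw_adagent[0]: IP-User mapping 10.20.161.250<->MY-DOMAIN\\OTHER-USER added
Apr 05 2012 09:30:00 idfw_adagent[0]: IP-User mapping 10.20.161.250<->MY-DOMAIN\\OTHER-USER removed
"""

TS_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (.*)$")
MAP_RE = re.compile(r"IP-User mapping (\S+)<->(\S+) (added|removed)")
TIMER_RE = re.compile(r"netbios timer (after (\d+) sec|cancelled) for user (\S+)")


def parse_line(line):
    """Return (timestamp, message) for a timestamped line, or None otherwise."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"), m.group(2)


def analyze(log_text, probe_time_minutes):
    """Track each IP<->user mapping from 'added' to 'removed'.

    Returns one record per completed mapping with its lifetime in seconds,
    whether the NetBIOS logout-probe timer was cancelled while it was live,
    and a 'premature' flag when the mapping was removed before the configured
    probe-time interval had elapsed (i.e. before the first probe was due).
    """
    probe_secs = probe_time_minutes * 60
    live = {}          # (ip, user) -> record for mappings currently active
    cancelled = set()  # users whose netbios timer was cancelled since 'added'
    results = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        ts, msg = parsed
        m = MAP_RE.search(msg)
        if m:
            ip, user, action = m.groups()
            key = (ip, user)
            if action == "added":
                live[key] = {"ip": ip, "user": user, "added": ts}
            elif key in live:
                rec = live.pop(key)
                lifetime = int((ts - rec["added"]).total_seconds())
                results.append({
                    "ip": ip,
                    "user": user,
                    "lifetime_seconds": lifetime,
                    "netbios_timer_cancelled": user in cancelled,
                    "premature": lifetime < probe_secs,
                })
                cancelled.discard(user)
            continue
        t = TIMER_RE.search(msg)
        if t and t.group(1) == "cancelled":
            cancelled.add(t.group(3))
    return results


if __name__ == "__main__":
    # probe-time minutes 10, as in the second poster's logout-probe line
    for rec in analyze(SAMPLE_LOG, probe_time_minutes=10):
        flag = "PREMATURE" if rec["premature"] else "ok"
        print(f"{rec['user']} {rec['ip']} lived {rec['lifetime_seconds']}s "
              f"netbios_cancelled={rec['netbios_timer_cancelled']} {flag}")
```

Run against a real capture, the `premature` records are the ones to correlate with the AD agent's own logs (the `CoA-ACK` replies to the agent show the removal originated there) and with the client's response to the NetBIOS probe, which is the question Mike raised earlier in the thread.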