04-23-2021 04:17 AM
Hello.
So I'm setting up data redistribution (mainly for user-id) between 2 clusters.
1 cluster has a GlobalProtect license and a working internal gateway (this solution will in time completely replace the agentless user-id).
I configured data redistribution.
The GP firewall is configured with a collector name (multi-vsys setup) and even sees 1 client connected (idle).
The 2nd firewall is configured with an agent config using host and port (didn't work on serial) and the status is connected.
When I try to use the serial method I can select: none, panorama or panorama2. I don't see any serial numbers, nor do I see anything indicating it's possibly my other firewall.
Yes, there is a Panorama, but it's a standalone VM and I would therefore like to avoid using it, as that would create a single point of failure for user-id policies (Panorama down and the 2nd firewall doesn't get any user-IP mappings from GP anymore).
When I log into the CLI of the 2nd firewall and do a "show user ip-user-mapping all", all I see is a load of user-to-IP mappings, all of type REDIST (indicating redistribution seems to be working).
The only exception: the 5-10 users currently testing the GlobalProtect method aren't seen.
No entries for their usernames or IPs.
So despite all documentation and some posts here stating data redistribution does not care about the source, it seems it's not redistributing any user mappings of type GP.
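A quick way to pin down the symptom described above (GP-sourced mappings present on the collector but absent on the client) is to diff the two "show user ip-user-mapping all" outputs. This is an added example, not part of the original thread or any Palo Alto tooling; the sample outputs are constructed and only modelled on the column layout of that command (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)), so check the regex against your own firewall's output first.

```python
import re

# Constructed sample output modelled on `show user ip-user-mapping all` on the
# collector (agent) firewall; the "From" column shows how each mapping was learned.
AGENT_OUTPUT = """\
IP              Vsys   From    User                IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------- -------------- -------------
10.10.1.20      vsys1  AD      corp\\alice          2700           2700
10.10.1.21      vsys1  AD      corp\\bob            2700           2700
172.16.50.10    vsys2  GP      corp\\carol          2400           2400
172.16.50.11    vsys2  GP      corp\\dave           2400           2400
Total: 4 users
"""

# Constructed client-side output: everything received via redistribution is
# shown as REDIST, so the original source (AD vs GP) is no longer visible here.
CLIENT_OUTPUT = """\
IP              Vsys   From    User                IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ------------------- -------------- -------------
10.10.1.20      vsys1  REDIST  corp\\alice          2650           2700
10.10.1.21      vsys1  REDIST  corp\\bob            2650           2700
Total: 2 users
"""

# One data row: IP, vsys, source, user, idle timeout, max timeout (both numeric).
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+\s*$")


def parse_mappings(text: str) -> dict:
    """Map IP -> {vsys, from, user}; header, separator and 'Total:' lines don't match."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, vsys, src, user = m.groups()
            rows[ip] = {"vsys": vsys, "from": src, "user": user}
    return rows


def missing_on_client(agent_text: str, client_text: str, source: str = "GP") -> set:
    """Agent mappings of `source` type that never showed up as REDIST on the client."""
    agent = parse_mappings(agent_text)
    client = parse_mappings(client_text)
    missing = set()
    for ip, row in agent.items():
        if row["from"] != source:
            continue
        got = client.get(ip)
        if got is None or got["user"] != row["user"] or got["from"] != "REDIST":
            missing.add(f"{row['user']}@{ip}")
    return missing
```

Run missing_on_client() on the two captured outputs; an empty set means every GP mapping on the collector arrived on the client, while a non-empty set lists exactly the user@IP pairs that were not redistributed.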
04-23-2021 09:18 AM
You are using version 10, as you are mentioning data redistribution and not user redistribution?
Shouldn't the second firewall also be the client if you want to see the GlobalProtect users from the first firewall? Maybe you think that the redistribution is in two directions, but it is not, so you need to configure firewall 1 to be client and agent and also firewall 2 to be client and agent. This is why it is better to have a central redistribution point like Panorama, and if it is a VM you can still make snapshots.
On the first firewall, do you see the GlobalProtect users that have connected to it when you view the IP-user mappings?
If your config is correct then maybe still test with the Panorama, and mind that the version is still not stable and it could be a bug. Also maybe the VSYS is causing issues; when you configure an agent there is no selection of a vsys, so it should redistribute the info from all vsys, but who knows, as I mentioned 10.0 is not stable.
04-26-2021 11:10 PM
Hello.
So yes, I'm using data redistribution.
The setup is: 1 firewall cluster collects all user data and redistributes to the 2nd.
So the 2nd is only a client, the 1st is only an agent.
User mappings on the first firewall are all okay (both agentless and GlobalProtect).
However, I decided to use an old Cisco ASA trick for when config (that should work) is not working: delete the entire config and set it up again.
And after this I finally got the GlobalProtect users to also show up.
I did nothing different (used the same names, interfaces, zones, settings...).
So I'm guessing possibly a bug in 10.0.3 or something.
I see that version 10.0.5 has become preferred just recently, so I will upgrade both firewalls to this version.