I have group mappings present on the Primary Firewall that are not passing to the Secondary Firewall, specifically for a new group created today. I have tried the various debug refresh commands on both boxes to attempt to get the secondary box to pull the new group, but no joy. Can anyone suggest what the issue here may be? As far as the secondary box is concerned, the group doesn't exist. This is kind of important, as that box is primary for connectivity for a certain subnet on which I cannot enforce a policy based on group membership.
Did you happen to check the filter in the Device tab > User Identification > Group Mapping Settings?
There could be a filter there that prevents the new group from showing up.
No filter that is relevant to the group in question. It has got worse: we have a new user that's been added in AD, and it can be seen on the Primary but not on the Secondary, even after a day. Also, the group number enumeration between the two is not the same. Any ideas why the secondary is not syncing up with the User-ID and group information from the primary?
Does the secondary show a correctly connected IP address?
> show user user-id-agent state <your-id-agent-name>
Does a forced sync change the status?
> debug user-id refresh group-mapping (Name of group-mapping, or all)