I have found little information on how this works other than that the primary device makes the User-ID agent connections and sends them to the secondary.
User to IP Mappings
What I have found which is of note is that when the primary sends the User-ID mappings to the secondary, the timeouts are offset by the clock difference. So I have already resolved one issue where the secondary's User-ID mappings all timed out because the primary and secondary system clocks were 10 minutes out of sync (because the NTP server access was being blocked). You can force a refresh of the User-IDs on the secondary by running the command "debug user-id refresh user-id agent all" on the primary device. It seems this will force a push of the mappings to the secondary device.
User and Group Enumeration
So the problem I now have is how the group mappings work between the primary and secondary. It appears to be similar to the user-to-IP mapping, where none of the refresh commands work on the secondary and all the stats on the secondary show zero. However, I have a specific problem where the customer is adding a user group to AD and it's showing on the primary but not on the secondary. The configs are identical for group mappings and the system clocks are now synced. If we run a "debug user-id reset group-mappings all" on the primary, the new group shows on the primary but not on the secondary.
So I guess my question or discussion is: how does the group mapping process work with an Active/Active pair of Palos? Any input welcome.
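The clock-skew effect described in the post, as an added illustrative model (not PAN-OS code, and not the poster's): the primary pushes mappings with an expiry stamped from its own clock, and a secondary that is ahead by the skew sees correspondingly less remaining lifetime. The timeout, skew and user/IP values below are constructed; `max_tolerable_skew` is a hypothetical helper for sizing an NTP-drift alert against the configured User-ID timeout.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Simplified model of primary -> secondary User-ID mapping push under clock skew.
# Added example; behaviour is abstracted from the post, not taken from PAN-OS.


@dataclass
class Mapping:
    user: str
    ip: str
    expires_at: float  # absolute expiry in seconds, stamped on the PRIMARY's clock


def remaining_on_secondary(m: Mapping, secondary_now: float) -> float:
    """Seconds of life the secondary sees when it compares the pushed expiry
    against its own clock without correcting for the peer offset."""
    return m.expires_at - secondary_now


def expired_on_secondary(mappings: List[Mapping], secondary_now: float) -> List[str]:
    """Users whose mapping the secondary would drop as soon as it arrives."""
    return [m.user for m in mappings if remaining_on_secondary(m, secondary_now) <= 0]


def max_tolerable_skew(timeout_s: float, min_remaining_s: float = 0.0) -> float:
    """Largest forward skew (secondary ahead of primary) that still leaves a
    freshly pushed mapping at least min_remaining_s of life. Hypothetical
    helper for deriving an NTP-drift alert threshold from the User-ID timeout."""
    return timeout_s - min_remaining_s


def simulate(primary_now: float, skew_s: float, timeout_s: float,
             users: List[Tuple[str, float]]) -> Dict[str, object]:
    """Constructed scenario: each (user, age_s) is a mapping learned age_s
    seconds ago on the primary; the secondary's clock is skew_s seconds ahead."""
    mappings = [
        Mapping(u, f"10.0.0.{i + 1}", primary_now + timeout_s - age)  # constructed IPs
        for i, (u, age) in enumerate(users)
    ]
    secondary_now = primary_now + skew_s
    return {
        "remaining": {m.user: remaining_on_secondary(m, secondary_now) for m in mappings},
        "expired": expired_on_secondary(mappings, secondary_now),
    }
```

Run `simulate(1_000_000.0, 600.0, 2700.0, [("alice", 0.0), ("bob", 2400.0)])` to see a fresh mapping lose 10 minutes while an older one expires outright on the secondary.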