Perhaps your group mappings are failing, so for diagnostics try the following from CLI :-
show user group list
this will display user groups known to the firewall
show user group name " cn of group listed from above (use quotes if you have spaces)"
this will list all known members of that group
debug user-id refresh group-mapping all
this will force the firewall to sync with AD
this is also assuming that your user-ip mapping is also working correctly.
this cab also be tested via CLI :-
show user ip-user-mapping all
this will display all known user to ip mappings
2sec is too intrusive, but most important it shouldn't even be a valid configuration. The minimum possible value is 60 sec:
You really need to look at your logs ( useridd masterd_detail ) and determine what you actually have going on, or contact TAC and they can look through your logs. Depending on how large your directory is it's possible that even 60 seconds isn't giving the firewall enough time to finish the task and fully process everything before you ask it to restart the process; 60 seconds is the minimal rate allowed, but it can still be too quick depending on your environment.
lets take a step back - if understand correctly your assumption that firewall is not syncing with AD is based on rule not matching for new user that is added to the allow user group, correct?
Have you tried all the commands that @Mick_Ball provide you?
It is very important that username from user-to-ip mapping is identical to the username from the group mapping - including the domain.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!