Troubleshooting the Common Issues with IPS

The following table describes the common issues with IPS and provides the possible resolutions, with the relevant KB documents.

| Category | Description | Resolution/KB docs |
|---|---|---|
| Installation | Integrating Cisco IP phone 7941 or 7911G for 802.1X authentication with the IPS solution | For more information, see KB 13668. |
| Installation | Ivanti Secure Access Client prompts for certificate validation even though the Trusted Root certificate is installed | For problem resolution, see KB 23479. |
| Installation | Communication ports that are open by default on the IPS device | For more information, see KB 24280. |
| Layer 2 (802.1X, MAC Auth, SNMP, RADIUS) | 802.1X: "TLS handshake failed" posted to the IPS user access log | For problem resolution, see KB 13716. |
| Layer 2 (802.1X, MAC Auth, SNMP, RADIUS) | MAC Auth: Does IPS count MAC authentication against the concurrent user license? | For more information, see KB 24574. |
| Layer 2 (802.1X, MAC Auth, SNMP, RADIUS) | SNMP monitoring of IPS devices | For more information, see KB 26207. |
| Layer 2 (802.1X, MAC Auth, SNMP, RADIUS) | RADIUS: dropped new RADIUS authentication request | For resolution, see KB 30167. |
| Layer 3 (SRX, SOS, PAN, Fortinet) | Delay in removal of the user session from the Palo Alto firewall after termination of the session on IPS | For resolution, see KB 40165. |
| Host Checker | How to enforce domain membership with a Host Checker policy | For resolution, see KB 17389. |
| IF-MAP | Information on IF-MAP server and IF-MAP client | For more information, see KB 22006. |
| IF-MAP | Cannot find an option to enable the IF-MAP server in the admin GUI | For more information, see KB 23043. |
| Cluster | Cluster VIP flapping between both nodes in an Active/Passive cluster | For resolution, see KB 21584. |
| Cluster | Cluster licensing best practices | For more information, see KB 40093. |
| Cluster | Do the active nodes monitor the state of their own interfaces? | Each node monitors both of its interfaces by sending an ARP request to the default gateway. This ARP message is sent every 5 seconds, and the IPS waits up to 5 seconds for a response. If there is no response, the IPS begins a wait period of 45 seconds. If there is still no response, the IPS marks the interface as down. The ARP timeout value is configurable from the network settings page for each interface. Additionally, you can configure how many ARP ping timeouts are received before the interface is marked as down; this applies to both interfaces and all nodes in the cluster. On the cluster properties page, there is an option to have each IPS disable its external interface in the event its internal interface goes down. This is a cluster-wide setting. |
| Cluster | How big is the synchronization packet? | This depends on how much data is synchronized. It is observed that approximately 1 MB of data is transferred for 1000 users when a node is added to the cluster and synchronized. After the nodes are synchronized, data is sent only upon a status change, for example a change in user session status, in user properties (bookmarks), or in the system configuration. |
| Cluster | How does the IPS inform the local nodes if the passive node becomes the master? | When one IPS fails, the other IPS detects the outage and assumes the VIP. It then issues a gratuitous ARP so that all local nodes (switches and routers included) learn the new MAC address for the VIP. |
| Cluster | Explanation of LEADER cluster status and Sync Rank | For more information, see KB 13295. |
| Cluster | I have received my replacement IPS; how do I join it to my existing cluster? | For more information, see KB 13727. |
| Cluster | Procedure to collect logs | For more information, see KB 21714. |
| AAA (AD, LDAP, RADIUS) | Does the IPS server support multiple instances of Active Directory/Windows NT for the same domain? | For resolution, see KB 21702. |
| AAA (AD, LDAP, RADIUS) | What permissions are needed on the service account used by the ICS/IPS Active Directory standard mode authentication server, and how to set it up using the Delegate Control Wizard | For resolution, see KB 40401. |
| AAA (AD, LDAP, RADIUS) | Mapping based on Primary Group by using the LDAP Authorization Server | For more information, see KB 2527. |