Troubleshooting the Common Issues with IPS
The table below lists the common issues with Ivanti Policy Secure (IPS), grouped by area, and points to the possible resolution or the knowledge base (KB) article that covers it.
| Category | Description | Resolution/KB docs |
|---|---|---|
| Installation | Integrating Cisco IP phone 7941 or 7911G for 802.1X authentication with the Ivanti Policy Secure solution | For more information, see KB 13668. |
| | Ivanti Secure Access Client prompts for certificate validation even though the Trusted Root certificate is installed | For problem resolution, see KB 23479. |
| | Communication ports that are open by default on the Ivanti Policy Secure device | For more information, see KB 24280. |
| Layer 2 (802.1X, MAC Auth, SNMP, RADIUS) | 802.1X: "TLS handshake failed" posted to the Ivanti Policy Secure user access log | For problem resolution, see KB 13716. |
| | MAC Auth: Does Ivanti Policy Secure count MAC authentication against the concurrent user license? | For more information, see KB 24574. |
| | SNMP monitoring of Ivanti Policy Secure devices | For more information, see KB 26207. |
| | RADIUS: dropped new RADIUS authentication request | For resolution, see KB 30167. |
| Layer 3 (SRX, SOS, PAN, Fortinet) | Juniper SRX firewalls disconnect and reconnect at random times, causing loss of access to protected resources | For resolution, see KB 40024. |
| | Delay in removal of the user session from the Palo Alto firewall after termination of the session on IPS | For resolution, see KB 40165. |
| Host Checker | Upgrading ESAP in an L2 authentication environment | For resolution, see KB 28732. |
| | How to enforce domain membership with a Host Checker policy | For resolution, see KB 22006. |
| | Cannot find an option to enable the IF-MAP server in the admin GUI | For more information, see KB 23043. |
| Cluster | Cluster VIP flapping between both nodes in an Active/Passive cluster | For resolution, see KB 21584. |
| | Cluster licensing best practices | For more information, see KB 40093. |
| | Do the active nodes monitor the state of their own interfaces? | Each node monitors both of its interfaces by sending an ARP to the default gateway. This ARP message is sent every 5 seconds, and the Ivanti Policy Secure waits up to 5 seconds for a response. If there is no response, the Ivanti Policy Secure begins a wait period of 45 seconds. If there is still no response, the Ivanti Policy Secure marks the interface as down. The ARP timeout value is configurable from the network settings page for each interface. Additionally, you can configure how many ARP ping timeouts must occur before the interface is marked as down; this applies to both interfaces and to all nodes in the cluster. On the cluster properties page, there is an option to have each Ivanti Policy Secure disable its external interface if its internal interface goes down. This is a cluster-wide setting. |
| | How big is the synchronization packet? | This depends on how much data is synchronized. Approximately 1 MB of data is transferred for 1000 users when a node is added to the cluster and synchronized. After the nodes are synchronized, data is sent only upon a status change, for example a change in user session status, in user properties (bookmarks), or in the system configuration. |
| | How does the Ivanti Policy Secure inform the local nodes if the passive node becomes the master? | When one Ivanti Policy Secure fails, the other Ivanti Policy Secure detects the outage and assumes the VIP. It then issues a gratuitous ARP so that all local nodes (switches and routers included) learn the new MAC address for the VIP. |
| | Explanation of LEADER cluster status and Sync Rank | For more information, see KB 13295. |
| | I have received my replacement IPS; how do I join it to my existing cluster? | For more information, see KB 13727. |
| | Procedure for replacing a device in an Active/Passive or Active/Active cluster | For more information, see KB 16146. |
| | Procedure to collect logs | For more information, see KB 21714. |
| AAA (AD, LDAP, RADIUS) | Users intermittently fail authentication to Active Directory; NT_STATUS_IO_TIMEOUT seen in the logs | For resolution, see KB 40179. |
| | Does the Ivanti Policy Secure server support multiple instances of Active Directory/Windows NT for the same domain? | For resolution, see KB 21702. |
| | What permissions are needed on the service account used by the ICS/IPS Active Directory standard mode authentication server, and how to set them up using the Delegate Control Wizard | For resolution, see KB 40401. |
| | Mapping based on Primary Group by using the LDAP Authorization Server | For more information, see KB 2527. |
| Guest | 500 Internal Error when attempting to sign in to the GUAM portal. Customization of GUAM is no longer supported from the Ivanti Policy Secure 5.2 release onwards. | For resolution, see KB 40296. |