Cloud Identity Engine Troubleshooting Checklist
Review the checklist to troubleshoot Cloud Identity Engine
configuration and connection issues.
Use the checklist below to troubleshoot general issues, such as
configuration or connection issues, for the Cloud Identity Engine.
After each task, check whether the issue still exists
before attempting the next task.
- Confirm that your configuration meets the system requirements.
- Use the Palo Alto Networks services status page (status.paloaltonetworks.com) to confirm that the Cloud Identity Engine service is active.
- Use the system logs on the firewall associated with your Cloud Identity Engine tenant to check the Cloud Identity Engine status for any issues.
- (On-premises Active Directory only) Confirm that you have configured your network to allow Cloud Identity Engine traffic.
- (On-premises Active Directory only) Confirm your configuration is correct.
  - On the agent host:
    - Confirm you have administrator privileges for the agent host so that you can install and configure the agent.
    - Confirm that the Protocol you specify for the agent is supported and enabled on the agent host.
    - Close the agent and restart it.
    - Clear the DNS cache by entering the following command from an administrative command prompt: ipconfig /flushdns
    - Confirm the server where you installed the agent meets the system requirements.
  - On the agent:
    - Stop and restart the connection to the Cloud Identity Engine service.
    - Confirm that the Bind DN and Bind Password are correct.
    - Confirm that the region for the Cloud Identity Engine in your Cloud Identity Configuration matches the region for your tenant.
    - Confirm that the Domain is a fully qualified domain name and the specified Port on the Active Directory server allows communication with the Cloud Identity agent.
    - Try increasing your Bind Timeout and Search Timeout to allow more time for the agent to connect and the search to complete.
  - In the app:
    - Check the Agents & Certificates page to verify you are using the latest version of the agent.
    - Check the Directories and Agents & Certificates pages to confirm the domains the agent is monitoring are correct.
    - Check the Directories page to confirm the NetBIOS Name is not empty. If the NetBIOS Name is empty, correct the domain name in the Cloud Identity agent and commit your changes. Wait at least five minutes before using the Directories page to verify the domain name and NetBIOS name are now correct, then remove the entry for the incorrect domain in the app.
- (On-premises Active Directory only) Check the status of your certificates.
  - On the agent host:
    - If you are using LDAPS or LDAP with STARTTLS, confirm the root and intermediate CA certificates that were used to issue your domain controller certificates are valid and available in the Local Computer Trusted Root CA.
    - Confirm that you are not using a certificate that was generated for another tenant and that the certificate is not used for another agent or service.
    - Confirm you have generated a unique certificate in the Cloud Identity Engine app for each agent and that it is available in the Local Computer certificate store of the agent host.
  - In the app:
    - Check the Agents & Certificates page to verify that the agent has an associated Certificate.
    - Check the Agents & Certificates page to verify that the certificate status is not expired or revoked.
- (On-premises Active Directory only) Confirm all connections are active.
  - On the agent:
    - Check the Cloud Identity Configuration to verify that the agent status is Running.
    - Check that the LDAP Configuration is valid and use Test Connectivity to AD to confirm the connection to your Active Directory is active.
    - View the Monitoring page to confirm the agent is Connected to the Cloud Identity Engine.
    - Check when the Last Update to Cloud Identity Engine was successful to determine the last time the agent was able to connect to the service.
    - Check when the Last LDAP Fetch was successful to determine the last time the agent was able to connect to your Active Directory.
  - In the app:
    - Check the Directories page for the Sync Status to determine if the last sync between the agent and the service was successful.
    - Check when the attributes were Last Updated by your Active Directory.
    - Check the Agents & Certificates page to confirm the agent’s Status is Online.
- (Cloud-based directory only) If you are experiencing issues with your cloud-based directory:
  - Reconnect your directory to your Cloud Identity Engine tenant.
  - Verify your directory credentials are correct.
  - Verify that you have granted the permissions that the Cloud Identity Engine requires.
If you are still encountering issues:
- (On-premises Active Directory only) Use the Cloud Identity agent logs to review the errors logged by the agent.
- Learn more about how to troubleshoot specific errors.
- Find out how to Get Help.
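
Several of the agent-host checks in the checklist above (administrator privileges, FQDN and port reachability, CA and agent certificate validity) can be run together from PowerShell. The script below is an added example, not Palo Alto Networks code; the domain, port, CA subject text and warning window are placeholder assumptions, and it only reads state (it does not flush the DNS cache or change the agent).

```powershell
# Added example: read-only checks to run in PowerShell on the Cloud Identity agent host.
# The four values below are placeholders (assumptions); replace them with your own.
$Domain      = 'corp.example.com'  # Domain configured in the agent (must be an FQDN)
$Port        = 636                 # Port configured in the agent (636 is the standard LDAPS port)
$IssuerMatch = 'Example Corp CA'   # text found in the subject of your issuing CA certificates
$WarnDays    = 30                  # report certificates that expire within this many days

# Administrator privileges are required to install and configure the agent.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Administrator privileges: $isAdmin"

# The Domain must be fully qualified and must resolve from this host.
if ($Domain -notmatch '^[^.\s]+(\.[^.\s]+)+$') {
    Write-Warning "'$Domain' is not a fully qualified domain name."
}
try {
    $ips = (Resolve-DnsName -Name $Domain -ErrorAction Stop | Where-Object IPAddress).IPAddress
    "DNS resolution: $($ips -join ', ')"
} catch { Write-Warning "DNS lookup for $Domain failed: $($_.Exception.Message)" }

# The specified Port on the Active Directory server must accept connections from this host.
$tcp = Test-NetConnection -ComputerName $Domain -Port $Port -WarningAction SilentlyContinue
"TCP ${Domain}:$Port reachable: $($tcp.TcpTestSucceeded)"

# Report the validity of certificates in a Local Computer store, optionally filtered by subject.
function Get-CertState {
    param([string]$Store, [string]$Match = '')
    Get-ChildItem -Path "Cert:\LocalMachine\$Store" |
        Where-Object { $_.Subject -like "*$Match*" } |
        Select-Object @{n='Store';e={$Store}}, Subject, NotAfter, Thumbprint,
            @{n='State';e={
                if     ($_.NotAfter -lt (Get-Date))                    { 'EXPIRED' }
                elseif ($_.NotAfter -lt (Get-Date).AddDays($WarnDays)) { 'EXPIRING' }
                else                                                   { 'OK' } }}
}
# Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities,
# My = Personal (where a certificate imported for the agent would normally appear).
$ca = @(Get-CertState -Store Root -Match $IssuerMatch) + @(Get-CertState -Store CA -Match $IssuerMatch)
if (-not $ca) { Write-Warning "No CA certificate matching '$IssuerMatch' found in the Root or CA stores." }
($ca + @(Get-CertState -Store My)) | Format-Table -AutoSize
```

Any EXPIRED or EXPIRING row, a missing CA match, or a failed TCP test points to the corresponding checklist item to correct before retesting the agent connection.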