Cloud Identity Engine Troubleshooting Checklist

Confirm that your configuration meets the system requirements.
Use the Palo Alto Networks services status page (status.paloaltonetworks.com) to confirm that the Cloud Identity Engine service is active.
Use the system logs on the firewall associated with your Cloud Identity Engine tenant to check the Cloud Identity Engine status for any issues.
(
On-premises Active Directory only
) Confirm that you have configured your network to allow Cloud Identity Engine traffic.
(
On-premises Active Directory only
) Confirm your configuration is correct.
On the agent host:
Confirm you have administrator privileges for the agent host so that you can install and configure the agent.
Confirm that the
Protocol
you specify for the agent is supported and enabled on the agent host.
Close the agent and restart it.
Clear the DNS cache by entering the following command from an administrative command prompt:
ipconfig /flushdns
.
Confirm the server where you installed the agent meets the system requirements.
On the agent:
Stop and restart the connection to the Cloud Identity Engine service.
Confirm that the
Bind DN
and
Bind Password
are correct.
Confirm that the region for the
Cloud Identity Engine
in your
Cloud Identity Configuration
matches the region for your tenant.
Confirm that the
Domain
is a fully qualified domain name and the specified
Port
on the Active Directory server allows communication with the Cloud Identity agent.
Try increasing your
Bind Timeout
and
Search Timeout
to allow more time for the agent to connect and the search to complete.
In the app:
Check the
Agents & Certificates
page to verify you are using the latest version of the agent.
Check the
Directories
and
Agents & Certificates
pages to confirm the domains the agent is monitoring are correct.
Check the
Directories
page to confirm the
NetBIOS Name
is not empty. If the NetBIOS Name is empty, correct the domain name in the Cloud Identity agent and commit your changes. Wait at least five minutes before using the
Directories
page to verify the domain name and NetBIOS name are now correct, then remove the entry for the incorrect domain in the app.
(
On-premises Active Directory only
) Check the status of your certificates.
On the agent host:
If you are using LDAPS or LDAP with STARTTLS, confirm the root and intermediate CA certificates that were used to issue your domain controller certificates are valid and available in the Local Computer Trusted Root CA.
Confirm that you are not using a certificate that was generated for another tenant and that the certificate is not used for another agent or service.
Confirm you have generated a unique certificate in the Cloud Identity Engine app for each agent and that it is available in the Local Computer certificate store of the agent host.
In the app:
Check the
Agents & Certificates
page to verify that the agent has an associated
Certificate
.
Check the
Agents & Certificates
page to verify that the certificate status is not expired or revoked.
(
On-premises Active Directory only
) Confirm all connections are active.
On the agent:
Check the
Cloud Identity Configuration
to verify that the agent status is
Running
.
Check the
LDAP Configuration
is valid and
Test Connectivity to AD
to confirm the connection to your Active Directory is active.
View the
Monitoring
page to confirm the agent is
Connected
to the
Cloud Identity Engine
.
Check when the
Last Update to Cloud Identity Engine
was successful to determine the last time the agent was able to connect to the service.
Check when the
Last LDAP Fetch
was successful to determine the last time the agent was able to connect to your Active Directory.
In the app:
Check the
Directories
page for the
Sync Status
to determine if the last sync between the agent and the service was successful.
Check when the attributes were
Last Updated
by your Active Directory.
Check the
Agents & Certificates
page to confirm the agent’s
Status
is
Online
.
(
Cloud-based directory only
) If you are experiencing issues with your cloud-based directory:
Reconnect your directory to your Cloud Identity Engine tenant.
Verify your directory credentials are correct.
Verify that you have granted the permissions that the Cloud Identity Engine requires.