Cloud Identity Engine Troubleshooting Checklist

Review the checklist to troubleshoot Cloud Identity Engine configuration and connection issues.
Use the checklist below to troubleshoot general issues such as configuration or connection issues for the Cloud Identity Engine. After each task, check if the issue still exists before attempting the next task.
  1. Confirm that your configuration meets the system requirements.
  2. Use the Palo Alto Networks services status page (status.paloaltonetworks.com) to confirm that the Cloud Identity Engine service is active.
  3. (
    On-premises Active Directory only
    ) Confirm that you have configured your network to allow Cloud Identity Engine traffic.
  4. (
    On-premises Active Directory only
    ) Confirm your configuration is correct.
    • On the agent host:
      • Confirm you have administrator privileges for the agent host so that you can install and configure the agent.
      • Confirm that the
        Protocol
        you specify for the agent is supported and enabled on the agent host.
      • Close the agent and restart it.
      • Clear the DNS cache by entering the following command from an administrative command prompt:
        ipconfig /flushdns
        .
      • Confirm the server where you installed the agent meets the system requirements.
    • On the agent:
      • Stop and restart the connection to the Cloud Identity Engine service.
      • Confirm that the
        Bind DN
        and
        Bind Password
        are correct.
      • Confirm that the region for the
        Cloud Identity Engine
        in your
        Cloud Identity Configuration
        matches the region for your instance.
      • Confirm that the
        Domain
        is a fully qualified domain name and the specified
        Port
        on the Active Directory server allows communication with the Cloud Identity agent.
      • Try increasing your
        Bind Timeout
        and
        Search Timeout
        to allow more time for the agent to connect and the search to complete.
    • In the app:
      • Check the
        Agents & Certificates
        page to verify you are using the latest version of the agent.
      • Check the
        Directories
        and
        Agents & Certificates
        pages to confirm the domains the agent is monitoring are correct.
      • Check the
        Directories
        page to confirm the
        NetBIOS Name
        is not empty. If the NetBIOS Name is empty, correct the domain name in the Cloud Identity agent and commit your changes. Wait at least five minutes before using the
        Directories
        page to verify the domain name and NetBIOS name are now correct, then remove the entry for the incorrect domain in the app.
  5. (
    On-premises Active Directory only
    ) Check the status of your certificates.
    • On the agent host:
      • If you are using LDAPS or LDAP with STARTTLS, confirm the root and intermediate CA certificates that were used to issue your domain controller certificates are valid and available in the Local Computer Trusted Root CA.
      • Confirm that you are not using a certificate that was generated for another instance and that the certificate is not used for another agent or service.
      • Confirm you have generated a unique certificate in the Cloud Identity Engine app for each agent and that it is available in the Local Computer certificate store of the agent host.
    • In the app:
      • Check the
        Agents & Certificates
        page to verify that the agent has an associated
        Certificate
        .
      • Check the
        Agents & Certificates
        page to verify that the certificate status is not expired or revoked.
  6. (
    On-premises Active Directory only
    ) Confirm all connections are active.
    • On the agent:
      • Check the
        Cloud Identity Configuration
        to verify that the agent status is
        Running
        .
      • Check the
        LDAP Configuration
        is valid and
        Test Connectivity to AD
        to confirm the connection to your Active Directory is active.
      • View the
        Monitoring
        page to confirm the agent is
        Connected
        to the
        Cloud Identity Engine
        .
      • Check when the
        Last Update to Cloud Identity Engine
        was successful to determine the last time the agent was able to connect to the service.
      • Check when the
        Last LDAP Fetch
        was successful to determine the last time the agent was able to connect to your Active Directory.
    • In the app:
      • Check the
        Directories
        page for the
        Sync Status
        to determine if the last sync between the agent and the service was successful.
      • Check when the attributes were
        Last Updated
        by your Active Directory.
      • Check the
        Agents & Certificates
        page to confirm the agent’s
        Status
        is
        Online
        .
  7. (
    Cloud-based directory only
    ) If you are experiencing issues with your cloud-based directory:
    • Reconnect your directory to your Cloud Identity Engine instance.
    • Verify your directory credentials are correct.
    • Verify that you have granted the permissions that the Cloud Identity Engine requires.
If you are still encountering issues:

Recommended For You