Cloud Identity Engine Troubleshooting Checklist

Review the checklist to troubleshoot Cloud Identity Engine configuration and connection issues.
Use the checklist below to troubleshoot general Cloud Identity Engine issues, such as configuration or connection problems. After each task, check whether the issue persists before attempting the next task.
  1. Confirm that your configuration meets the system requirements.
  2. Use the Palo Alto Networks services status page (status.paloaltonetworks.com) to confirm that the Cloud Identity Engine service is active.
  3. Use the system logs on the firewall associated with your Cloud Identity Engine tenant to check the Cloud Identity Engine status for any issues.
  4. (On-premises Active Directory only) Confirm that you have configured your network to allow Cloud Identity Engine traffic, and search the Cloud Identity agent logs for any possible causes of the issue.
  5. (On-premises Active Directory only) Confirm your configuration is correct.
    • On the agent host:
      • Confirm you have administrator privileges for the agent host so that you can install and configure the agent.
      • Confirm that the Protocol you specify for the agent is supported and enabled on the agent host.
      • Close the agent and restart it.
      • Clear the DNS cache by entering the following command from an administrative command prompt: ipconfig /flushdns.
      • Confirm the server where you installed the agent meets the system requirements.
    • On the agent:
      • Stop and restart the connection to the Cloud Identity Engine service.
      • Confirm that the Bind DN and Bind Password are correct.
      • Confirm that the region for the Cloud Identity Engine in your Cloud Identity Configuration matches the region for your tenant.
      • Confirm that the Domain is a fully qualified domain name and the specified Port on the Active Directory server allows communication with the Cloud Identity agent.
      • Try increasing your Bind Timeout and Search Timeout to allow more time for the agent to connect and the search to complete.
    • In the app:
      • Check the Agents & Certificates page to verify you are using the latest version of the agent.
      • Check the Directories and Agents & Certificates pages to confirm the domains the agent is monitoring are correct.
      • Check the Directories page to confirm the NetBIOS Name is not empty. If the NetBIOS Name is empty, correct the domain name in the Cloud Identity agent and commit your changes. Wait at least five minutes, use the Directories page to verify that the domain name and NetBIOS name are now correct, then remove the entry for the incorrect domain in the app.
  6. (On-premises Active Directory only) Check the status of your certificates.
    • On the agent host:
      • If you are using LDAPS or LDAP with STARTTLS, confirm that the root and intermediate CA certificates that issued your domain controller certificates are valid and present in the Local Computer Trusted Root Certification Authorities store (chain building on the agent host also picks up intermediates from the Local Computer Intermediate Certification Authorities store). The check must be done against the Local Computer stores, not the Current User stores, because the agent runs as a service.
      • Confirm that you are not using a certificate that was generated for another tenant and that the certificate is not used for another agent or service.
      • Confirm you have generated a unique certificate in the Cloud Identity Engine app for each agent and that it is available in the Local Computer certificate store of the agent host.
    • In the app:
      • Check the Agents & Certificates page to verify that the agent has an associated Certificate.
      • Check the Agents & Certificates page to verify that the certificate status is not expired or revoked.
  7. (On-premises Active Directory only) Confirm all connections are active.
    • On the agent:
      • Check the Cloud Identity Configuration to verify that the agent status is Running.
      • Check the LDAP Configuration is valid and Test Connectivity to AD to confirm the connection to your Active Directory is active.
      • View the Monitoring page to confirm the agent is Connected to the Cloud Identity Engine.
      • Check when the Last Update to Cloud Identity Engine was successful to determine the last time the agent was able to connect to the service.
      • Check when the Last LDAP Fetch was successful to determine the last time the agent was able to connect to your Active Directory.
    • In the app:
      • Check the Directories page for the Sync Status to determine if the last sync between the agent and the service was successful.
      • Check when the attributes were Last Updated by your Active Directory.
      • Check the Agents & Certificates page to confirm the agent’s Status is Online.
  8. (Cloud-based directory only) If you are experiencing issues with your cloud-based directory:
    • Reconnect your directory to your Cloud Identity Engine tenant.
    • Verify your directory credentials are correct.
    • Verify that you have granted the permissions that the Cloud Identity Engine requires.
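The agent-host checks in steps 4 to 7 (DNS resolution of the domain FQDN, reachability of the configured Port, the LDAPS certificate chain against the Local Computer store, and an LDAP bind and search with the Bind DN, Bind Password, Bind Timeout and Search Timeout) can be run from one PowerShell session on the agent host before touching the agent itself. The script below is an added example, not Palo Alto Networks code or part of the Cloud Identity agent; the domain name, port, Bind DN and timeouts are hypothetical values that you replace with those from your Cloud Identity Configuration.

```powershell
# Added preflight check for a Cloud Identity agent host (example, not Palo Alto Networks code).
# Run from an administrative PowerShell prompt on the agent host.
# The Domain, Port, BindDN and timeout values below are assumed placeholders.
param(
    [string]$Domain           = 'corp.example.com',   # must be the FQDN, as the agent requires
    [int]$Port                = 636,                  # 636 = LDAPS; 389 = LDAP or LDAP with STARTTLS
    [string]$BindDN           = 'CN=cie-agent,OU=Service Accounts,DC=corp,DC=example,DC=com',
    [int]$BindTimeoutSec      = 30,                   # mirrors the agent's Bind Timeout
    [int]$SearchTimeoutSec    = 60                    # mirrors the agent's Search Timeout
)
$ErrorActionPreference = 'Stop'
$BindPassword = Read-Host -AsSecureString -Prompt "Bind Password for $BindDN"

# 1. DNS: clear the resolver cache (same effect as 'ipconfig /flushdns'), then resolve the FQDN.
Clear-DnsClientCache
$records = Resolve-DnsName -Name $Domain -Type A
Write-Host "[dns] $Domain -> $($records.IPAddress -join ', ')"

# 2. Network: the configured port on the directory must be reachable from this host.
$tcp = Test-NetConnection -ComputerName $Domain -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "[net] TCP $Port to $Domain failed: check firewall rules between the agent host and the domain controllers"
}
Write-Host "[net] TCP $Port to $Domain reachable via $($tcp.RemoteAddress)"

# 3. Certificates (LDAPS only): fetch the DC certificate and build its chain using the
#    Local Computer stores, which is what the agent (a service) uses. Any chain error here
#    means the issuing root/intermediate CA is missing or invalid in Cert:\LocalMachine.
if ($Port -eq 636) {
    $client = [System.Net.Sockets.TcpClient]::new($Domain, $Port)
    # Accept the server certificate in the callback; validation is done explicitly below so the
    # reason for a failure can be reported instead of just "handshake failed".
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
    $ssl.AuthenticateAsClient($Domain)
    $dcCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $ssl.Dispose(); $client.Dispose()

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)   # $true = machine context
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($dcCert)) {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "[tls] $($dcCert.Subject): $($status.Status) - $($status.StatusInformation.Trim())"
        }
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        throw "[tls] chain for $($dcCert.Subject) is not trusted; top of chain is '$($top.Subject)' issued by '$($top.Issuer)'. Import the issuing CA into Cert:\LocalMachine\Root (or \CA for intermediates)."
    }
    Write-Host "[tls] DC certificate $($dcCert.Subject) chains to trusted root, expires $($dcCert.NotAfter)"
}

# 4. LDAP bind with the agent's Bind DN / Bind Password, bounded by the Bind Timeout.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Domain, $Port, $true, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic     # simple bind, as with a Bind DN
$conn.Timeout  = [TimeSpan]::FromSeconds($BindTimeoutSec)
$plain = [System.Net.NetworkCredential]::new('', $BindPassword).Password
$conn.Credential = [System.Net.NetworkCredential]::new($BindDN, $plain)
try {
    $conn.Bind()
    Write-Host "[ldap] bind as $BindDN succeeded within $BindTimeoutSec s"
} catch [System.DirectoryServices.Protocols.LdapException] {
    # 49 = invalidCredentials (wrong Bind DN or Bind Password); a timeout surfaces as a different code.
    throw "[ldap] bind failed: LDAP error $($_.Exception.ErrorCode) - $($_.Exception.Message)"
}

# 5. A small search bounded by the Search Timeout, to show the account can actually read users.
$rootDse = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base, 'defaultNamingContext')
$baseDn = $conn.SendRequest($rootDse).Entries[0].Attributes['defaultNamingContext'][0]
$search = [System.DirectoryServices.Protocols.SearchRequest]::new($baseDn,
    '(sAMAccountType=805306368)',                                       # user objects
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'sAMAccountName')
$search.SizeLimit = 5
$result = $conn.SendRequest($search, [TimeSpan]::FromSeconds($SearchTimeoutSec))
Write-Host "[ldap] search under $baseDn returned $($result.Entries.Count) sample user(s) within $SearchTimeoutSec s"
$conn.Dispose()
```

If step 3 fails while the agent's Test Connectivity to AD also fails, the missing or expired CA certificate is the cause; fix the Local Computer store before changing anything in the app. If the bind in step 4 returns LDAP error 49 but the search would otherwise succeed, the Bind DN or Bind Password in the agent is wrong; if the bind or search only fails under load, raise the corresponding timeout in the agent, which is the same knob the script's two timeout parameters model.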
If you are still encountering issues: