This playbook describes the steps to take when the scheduled sync between the Cato Management Application (CMA) and Active Directory over LDAP fails.
Overview
Active Directory is essential for provisioning users to the CMA, ensuring seamless onboarding and access to resources. If synchronization with AD fails, new users may be unable to connect or access necessary services, and security policies may not be properly enforced. Because this process is so important, an XOps story is generated whenever a sync between Active Directory and the CMA fails, enabling prompt resolution and minimizing potential disruptions.
When responding to Network XOps stories, it is essential to approach the problem in a systematic manner. First, verify that the issue is ongoing, then troubleshoot it, and finally confirm that the problem is resolved.
Step 1 - Verifying the Scheduled Sync Failed
The following are the different ways that a Cato Management Application admin can verify that a Scheduled Sync has failed.
- An XOps story is generated when a scheduled sync fails.
- Go to the Stories Workbench page and use the Network Operations preset with the filter 'Indication Contains LDAP'. Adjust the time frame as necessary.
- Check whether a story has been generated for the sync failure.
- Click the story to drill down into the details. The drill-down shows the story status, an incident timeline and, most importantly, the status of the scheduled sync.
- Further down in the story drill-down is the Incident Timeline, which highlights every change in the status of the scheduled syncs. The right pane shows the playbook workflow that outlines the steps for troubleshooting the issue.
Using the Event Dashboard
- Scheduled sync failures can also be verified by examining the relevant event entries.
- To view these events, filter the Event Dashboard by setting Sub-Type to Directory Service and Directory Sync Type to Scheduled. Adjust the time frame as needed to match when the issue occurred.
- If a scheduled sync failure was detected, you will see events similar to the examples in the table below. The event message states the reason for the sync failure, for example a "connect error" (error code 91).
Commonly Seen Event Messages
Event Message | Description
Failed to import LDAP data. Error Code: 81 (server down) | The domain controller is down or unreachable. Check connectivity to the server.
Unable to connect to any domain controller. Error code: 91 (connect error) | The domain controller is up, but the LDAP connection could not be established. Check the domain configuration in the CMA.
Invalid Credentials | The password configured for the Login DN is wrong, or the Login DN itself is incorrect.
Error codes 81 and 91 are reported by the LDAP client itself (the CMA never completed an LDAP exchange with the domain controller), whereas an Invalid Credentials response is LDAP result code 49 returned by the domain controller. The latter therefore proves that network connectivity is fine and narrows the problem to the Login DN or its password.
Step 2 - Troubleshooting the Scheduled Sync Failure
This section outlines the tools available in Cato for a structured troubleshooting approach to incidents of this type. The steps are generally meant to be followed in order, but the result of each check may determine the next step.
Performing a Manual Sync
- To determine whether the issue was a one-time occurrence, perform a manual sync with the AD domain controller (DC): navigate to Access > Directory Services > LDAP and click Sync Now.
- If the manual sync completes successfully, the Scheduled Sync Failure was probably an isolated incident. Check whether any network interruptions or server maintenance activities coincided with the scheduled sync time.
- If the manual sync also fails, the issue persists and the sync with the DC is not completing. In this case, review any recent configuration changes that may have caused the problem.
Reviewing Changes in Audit Trail
- Review the changes on the Audit Trail page to determine whether a configuration change caused the issue. This step is especially important if the scheduled sync had been working normally and stopped unexpectedly.
- To view changes made to the domain configuration, filter the Audit Trail by setting Model Type to Domain. Adjust the time frame as needed to match when the issue occurred.
- For example, if an admin changed the domain configuration and the timing of that change aligns with the Scheduled Sync Failure, revert the change to determine whether it is the cause.
- Another factor that can affect connectivity to the domain is the Static Host Reservation configured at the site where the domain controller is located.
- To check whether the Static Host Reservation was changed, open the Audit Trail and filter the results by setting Model Type to Site and Model Name to the site where the domain controller resides (for example, the HQ Office site).
Perform Connectivity Test to Domain Controller
To verify connectivity to the domain controller, perform a ping test from the LAN interface of the Socket at the site where the domain controller is located.
From the CMA, open the Socket web UI, navigate to Tools and select the Ping tab. Under Route via, choose LAN, enter the IP address of the domain controller, and click Run to execute the test.
- If the ping test succeeds, the domain controller is reachable at the IP level, so the issue is more likely a configuration mismatch between the DC and the CMA than a connectivity issue. Note that a successful ping does not prove that the LDAP port (TCP 389, or 636 for LDAPS) is open: an intermediate firewall may permit ICMP while blocking LDAP.
- If the ping test fails, verify that the domain controller is powered on and reachable. If the DC is running, check whether any intermediate devices (such as firewalls or routers) are blocking the connection.
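The three event messages in the table above and the ping test in this section both come down to one question: at which layer does the connection to the domain controller fail? The following script is an added example, not part of this playbook and not Cato's tooling. It reproduces the CMA's LDAPv3 simple bind from any Python 3 host on the DC's LAN using only the standard library, and reports the same outcomes the CMA events do: TCP connection failure (error code 81), TCP up but no usable LDAP reply (error code 91), and an LDAP resultCode 49 Invalid Credentials. It also flags resultCode 8 (strongerAuthRequired), which an AD domain controller returns when LDAP signing is enforced and a cleartext simple bind is attempted; connectivity is fine in that case and LDAPS is the fix. The host, port, Login DN and password are placeholders you supply; the loopback "fake DC" and the sample BindResponse bytes are constructed so the script runs offline.

```python
# Added example, not Cato's code: LDAPv3 simple bind (RFC 4511) from a LAN host, stdlib only.
# Host, port, Login DN and password are placeholders supplied by the caller.
import socket
import threading

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):  # INTEGER, minimal two's-complement (non-negative values only)
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def build_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind_req = tlv(0x60, ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + bind_req)

def read_tlv(buf, pos=0):
    """Return (tag, value, end_offset) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, body, _ = read_tlv(msg)                 # outer LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, rc, pos = read_tlv(op)                  # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)             # diagnosticMessage
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

def recv_message(sock):
    """Read one complete LDAPMessage; raise if the peer hangs up first."""
    buf = b""
    while len(buf) < 2 or read_tlv(buf)[2] > len(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ValueError("peer closed the connection before replying")
        buf += chunk
    return buf[:read_tlv(buf)[2]]

def classify_bind(result_code, diag):
    """Map a BindResponse to the buckets the CMA event messages use."""
    if result_code == 49:
        return "invalid credentials", f"DC rejected the Login DN/password (resultCode 49): {diag}"
    if result_code == 8:   # strongerAuthRequired: DC enforces LDAP signing, so use LDAPS
        return "policy", "DC refuses a cleartext simple bind (resultCode 8); connectivity itself is fine"
    return ("ok" if result_code == 0 else "ldap error"), f"resultCode {result_code}: {diag or 'bind succeeded'}"

def triage(host, port=389, bind_dn="", password="", timeout=5.0):
    """'server down' if TCP fails, 'connect error' if TCP works but LDAP does not, else the bind result."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "server down", f"TCP connect to {host}:{port} failed ({exc}); matches error code 81"
    with sock:
        try:
            sock.sendall(build_simple_bind(1, bind_dn, password))
            _, rc, diag = parse_bind_response(recv_message(sock))
        except (OSError, ValueError) as exc:
            return "connect error", f"TCP is up but the LDAP exchange failed ({exc}); matches error code 91"
    return classify_bind(rc, diag)

# Offline stand-ins (constructed, not captured from a real DC) so the script runs anywhere.
def sample_bind_response(result_code, diag, message_id=1):
    op = tlv(0x61, tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag.encode()))
    return tlv(0x30, ber_int(message_id) + op)

def fake_dc(reply=None, up=True):
    """Loopback stand-in for the DC. up=False: nothing listening (server down).
    reply=None: accepts, then hangs up (connect error). Otherwise answers with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if not up:
        srv.close()
        return port
    srv.listen(1)
    def serve():
        with srv, srv.accept()[0] as conn:
            conn.recv(4096)                    # consume the BindRequest
            if reply is not None:
                conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(triage("127.0.0.1", fake_dc(up=False)))
    print(triage("127.0.0.1", fake_dc()))
    print(triage("127.0.0.1", fake_dc(sample_bind_response(49, "constructed: bad password"))))
```

Against a real domain controller, call triage() with the DC IP address configured in the CMA, the LDAP port, and the Login DN and password (hypothetical values, for example triage("10.0.0.10", 389, "CN=svc,DC=corp,DC=example", "...")), from a machine behind the same Socket LAN interface the sync uses, so that the path under test matches the one the scheduled sync takes. A ping that succeeds while this script reports "server down" points at a firewall that permits ICMP but blocks TCP 389 or 636. Sending a real password over cleartext LDAP is only acceptable on the LAN segment the sync itself uses; use port 636 with TLS wrapping in production if the DC enforces signing.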
Step 3 - Verifying the Issue is Resolved
After identifying and resolving the cause of the scheduled sync failure, verify that the sync now shows as resolved in the story.
NOTE: Once the issue is resolved, the status of the story will change from "Open" to "Monitoring." It will remain in this state for the next hour, provided there are no further incidents. For more information, refer to Understanding the Stories Columns.
Raising Cases to Cato Support
If following this playbook has not resolved the issue, submit a Support ticket. To get the most helpful response, include the results of the troubleshooting steps taken (the event message and error code, the outcome of the manual sync, any relevant Audit Trail changes, and the result of the connectivity test).