You're seeing an error message in the Cato Management Application for the Domain Controller (DC). We're here to help! This article discusses some troubleshooting steps and solutions for common errors when performing the connection test in the Directory Services > Domain Controllers for Real Time Sync section.
Error - Cannot connect to Domain Controller (code 6)
If you see a code 6 connection error in the Cato Management Application as follows:
There are some steps you can take to troubleshoot the problem.
Reconnecting the Cato Socket
Sometimes this problem is solved when you use the Socket WebUI to disconnect and reconnect the Socket to the Cato Cloud.
WARNING! A Socket reconnect action disconnects all current sessions for the site. The Socket connects back to the Cato Cloud within a few seconds, and then connectivity is restored immediately. However, some connection-sensitive traffic (like phone calls) are dropped.
To perform a reconnect action on the Socket:
- Connect to the Socket WebUI, in your web browser, enter https://<Cato Socket IP address>
For example: https://10.0.0.26
- Enter the username and password.
- Select the Cato Connection Settings tab.
- Click Reconnect.
- Log out of the Socket WebUI.
Troubleshooting Connectivity to the DC
After you perform the Socket reconnect action, the DC error still persists, here are some additional suggestions to troubleshoot connectivity to the DC:
- Verify the DC connection to the Cato Cloud.
- Verify that there is two-way communication between the DC and the Cato Cloud.
To verify that the DC is connected to the Cato Cloud:
- Make sure that your DC is powered on.
- In the Cato Management Application, go to My Networks > Topology and make sure that the site with the DC is connected to the Cato Cloud.
- Verify that you ping the DC from a host at a different site, or while you are connected to the Cato VPN.
- If you can't ping the DC, here are some ways to troubleshoot the problem:
- In the Cato Management Application, check Analytics > Events in for a block event. Do you need to change the WAN Firewall policy to allow ICMP traffic to the DC?
- Check the routing table on the DC and make sure that the traffic is being routed to the Cato Socket or IPsec tunnel.
- Check the Windows Firewall policy on the DC to make sure that ICMP traffic is not blocked.
To verify the communication between the DC and the Cato Cloud:
- Run a packet capture either on the Socket's LAN interface.
- If the DC is behind an IPsec site, run the capture on the DC itself.
- If there is two-way communication, you can see a connection on TCP/135 to your DC initiated from the Cato VPN range (10.41.0.0/16 by default).
Note: Cato can use any IP address from the VPN range to initiate the connection.
Note: Starting in Windows Server 2008, you must also allow TCP 49152-65535 for the WMI process through any firewall. It is also possible to add a Windows firewall rule for the WMI service specifically. See : https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
- If you can't find a connection that shows two-way communication, here are some to troubleshoot the problem:
- If you don't see any traffic coming from the VPN range to the DC, contact Cato support.
- If you only see SYN packets on TCP/135 from the Cato VPN range to your DC, check the connectivity of the DC:
- Inspect the routing table on the DC and make sure that the traffic is routed to the Cato Socket or IPsec tunnel.
- Check the Windows Firewall policy on the DC and make sure that the traffic is not blocked.
Error: Cannot connect to Domain Controller 0xc0000022 NT_STATUS_ACCESS DENIED
If you see an Access Denied error message in the Cato Management Application as follows:
There are some steps you can take to troubleshoot the authentication problem:
- Check the username and password in the Cato Management Application.
- Make sure that the username is correct
- Try to re-enter the password - maybe there was a typo
- Verify that Cato is sending the correct username in the connection attempt. Run a packet capture on the LAN interface of the Socket or the DC itself.
- Filter the capture for the IP address of the DC and destination port 135.
- Using Wireshark, you should see a packet with Fault at the beginning of the info field and nca_s_fault_access_denied at the end. The packet prior to this contains the username and domain sent by Cato to the DC as shown in the screenshot below.
- Walk through all the configuration steps in the Online Help Guide once again to verify that every step was performed correctly. If permissions are not set correctly on the service account used for the connection, you will get an access denied error.
Hint: To verify that the error is caused by a permission issue on the DC, you can temporarily set a Domain admin as the service user. Domain admins have all the necessary permissions by default.
Error: Cannot connect to Domain Controller 0xc0000001 NT_STATUS_UNSUCCESSFUL
If you see the unsuccessful status error message in the Cato Management Application as follows:
“Cannot connect to Domain Controller 0xc0000001 NT_STATUS_UNSUCCESSFUL . Verify that you have correctly integrated the Domain Controller with Cato Network. If issue persists, contact Cato Support for assistance. Click here for details.”
This is a general error that can be the result of misconfigurations of the Domain Controller. We recommend to follow the configuration guide.