Solving synchronization failures

Authorization problems can cause synchronization failures.

API synchronization between Sophos Cloud Optix and cloud environments can fail for different reasons. You can solve many of these failures.

The tables below show what can cause these failures and how to solve them for AWS, Microsoft Azure, and GCP cloud environments. In most cases the fix is either to repair the credential or role that Sophos Cloud Optix uses, or to add the environment again so that it is recreated.

AWS synchronization failures

Failure reason: The Sophos-Optix-Role has been deleted from your AWS account. In legacy environments this role may be called Avid-Role.
Solution: Add the environment to Sophos Cloud Optix again.

Failure reason: The trust relationship for the Sophos-Optix-Role has changed in your AWS account, so Sophos Cloud Optix can no longer assume the role.
Solution: Add the environment again.

Failure reason: The external ID for the Sophos-Optix-Role has changed in your AWS account, so the role's trust policy no longer accepts the external ID that Sophos Cloud Optix presents.
Solution: Add the environment again.

Failure reason: Explicit deny statements have been added to the role's permissions policies.
Solution: Remove the explicit deny statements from the role, or remove the role and add the environment again.

Failure reason: AWS service control policies (SCPs) deny access to some regions or services. For more information, see Testing effects of AWS service control policies.
Solution: Relax the SCP, or change the regions that Sophos Cloud Optix synchronizes. For more details on changing the allowed regions, see Change API sync regions for AWS environments.
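The first four AWS failure reasons can be confirmed from the role's IAM data before you add the environment again. The Python below is an added example, not Sophos Cloud Optix code: it takes the parsed output of `aws iam get-role --role-name Sophos-Optix-Role` (plus the role's policy documents, from `aws iam get-role-policy` and `aws iam get-policy-version`) and reports which failure reason from the table applies. The principal ARN, the external ID and the sample policy documents are placeholders and constructed data, not values from any real account; take the real principal and external ID from the Cloud Optix console when you add an environment. SCP effects are out of scope here, because SCPs are attached in the organization's management account rather than on the role.

```python
# Added example: maps IAM data for Sophos-Optix-Role onto the failure reasons
# in the table above. Not Sophos code. The principal and external ID are
# placeholders (assumptions); take the real values from the Cloud Optix console.
ROLE_NAME = "Sophos-Optix-Role"  # legacy environments may use Avid-Role
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"  # placeholder (assumption)
EXPECTED_EXTERNAL_ID = "example-external-id"          # placeholder (assumption)


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_doc, expected_principal, expected_external_id):
    """Return a list of problems with the trust relationship (empty means healthy).

    A healthy trust policy has an Allow statement for sts:AssumeRole whose
    Principal is the expected account and whose Condition pins sts:ExternalId.
    """
    assume = [s for s in _as_list(trust_doc.get("Statement"))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    for stmt in assume:
        if expected_principal not in _as_list((stmt.get("Principal") or {}).get("AWS")):
            continue
        cond = (stmt.get("Condition") or {}).get("StringEquals") or {}
        ext_id = cond.get("sts:ExternalId")
        if ext_id is None:
            return ["external ID condition missing from trust policy"]
        if ext_id != expected_external_id:
            return ["external ID changed (trust policy now requires %r)" % ext_id]
        return []
    return ["trust relationship changed: %s can no longer assume the role"
            % expected_principal]


def find_explicit_denies(policy_doc):
    """Return the explicit Deny statements in a permissions policy document."""
    return [s for s in _as_list(policy_doc.get("Statement")) if s.get("Effect") == "Deny"]


def diagnose(get_role_output, policy_docs,
             expected_principal=EXPECTED_PRINCIPAL,
             expected_external_id=EXPECTED_EXTERNAL_ID):
    """Map raw IAM data onto the failure reasons and solutions in the table.

    get_role_output: parsed JSON from `aws iam get-role --role-name <name>`,
                     or None if that call failed with NoSuchEntity.
    policy_docs:     parsed policy documents attached to the role (inline ones
                     from `aws iam get-role-policy`, managed ones from
                     `aws iam get-policy-version`).
    """
    if get_role_output is None:
        return {"reason": "role deleted",
                "solution": "Add the environment to Sophos Cloud Optix again."}
    trust = get_role_output["Role"]["AssumeRolePolicyDocument"]
    problems = check_trust_policy(trust, expected_principal, expected_external_id)
    if problems:
        return {"reason": "; ".join(problems), "solution": "Add the environment again."}
    denies = [s for doc in policy_docs for s in find_explicit_denies(doc)]
    if denies:
        sids = ", ".join(s.get("Sid", "<no Sid>") for s in denies)
        return {"reason": "explicit deny statements: " + sids,
                "solution": "Remove the deny statements, or remove the role "
                            "and add the environment again."}
    return {"reason": None,
            "solution": "Role, trust relationship and external ID are intact; "
                        "check service control policies next."}


# Constructed sample data (not real account output): the trust policy still
# names the right principal, but someone changed the external ID.
SAMPLE_GET_ROLE = {"Role": {
    "RoleName": ROLE_NAME,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": EXPECTED_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "someone-changed-this"}},
        }],
    },
}}
SAMPLE_POLICY_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:Describe*", "s3:List*"], "Resource": "*"},
    {"Sid": "BlockS3", "Effect": "Deny", "Action": "s3:*", "Resource": "*"},
]}

if __name__ == "__main__":
    print(diagnose(None, []))
    print(diagnose(SAMPLE_GET_ROLE, [SAMPLE_POLICY_WITH_DENY]))
```

The checks are ordered the way the table is: a missing role makes every other check moot, a broken trust relationship or external ID stops the role being assumed at all, and explicit denies only matter once the role can be assumed. Note that `aws iam get-role` returns the trust policy already decoded as JSON, which is what `diagnose` expects.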

Microsoft Azure synchronization failures

Microsoft refers to client secrets as application secrets, but some of the error messages we receive still use the term client secret.

Failure reason: Sophos Cloud Optix has received error AADSTS7000222 from Microsoft. This means the client secret that Sophos Cloud Optix uses has expired.
Solution: Create a new application secret in Microsoft Azure, then use it for the Azure environment in Sophos Cloud Optix. For more details, see Create new Azure secret.

Failure reason: The application secret for the Sophos Cloud Optix Azure AD app has been deleted or changed.
Solution: Create a new application secret in Microsoft Azure, then use it for your Azure environment in Sophos Cloud Optix. For more details, see Create new Azure secret.

Failure reason: The Sophos Cloud Optix app has been deleted from your Azure AD tenant.
Solution: Add the environment to Sophos Cloud Optix again.

Failure reason: The permissions of the Sophos Cloud Optix app on your Azure subscription have been revoked.
Solution: Add the environment again.

Failure reason: The access token is from the wrong issuer. The tenant that issued the token no longer matches the tenant the environment was added from.
Solution: Your subscription has been transferred to another tenant. Add the environment again.

Failure reason: The subscription could not be found.
Solution: Verify that the subscription still exists and that its ID is correct. Add the environment again.
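Two of the Azure failure reasons can be checked locally before you create a new secret or add the environment again: whether the app's secrets have expired (AADSTS7000222), and whether an access token was issued by the tenant you expect (the wrong-issuer case after a subscription transfer). The Python below is an added example, not Sophos Cloud Optix code. The credential list is constructed to look like the output of `az ad app credential list --id <appId>` (the `keyId` and `endDateTime` field names are an assumption about that output; adjust them if your CLI version differs), the tenant ID is a placeholder, and the sample token is an unsigned JWT built inline for illustration. The token helper only reads claims and does not verify the signature, so it is a diagnostic, not token validation.

```python
# Added example: local checks for two Azure failure reasons above. Not Sophos code.
import base64
import json
from datetime import datetime, timedelta, timezone

EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant ID (assumption)


def _parse_time(value):
    """Parse the ISO 8601 timestamps the Azure CLI emits (with 'Z' or '+00:00')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_secrets(credentials, now=None, warn_days=30):
    """Classify each password credential as 'expired', 'expiring' or 'ok'.

    credentials: dicts with at least keyId and endDateTime, shaped like the
    output of `az ad app credential list --id <appId>` (field names assumed).
    An 'expired' secret is what produces AADSTS7000222.
    """
    now = now or datetime.now(timezone.utc)
    result = {}
    for cred in credentials:
        expires = _parse_time(cred["endDateTime"])
        if expires <= now:
            state = "expired"
        elif expires - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        result[cred["keyId"]] = state
    return result


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(jwt):
    """Return the payload claims of a compact JWT WITHOUT verifying its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches_tenant(jwt, expected_tenant_id):
    """True if both the tid claim and the iss URL belong to expected_tenant_id.

    Azure AD puts the tenant ID in `tid` and embeds it in `iss`
    (https://sts.windows.net/<tenant>/ for v1 tokens,
    https://login.microsoftonline.com/<tenant>/v2.0 for v2 tokens).
    """
    claims = token_claims(jwt)
    return claims.get("tid") == expected_tenant_id and expected_tenant_id in claims.get("iss", "")


def _fake_jwt(claims):
    """Build an UNSIGNED JWT for the constructed sample below; never do this for real tokens."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample data (not real Azure output).
OTHER_TENANT = "99999999-8888-7777-6666-555555555555"
SAMPLE_WRONG_ISSUER_TOKEN = _fake_jwt({
    "iss": "https://sts.windows.net/%s/" % OTHER_TENANT,
    "tid": OTHER_TENANT,
    "aud": "https://management.azure.com/",
})
SAMPLE_CREDENTIALS = [
    {"keyId": "a1", "displayName": "optix-2022", "endDateTime": "2023-06-30T00:00:00+00:00"},
    {"keyId": "b2", "displayName": "optix-2024", "endDateTime": "2024-07-15T00:00:00Z"},
    {"keyId": "c3", "displayName": "optix-2025", "endDateTime": "2026-01-01T00:00:00+00:00"},
]
SAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(classify_secrets(SAMPLE_CREDENTIALS, now=SAMPLE_NOW))
    print("issuer ok:", issuer_matches_tenant(SAMPLE_WRONG_ISSUER_TOKEN, EXPECTED_TENANT))
```

If `classify_secrets` reports the secret Sophos Cloud Optix uses as expired or expiring, create a new application secret and update the environment as the table says; if `issuer_matches_tenant` is False for a token minted by the app, the subscription has moved to another tenant and the environment must be added again.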

GCP synchronization failures

Failure reason: A required API is disabled.
Solution: You must turn on the following APIs in your Google Cloud project for Sophos Cloud Optix:

  container.googleapis.com
  cloudbuild.googleapis.com
  cloudapis.googleapis.com
  admin.googleapis.com
  stackdriver.googleapis.com
  sqladmin.googleapis.com
  storage-api.googleapis.com
  cloudbilling.googleapis.com
  cloudresourcemanager.googleapis.com
  compute.googleapis.com
  cloudkms.googleapis.com
  dns.googleapis.com
  logging.googleapis.com
  cloudfunctions.googleapis.com
  monitoring.googleapis.com
  storage-component.googleapis.com

Failure reason: The permissions granted to the Sophos Cloud Optix service account have been revoked.
Solution: Add the environment to Sophos Cloud Optix again.

Failure reason: The Sophos Cloud Optix service account has been deleted.
Solution: Add the environment again.