The Okta Active Directory (AD) Agent disconnects and reports an offline status when it cannot retrieve the next action from Okta due to a connectivity issue. Resolve this issue by verifying the Okta service status and troubleshooting the local network environment. When this occurs, the AD Agent logs contain errors similar to the following:
2024/01/01 23:59:59.686-05:00 Error -- <SERVER_NAME>(17) -- Error retrieving next action
2024/01/01 23:59:59.686-05:00 Info -- <SERVER_NAME> at System.Net.HttpWebRequest.GetResponse()
at Okta.Api.RestClient.GetResponse(HttpWebRequest request)
at Okta.Api.RestClient.RequestObject(String method, Object obj, XmlSerializer inputSerializer, XmlSerializer outputSerializer, UriTemplate template, Nullable`1 timeout, String[] args)
at Okta.Api.RestClient.GetObject(XmlSerializer serializer, UriTemplate template, Nullable`1 timeout, String[] args)
at Okta.Api.OktaApi.GetNextAction(String instanceId, String agentId, String agentVersion)
at Okta.Agent.DelegateUtils.DoUntilSuccessOrAbort[T](Func`1 toDo, String errorMessage, Nullable`1 initialRetrySleep, Int32 maxRetrySleep, Int32 maxRetries)
System.Net.WebException received with message The operation has timed out Source=System InnerException=.

- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
- Okta AD Agent
This error indicates that the AD Agent cannot retrieve the next agent action from Okta. This typically occurs due to an issue with the agent connecting to the Okta service. The AD Agent regularly polls Okta on port 443 to retrieve actions for processing and to report agent status. If the agent cannot reach the Okta service for more than 120 seconds, Okta marks the AD Agent as disconnected until connectivity is restored.
How is the Okta AD Agent connectivity issue resolved?
To determine if any service or network issues occurred within Okta during the time period when the disconnect occurred, access the Okta Status site and review the current system status or service history. Issues reported on the status site contain details indicating whether the event impacted agent connectivity.
If the Okta Status site reports no relevant issues, the issue is environmental and is outside the scope of Okta Support. Troubleshoot the local environment by checking system events, restarting the server, verifying network configurations, and adjusting power settings, as outlined below.
- Check the Windows Event Viewer around the time when the issue occurred for events indicating a larger issue affected the server or network.
- Restart the AD Agent server. If the agent server requires updates or has not restarted recently, a restart often resolves the issue.
- Check firewall and proxy resources to ensure that nothing blocks communication to or from the AD Agent.
- Ensure that all Okta IP addresses are added to the allowlist. Review the Okta IP Addresses to Allowlist for Inbound Traffic documentation for more information.
- Consult with the Internet Service Provider (ISP) to determine if any service or connectivity issues affected the environment.
- Perform a network capture to determine the source of the connectivity issue.
- Monitor the AD Agent server resources, including CPU utilization and RAM usage. If the agent server resources are inadequate to process all requests, the server may report as offline. This is more likely relevant if the issue occurs only during peak hours.
- If the disconnect event occurs during periods of low or no activity between Okta and AD, the Network Interface Card (NIC) may enter a sleep state. Remediate the issue by placing the NIC in High Performance Mode using the following steps:
  - On the AD Agent server, navigate to Control Panel, select Hardware, and choose Power Options.
  - Under Preferred plans, select High Performance.
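
To find the time windows to compare against the Okta Status history, Windows Event Viewer, and a network capture, the following added example (not Okta's code) groups "Error retrieving next action" entries from an agent log into failure windows and flags those lasting at least the 120 seconds after which Okta marks the agent disconnected. The 90-second grouping gap, the host name AGENT01, and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp and level layout taken from the agent log excerpt in this article.
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}) (\w+) -- (.*)$")
POLL_FAILURE = "Error retrieving next action"
DISCONNECT_AFTER = timedelta(seconds=120)  # threshold stated in this article
MAX_GAP = timedelta(seconds=90)  # assumption: failures closer than this are one outage

# Constructed sample log (hypothetical host AGENT01), not real agent output.
SAMPLE_LOG = """\
2024/01/01 23:58:10.102-05:00 Error -- AGENT01(17) -- Error retrieving next action
2024/01/01 23:58:10.102-05:00 Info -- AGENT01 at System.Net.HttpWebRequest.GetResponse()
at Okta.Api.OktaApi.GetNextAction(String instanceId, String agentId, String agentVersion)
2024/01/01 23:59:05.400-05:00 Error -- AGENT01(17) -- Error retrieving next action
2024/01/01 23:59:59.686-05:00 Error -- AGENT01(17) -- Error retrieving next action
2024/01/02 00:01:02.250-05:00 Error -- AGENT01(17) -- Error retrieving next action
2024/01/02 03:15:44.010-05:00 Error -- AGENT01(17) -- Error retrieving next action
""".splitlines()


def failure_windows(lines, max_gap=MAX_GAP):
    """Return (start_utc, end_utc, failures, reached_120s) per run of poll failures."""
    windows = []
    for line in lines:
        m = LINE_RE.match(line)
        # Stack frames and Info lines do not mark a new failed poll.
        if not m or m.group(2) != "Error" or POLL_FAILURE not in m.group(3):
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f%z")
        ts = ts.astimezone(timezone.utc)  # normalise so windows compare across sources
        if windows and ts - windows[-1][1] <= max_gap:
            windows[-1][1] = ts      # extend the current window
            windows[-1][2] += 1
        else:
            windows.append([ts, ts, 1])  # start a new window
    return [(s, e, n, e - s >= DISCONNECT_AFTER) for s, e, n in windows]


if __name__ == "__main__":
    for start, end, count, offline in failure_windows(SAMPLE_LOG):
        flag = "reached 120 s disconnect threshold" if offline else "transient"
        print(f"{start.isoformat()} -> {end.isoformat()}  failures={count}  {flag}")
```

Windows that reach the threshold and recur at the same hours point toward the peak-load or idle-NIC causes listed above; isolated single failures are usually transient.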
