Error when Syncing secrets from CyberArk Vault to DAP

We are getting the below error in Vault Synchronizer logs and it’s not synchronizing any of the secrets from CyberArk Vault to DAP Vault.

ERROR VaultConjurSynchronizer.Flows.FirstLoadSyncFlow - VCSS017E Failed to fetch synched accounts metadata from Conjur with exception of type System.IndexOutOfRangeException and message Index was outside the bounds of the array.

Detailed Error:
2020-12-21 23:09:34,600 [4] [main] INFO VaultConjurSynchronizer.Conjur.ConjurHandlerFactory - VCSS021I Synchronizer is running with Conjur version: [5.11.0]
2020-12-21 23:09:34,602 [4] [main] INFO VaultConjurSynchronizer.Conjur.ConjurHandler - VCSS011I Init Conjur REST client and authenticate. ApplianceUrl: [https://stg-dapcentral.company.local/api], Conjur host name: [host/Sync_USAEA1DAPWESC01], Conjur account: [Experian] - start
2020-12-21 23:09:34,629 [4] [main] INFO VaultConjurSynchronizer.Conjur.ConjurHandler - VCSS011I Init Conjur REST client and authenticate. ApplianceUrl: [https://stg-dapcentral.company.local/api], Conjur host name: [host/Sync_USAEA1DAPWESC01], Conjur account: [Experian] - end
2020-12-21 23:09:34,631 [4] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS001I Vault-Conjur Synchronizer initialization - start
2020-12-21 23:09:34,631 [4] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS025I The Vault protocol version is 10.10
2020-12-21 23:09:34,691 [4] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS015I Found [1] LOBs from Vault named: [LOB_AWS]
2020-12-21 23:09:34,691 [4] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS018I Will start synchronizing [1] LOBs named: [LOB_AWS]
2020-12-21 23:09:34,692 [4] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS001I Vault-Conjur Synchronizer initialization - end
2020-12-21 23:09:34,696 [4] [main] INFO VaultConjurSynchronizer.Service.SynchronizerService - VCSS012I Starting CyberArk Vault-Conjur Synchronizer Service - end
2020-12-21 23:09:35,699 [9] [main] INFO VaultConjurSynchronizer.Synchronizer - VCSS003I Refreshing accounts from the vault - start
2020-12-21 23:09:36,250 [10] [LOB_AWS] INFO VaultConjurSynchronizer.Flows.FirstLoadSyncFlow - VCSS020I Fetching synced accounts metadata from Conjur - start
2020-12-21 23:09:36,328 [10] [LOB_AWS] ERROR VaultConjurSynchronizer.Flows.FirstLoadSyncFlow - VCSS017E Failed to fetch synched accounts metadata from Conjur with exception of type System.IndexOutOfRangeException and message Index was outside the bounds of the array.

Hi,
Can you please turn on debug log level, follow those instructions
See log4net > root > level and change it to DEBUG

Then reply with log output as you did now :slight_smile:

Is it your first time running Synchronizer on this deployment of Conjur? It looks like an issue while fetching data from Conjur that will only be present if a synchronization already happened once

Thanks,
Dvir

Hi.
I have the same problem. I have Conjur Enterprise, it has been working in production for over a year. The problem (with only one LOB, the other three synchronize without any problems) appeared after restarting the server with Vault Synchronizer (after installing updates).

Below is the synchronizer log with the debug flag enabled:

2021-11-28 00:54:03,015 [9] [LOBUser_PROD1] DEBUG VaultConjurSynchronizer.Lob - VCSS019D Lob LOBUser_PROD1 state changes from DuringSynchronization to CouldExistInConjur
2021-11-28 00:54:03,015 [9] [LOBUser_PROD1] ERROR VaultConjurSynchronizer.Flows.FirstLoadSyncFlow - VCSS017E Failed to fetch synched accounts metadata from Conjur with exception of type System.IndexOutOfRangeException and message Index was outside the bounds of the array.
2021-11-28 00:54:03,015 [9] [LOBUser_PROD1] DEBUG VaultConjurSynchronizer.Flows.FirstLoadSyncFlow - VCSS017E Failed to fetch synched accounts metadata from Conjur
System.IndexOutOfRangeException: Index was outside the bounds of the array.
at VaultConjurSynchronizer.Entities.ConjurVariable..ctor(Variable variable)
at VaultConjurSynchronizer.Conjur.ConjurHandler.<>c.<ListVariablesAsRole>b__13_0(Variable v)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at VaultConjurSynchronizer.Conjur.ConjurHandler.ListVariablesAsRole(String role, String name)
at VaultConjurSynchronizer.Flows.FirstLoadSyncFlow.BuildAccountsDictionaryFromConjur(Lob lob)
at VaultConjurSynchronizer.Flows.FirstLoadSyncFlow.RunInternal(Lob lob, MICASession masterSession)

Everything was working fine before restarting the vault synchronizer server.

Thanks,
Łukasz

Hi Lukasz,
@DvirL mentioned this looks like this issue has been fixed in the latest images. What version are you using?

Thanks - Rob

Thanks for reply, 11.7.
I even have an open case on this issue.
I will let you know what the answer will be.

Lukasz

The credentials synced from Vault are as follows:
/VAULT/LOB/SAFE/ACCOUNT_NAME/username
/VAULT/LOB/SAFE/ACCOUNT_NAME/password

I set up a variable directly in Conjur:
/VAULT/LOB/SAFE/var

For this reason, synchronization for the entire LOB was not successful. Deleting the above variable restored synchronization.

This happens in version 11.7.