Connectrix MDS: OnPrem Network Sync Fails "Error Checking for Token Expiration-400 Bad Request"

Summary: OnPrem Network sync fails with "Error When Checking for Token Expiration-400 Bad Request"

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

SSM OnPrem server version:  9-202507

OnPrem Network or Scheduled sync is failing with error:

"Error When Checking for Token Expiration 784: unexpected token at '<html> <head><title>400 Bad Request<title><head> <body> <center>
400 Bad Request
<center> <hr><center>nginx/1.29.1<center> <body> <html> '"

Error screen message

Cause

This is due to migration of Identity Provider (IDP) from Ping to Okta. 

Since the existing tokens are issues by IDP Ping, these tokens are not valid in the Okta service causing sync to fail. If any OnPrem accounts are created after this migration, Okta issues the tokens and this issue is not seen. 

This is not an issue on the OnPrem. This migration to Okta affects all OnPrem servers. 

Resolution

Conditions:
OnPrem sync performed with Network or Scheduled and the database has Access Tokens prior to the Ping to Okta Migration.

Cisco Issue ID: CSCwr45134

Workaround 1:

  1. Create a new OnPrem Account
Log in to the OnPrem Admin Workspace portal > Go to the Accounts widget.
Create a new OnPrem account, and approve the request by providing your credentials. This action generates a new token with Okta (our new IDP), enabling continued functionality. Once the account creation is complete, perform a full network sync on the failing accounts.
Keep in mind that you do not perform any action with this account, no device transfer, or registration to CSSM. It is only to refresh the internal token all OnPrem accounts use to talk to the cloud.
  1. Manual Synchronization:
As an alternative to network synchronization, you can perform a manual synchronization, which only fixes the issue for a one-time resolution. This is not a permanent fix.
  1. Not consistent but awaiting token expiration is another option
The issue is expected to resolve automatically after some days (28, 160, 180, and so forth), once the old Ping token cached in our container expires. You may choose to wait for this automatic resolution.

Workaround 2:
Apply the script for clearing up tokens (attached to the article).

  • Take a VM snapshot and backup onprem-console database_backup before applying the workaround.
  • Transfer the attached files under var/files/patches by using WinSCP
  • Run the below command:
Upgrade patches: sync_issue_token_cleanup.sh
  • Run a network sync with CCO admin credentials.
 
Note: After applying the script, if SSM OnPrem is not synced at least every 9-hours (for example, before the 10-hour expiry), the sync starts failing again. In such cases, the only workaround is to reapply the script and continue syncing every 9 hours or less.

Additional Information

Related Cisco Issue ID: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwr45134 This hyperlink is taking you to a website outside of Dell Technologies.

Affected Products

Connectrix MDS-9148T
Article Properties
Article Number: 000376216
Article Type: Solution
Last Modified: 06 Nov 2025
Version:  2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.