Salesforce provides a number of security mechanisms for protecting Org data. The ability to limit the IP addresses that a user can login from based on their Profile is a key one.
Adding IPs to the Login IP ranges
If Login IP ranges are set up for the profile of the salesforce user who is authenticated then 3 additional IPs have to be added to the IP range. The reason for this is that Elements Catalyst is logging in as the user from the Elements Servers.
If you are using our EU based instance (app.q9elements.com) the IPs are:
If you are using our US based instance (app.us.elements.cloud) the IPs are:
Session Settings and Enforce login IP ranged on every request
In the Session Settings (in the Org Setup) there is an option called 'Enforce login IP ranges on every request'. If this is checked on then as the name implies the IP is checked on every request not just at login.
Because the Elements package makes REST API calls from Salesforce but executing under the user account that the sync runs under, the IP address is not the Elements one that the Salesforce server is running under. The Salesforce IP addresses need to added to the Login IP range for the profile. The IP addresses can be found in this Salesforce article:
Session Settings and Lock sessions to the IP address from which they originated
There is another setting that effects the sync from Salesforce to Elements. If the setting 'Lock sessions to the IP address from which they originated' is checked the sync will fail. With this item checked it is not possible to run the sync.
See this Salesforce article to understand the reasons: