Salesforce provides a number of security mechanisms for protecting Org data.  The ability to limit the IP addresses that a user can log in from based on their Profile is a key one.  

Article outline

If Login IP ranges are set up for the profile of the Salesforce user who is authenticated, then 3 additional IPs have to be added to the IP range.  The reason for this is that Elements is logging in as the user from the Elements Servers.

If you are using our EU based instance (app.q9elements.com) the IPs are:

If you are using our US based instance (app.us.elements.cloud) the IPs are:

In the Session Settings (in the Org Setup) there is an option called "Enforce login IP ranges on every request".  If this is checked on, then as the name implies the IP is checked on every request, not just at login.

Because the Elements package makes REST API calls from Salesforce but executing under the user account that the sync runs under, the IP address is not the Elements one that the Salesforce server is running under.  The Salesforce IP addresses need to added to the Login IP range for the profile.  The IP addresses can be found in this Salesforce article: https://help.salesforce.com/articleView?id=000003652&type=1

There is another setting that effects the sync from Salesforce to Elements.  If the setting "Lock sessions to the IP address from which they originated" is checked the sync will fail. With this item checked, it is not possible to run the sync. 

https://help.salesforce.com/articleView?id=000335524&type=1&mode=1