This article contains a summary of how you can ensure Sonar syncs properly with Salesforce even if you have strict IP Restrictions.
In some cases, the sync between Sonar and Salesforce will fail due to IP restrictions in Salesforce. The sync fails because the refresh token that Sonar sends during sync is revoked because the IP address is not in a trusted range. This can also be compounded with the fact that Sonar's IP address comes from a wide range of addresses and not one single IP address because Sonar is set up on AWS.
The way to continue to enforce the IP restrictions but enable the sync with Sonar and Salesforce is to update the Sonar connected app in Salesforce and relax the IP Restrictions for the refresh tokens only.