Troubleshoot HTTP status codes

Access Gateway displays HTTP status codes on the Access Gateway Admin UI console to indicate when an operation didn't work as expected.

Access Gateway HTTP status codes are different from back-end application codes. If you see an HTTP status code outside of the Access Gateway Admin UI console, investigate it in the back-end application that produced it.

For other errors, see Troubleshoot miscellaneous issues.

Before you begin

To troubleshoot HTTP status codes, you must meet the following prerequisites:

  • You have admin access to your Okta org.
  • You have access to the Access Gateway Management console.
  • You can retrieve and monitor logs from network appliances and application servers.
  • You can identify an HTTP status code that appears in a log statement.

HTTP status codes and descriptions

Access Gateway and other applications return the following status codes to the browser during any event. They're also captured in the access log for troubleshooting issues.

HTTP Status Codes

Status Code   Description
200           Success
302           Redirect
400           Access Gateway isn't serving the application that's being called by IP address or hostname.
401           The session doesn't exist.
403           A policy rule denied access to the resource.
404           Unknown page, content, or resource.
405           Session integrity failure.
413           The request entity is too large.
500           Server-side error.
502           A back-end application isn't available.
503           The application is in maintenance, inactive, or in offline mode.
504           A request to a back-end application timed out.
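
Because these codes are also written to the access log, a small parser can tally failures per application host. This is an added example, not Okta code: the field layout is inferred from the log statement examples on this page, and the hosts, addresses and sample lines are constructed.

```python
import re
from collections import Counter

# Descriptions condensed from the status code table on this page.
GATEWAY_STATUS = {
    200: "Success", 302: "Redirect",
    400: "Host or IP address isn't served by Access Gateway",
    401: "The session doesn't exist",
    403: "A policy rule denied access",
    404: "Unknown page, content, or resource",
    405: "Session integrity failure",
    413: "The request entity is too large",
    500: "Server-side error",
    502: "A back-end application isn't available",
    503: "Application is in maintenance, inactive, or offline",
    504: "A request to a back-end application timed out",
}

# Assumed layout, inferred from the page's samples:
#   ... <app host> <client IP> - - [time] "METHOD path HTTP/x" status bytes ...
# Nothing is required after the byte count, so the fused `1922"-"` form parses.
ACCESS_RE = re.compile(
    r'(?P<host>\S+) (?P<client>\S+) - - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)')

def parse_access_line(line):
    """Return a dict for an access-log line, or None for any other log line."""
    m = ACCESS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["size"] = int(rec["status"]), int(rec["size"])
    rec["meaning"] = GATEWAY_STATUS.get(rec["status"], "not in the table")
    return rec

def failures_by_host(lines):
    """Count 4xx/5xx responses per (application host, status code)."""
    records = filter(None, map(parse_access_line, lines))
    return Counter((r["host"], r["status"]) for r in records if r["status"] >= 400)

# Constructed sample lines (hosts and addresses are placeholders).
SAMPLE = [
    'Mar 7 15:26:26 gw01 icsDefault443Access app1.example.com 198.51.100.7 - - [07/Mar/2018:15:26:26 -0600] "GET / HTTP/1.1" 400 1992 "-" "Mozilla/5.0" "-" 0.035 0.035',
    'Apr 5 03:59:57 gw01 icsIcsgwAccess app2.example.com 198.51.100.8 - - [05/Apr/2018:03:59:57 -0500] "GET /x HTTP/1.1" 404 1922"-" "Mozilla/5.0" "-" 0.019 0.019',
    'Apr 5 04:01:38 gw01 icsadmin app2.example.com 198.51.100.8 - - [05/Apr/2018:04:01:38 -0500] "GET / HTTP/1.1" 502 2130 "-" "Mozilla/5.0" "-" 0.006 0.000',
    'Apr 5 04:01:39 gw01 icsadmin app2.example.com 198.51.100.8 - - [05/Apr/2018:04:01:39 -0500] "GET /login HTTP/1.1" 302 2707 "-" "Mozilla/5.0" "-" 0.006 0.006',
    'Mar 7 17:47:32 gw01 headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, request: "GET / HTTP/1.1"',
]
```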

Capture the HTTP status code

Sometimes, you might not see an Access Gateway error page, depending on the application or error type. If this happens, capture the HTTP status code from the browser using the browser developer tools.

See Google documentation for instructions. For other browsers, consult that browser's documentation for instructions.

Find the tracking ID

If there's an internal server error, Access Gateway generates a tracking ID. The tracking ID appears on the Access Gateway error page. You can use this tracking ID to identify the event and its corresponding log messages from the log files while troubleshooting.

Click Tracking ID to copy it and the associated error message provided in the log.

This is an example of a log statement with the tracking ID:

Gateway host:[<host URL>]referrer:[<IDP SSO URL>]error:[Login Error] tracking ID:[6eff1f9ca3] details:[Requester/RequestDenied: Could not validate the following SAML AuthnRequest from partner Test App: ]

Status code 400: Unknown Host Status

Message: The requested host: <Requested Hostname> is not being served by this Access Gateway.
Description: The DNS record resolves to the Access Gateway, and there's no service or application available on the Access Gateway with the corresponding host name.
Log statement example

Mar 7 15:26:26 localhost.localdomain icsDefault443Access <host URL> <IP ADDRESS> - - [07/Mar/2018:15:26:26 -0600] "GET / HTTP/1.1" 400 1992 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36" "-" 0.035 0.035

Validation and mitigation steps
  1. Verify that you're using the correct URL.
  2. Verify that the Public Domain field in the Access Gateway application is correct.
  3. Verify that your DNS or local hosts file correctly addresses the hostname and IP address.
  4. Verify that your application is configured properly with the relevant hostname.

Status code 403: Access Denied to Resource

Message: Access to resource <Requested Resource> in application “Requested Applications” has been denied.
Description: The Access Gateway returns this status code when the policy engine denies access to a protected resource. You might also receive this status code when access to a resource is intentionally prohibited.
Log statement example

Mar 7 15:36:22 localhost ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_id="aa3b92617708c430ad74acbd6b1cf23f4809b48141"SUBJECT="<User login ID>" RESOURCE="/test" METHOD="GET" POLICY="test" POLICY_TYPE="PROTECTED_REGEX" DURATION="0" APP="<Application name/ description>" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="DENY" REASON="Groups=(?!.*Everyone:) -SESSIONID=_aa3b92617708c430ad74acbd6b1cf23f4809b48141 RelayDomain=<Relay domain URL> static1=static1 secret=secretvalue spgw_username=<User ID> UserName=<User ID> spgw_username=<User ID> cloud:identity:domain=<IDP tenant subdomain> workEmail=<User work email attribute>cloud:identity:tenant=<IDP tenant subdomain> givenName=<User first name> familyName=<User last name> email=<User email> SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.1.4 USER_AGENT=Mozilla/5.0 (WindowsNT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36 creationTime=1520458088124 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1520458092027 " REMOTE_IP="<IP Address>" USER_AGENT="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] deny access to resource

Validation and mitigation steps
  1. Verify that this is an error and not an intentionally denied resource.
  2. Verify and fix the defined policy in the Access Gateway application.
  3. Verify that the user is allowed access by the policy.
  4. Contact Support if the application resource is still inaccessible.

Status code 404: Resource Not Found

Message: The page you are trying to access does not exist.
Description: The Access Gateway returns this status code when the requested resource is unavailable.
Log statement example

Apr 5 03:59:57 oag01 icsIcsgwAccess <Gateway domain> <Gateway IP address> - - [05/Apr/2018:03:59:57 -0500] "GET / HTTP/1.1" 404 1922"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "<Gateway IP address>" 0.019 0.019

Validation and mitigation steps
  1. Verify the URL, and ensure that the resource still exists and is pointed toward the correct location.
  2. If the resource is inaccessible, contact Okta Support.

Status code 405: Access Denied

Message: The Access Gateway has detected an anomaly in user access to the <Requested Application>.
Description: The Access Gateway returns this status code when it detects a possible session integrity issue; the check is there to prevent sessions from being hijacked. This can also happen when a user switches networks with an active session in place.
Log statement example

Apr 2 15:19:32 ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_id="0e53b206b5aa2d8b93cdf7f48c4c5ca51e2eeff494" SUBJECT="<User ID>" APP="IDP Sample Header App 1" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>"RESULT="DENY" REASON="SESSION_INTEGRITY_REMOTEIP_MISMATCH" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] SRF Request RemoteIP(http_x_real_ip): <User IP address> failed to match session RemoteIP: <Remote IP address>

Apr 2 15:19:32 IDPsampleheaderapp1 <App domain URL> <User IP address> - - [02/Apr/2018:15:19:32 -0500] "GET / HTTP/1.1" 405 2050 "<IDP SSO URL>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "<User IP address>" 0.010 0.010.

Validation and mitigation steps
  1. Verify with the user if they changed networks during an active session with Access Gateway.
  2. If step 1 is confirmed, the user must restart the browser and log in again to start a new session.
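
The 403 and 405 events shown above use the same KEY="value" layout, so one parser can separate policy denials from session-integrity failures and list the request addresses seen for each affected session. This is an added example, not Okta code: it assumes one event per line in the layout of the page's samples, and the users, session IDs and addresses are constructed.

```python
import re
from collections import defaultdict

# KEY="value" pairs inside the [...] block of an event. No whitespace is required
# before a key, because the page's samples contain fused pairs ("...41"SUBJECT=).
PAIR_RE = re.compile(r'([A-Za-z_]+)="([^"]*)"')
EVENT_RE = re.compile(r'\b(USER_AUTHZ|USER_SESSION) \[(.*)\]')
# Trailing text of the 405 sample: request address vs. the address bound to the session.
MISMATCH_RE = re.compile(
    r'RemoteIP\(http_x_real_ip\): (\S+) failed to match session RemoteIP: (\S+)')

def parse_event(line):
    """Return the event's fields with upper-cased keys (SESSION_id/SESSION_ID), or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {key.upper(): value for key, value in PAIR_RE.findall(m.group(2))}
    fields["EVENT"] = m.group(1)
    return fields

def summarize_denies(lines):
    """Return (policy denials, session-integrity failures keyed by session ID)."""
    policy, integrity = [], defaultdict(lambda: {"request_ips": set()})
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("RESULT") != "DENY":
            continue
        if ev.get("REASON") == "SESSION_INTEGRITY_REMOTEIP_MISMATCH":
            entry = integrity[ev.get("SESSION_ID", "")]
            entry["subject"] = ev.get("SUBJECT")
            mm = MISMATCH_RE.search(line)
            if mm:
                entry["request_ips"].add(mm.group(1))
                entry["session_ip"] = mm.group(2)
        else:
            # REASON is left out of the summary: in the 403 sample it holds session attributes.
            policy.append((ev.get("SUBJECT"), ev.get("APP"), ev.get("RESOURCE"), ev.get("POLICY")))
    return policy, dict(integrity)

# Constructed sample events (users, session IDs and addresses are placeholders).
SAMPLE_EVENTS = [
    'Mar 7 15:36:22 gw01 ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_id="aa11"SUBJECT="alice@example.com" RESOURCE="/test" METHOD="GET" POLICY="test" POLICY_TYPE="PROTECTED_REGEX" APP="Sample App" RESULT="DENY" REASON="Groups=(?!.*Everyone:) -SESSIONID=_aa11 secret=secretvalue RemoteIP=192.0.2.4" REMOTE_IP="192.0.2.4"] deny access to resource',
    'Apr 2 15:19:32 gw01 ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_id="0e53" SUBJECT="bob@example.com" APP="Sample App" RESULT="DENY" REASON="SESSION_INTEGRITY_REMOTEIP_MISMATCH" REMOTE_IP="203.0.113.5"] SRF Request RemoteIP(http_x_real_ip): 198.51.100.77 failed to match session RemoteIP: 203.0.113.5',
    'Apr 2 15:21:10 gw01 ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_id="0e53" SUBJECT="bob@example.com" APP="Sample App" RESULT="DENY" REASON="SESSION_INTEGRITY_REMOTEIP_MISMATCH" REMOTE_IP="203.0.113.5"] SRF Request RemoteIP(http_x_real_ip): 198.51.100.78 failed to match session RemoteIP: 203.0.113.5',
    'Mar 7 16:58:23 gw01 ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/" METHOD="GET" POLICY="ACTIVE_MAINT" POLICY_TYPE="NO_AUTH" APP="Sample App" RESULT="ALLOW" REASON=" - N/A"] allow access to resource',
]
```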

Status code 413: Request Entity Too Large Code

Message: The Access Gateway displays error 413 if the file being uploaded is larger than 1 megabyte.
Description: By default, the Access Gateway is set to allow file uploads that are less than 1 megabyte.
Validation and mitigation steps
  1. Use the browser's developer tools to confirm that the HTTP status code returned by the Access Gateway is 413.
  2. To increase the file upload limit, click the Applications tab.
  3. Click the Edit App icon for the corresponding application.
  4. Open the Advanced dropdown menu within the application.
  5. Slide the Maximum File Upload Size Adjuster to an appropriate size.

Status code 500: Internal Server Error

Message: An unexpected server error has occurred. The error has been logged. Contact your support service if you face this error message.
Description: Error in an Access Gateway component.
Log statement example

Apr 2 22:53:10 IDPsampleheaderapp1 2018/04/02 22:53:10 [info] 26875#0: *3909 client closed connection while waiting for request, client: 192.168.10.20, server: 0.0.0.0:443

Apr 2 22:53:10 IDPsampleheaderapp1 <App domain URL> <IP address> - - [02/Apr/2018:22:53:10 -0500] "GET /GOPYX48z5/module.php/icsgw/as_login.php?AuthId=k3x6WX20E&ReturnTo=https://<App domain URL> HTTP/1.1" 302 2707 "<Gateway domain URL>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 0.006 0.006

Validation and mitigation steps: Contact Okta Support.

Status code 502: Application is Not Responding

Message: The backend web application <Requested Application> is not receiving user requests from the Access Gateway and is not available for usage.
Description: Access Gateway returns this error when it fails to connect to the back-end application it's protecting.
Log statement example

Apr 5 04:01:38 oag01 icsadmin <Gateway domain URL> <IP address> - - [05/Apr/2018:04:01:38 -0500] "GET / HTTP/1.1" 502 2130 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 0.006 0.000, 0.000 : 0.005

Validation and mitigation steps
  1. Ensure that the app is working and the protected URL specified in Access Gateway is reachable.
  2. Ensure that the DNS record is resolvable.
  3. Ensure that the back-end application is reachable from the server that hosts the Access Gateway appliance. See the cURL connectivity test section in Manage network interfaces.
  4. If using a load-balancing solution, individually verify whether any of the Access Gateway appliances are causing the issue.

Status code 503: Application is unavailable

Messages:
  • Application <Requested Application> has been disabled and isn't available for usage.
  • The application <Requested Application> is temporarily not available for usage.
  • The application <Requested Application> is not functioning correctly and has been taken offline. This outage has been logged.
Description

Access Gateway shows this warning page when an application has been disabled, hasn't been activated, is in maintenance mode, or has been taken offline.

If an administrator has temporarily removed access to an application, the application is also disabled in the Identity Provider. Verify the application status with the application owner or appropriate manager before you change any settings in the Access Gateway Admin UI console.

Log statement examples

The application has been disabled or is not activated:

Mar 7 16:56:39 localhost ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/" METHOD="GET" POLICY="INACTIVE" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] allow access to resource.

The application is in maintenance:

Mar 7 16:58:23 localhost ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/" METHOD="GET" POLICY="ACTIVE_MAINT" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] allow access to resource

The application is offline:

Apr 2 15:02:33 ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/favicon.ico" METHOD="GET" POLICY="ACTIVE_OFFLINE" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App 1" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"] allow access to resource

Apr 2 15:02:33 IDPsampleheaderapp1 <App domain URL> <IP address> - - [02/Apr/2018:15:02:33 -0500] "GET /favicon.ico HTTP/1.1" 503 2063 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "-" 0.011 0.011

Validation and mitigation steps
  1. Open the Access Gateway Admin UI console.
  2. Click the Applications tab.
  3. Verify that the status of your application is Inactive, Maintenance, or Offline.
  4. Edit the application.
  5. Change the application status to Application is Active when the application comes back online, maintenance is complete, or after you fix the application configuration error.

Status code 504: Time-out errors

Messages:
  • The 504 Gateway Timeout error message is an Oracle E-Business Suite (EBS) integration timeout error.
  • The backend web application <Requested Application> is not responding in a timely manner to user requests from the Access Gateway and/or isn't available for usage.
  • The application doesn't render if the back-end application takes longer than 60 seconds to respond.
  • The backend web application <Requested Application> is not receiving user requests from the Access Gateway and not available for usage.
Description

These errors appear when Access Gateway times out while connecting to an internal application or waiting for a response from a back-end application, or when an Oracle EBS registration isn't working or has been erased from the instance.

If the Oracle EBS integration isn't working, the application doesn't provide the GUID, and the USER_ORCLGUID header doesn't appear in the Access Gateway logs when debug is enabled.

Log statement examples

Oracle EBS integration timeout error:

Apr 2 15:49:53 oracleaccessgatetest1 <App domain URL> <App IP address> - - [02/Apr/2018:15:49:53 -0500] "GET /accessgate/ssologin HTTP/1.1" 504 2050 "<IDP federation response>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 1.017 1.002 : 0.008

Back-end application timeout:

Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Host URL>", referrer: "<Access Gateway Admin UI URL>"

Application render failure:

Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Host domain URL>", referrer: "<Access Gateway Admin UI URL>"

Internal application timeout:

Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Server domain URL>", referrer: "<Access Gateway Admin UI URL>"
Validation and mitigation steps
  1. Verify that the application is responding.
  2. Verify that the application URL is reachable from the Access Gateway.
  3. Verify that the connection to the application isn't blocked at any stage.
  4. Test the connectivity to the back-end application from the Access Gateway.
  5. If the application or Oracle EBS is expected to take longer than 60 seconds to respond, change the response time:
    1. Go to Application Settings.
    2. From the Advanced dropdown menu, select Backend Timeout duration.
    3. Change the value to a longer timeout duration.
  6. If the issue is an Oracle EBS integration timeout error, troubleshoot and fix the Oracle EBS application instance.