Managing the Access Gateway support VPN

The support virtual private network (VPN) is enabled by default, but it can be enabled or disabled as required.


Known issue - incorrect VPN connectivity and proxy error message
When Allow Support Connection is enabled and a proxy is specified for Access Gateway, the following error message displays:

In addition an error is logged similar to:

2020-11-04T12:00:30.707-06:00 <hostname.domain.tld> CHECK_CONNECTION  SCRIPT ERROR NETCAT [USER="spgw"] Ncat: Version 7.70 ( )
				Ncat: Connection timed out.
The VPN is enabled and this error message can be ignored.


Known issue - Delay in displaying VPN enabled
When the support VPN is enabled underlying services must be started and connections validated. In some situations this may take longer than expected and the VPN will continue to show disabled.
When enabling the VPN, if the VPN still shows disabled, consider refreshing the page.

To enable or disable the Support VPN:

  1. Sign in to the Access Gateway Admin UI console.

  2. Select the Support tab.
  3. Use the Allow Support Connection toggle to enable or disable the support connection.


  4. Note

    Before enabling the support VPN you must define a valid identity provider. See Administer Identity Providers for more information.



Changes to VPN connection occur immediately on change. The VPN support connection can be enabled on demand to allow Okta Support access to an Access Gateway instance.
The Support VPN can also be enabled or disabled using the command line interface. See Support Connection.