Troubleshooting guide

What You Need to Know Before You Start Troubleshooting

To properly troubleshoot the Access Gateway, you must meet the following prerequisites:

What Problem Are You Experiencing?

Compare the error you’ve received with this list, and click the appropriate problem description below:

 

How to Monitor Logs

 

  1. Log in to the Access Gateway and open a terminal window. The default credentials are given below:
    • Username: oag-mgmt
    • Password: OktaMgmt@123


  2. Select 4-Monitoring from the Management Console menu
  3. Select 1- Monitor Logs from the Monitoring Menu

HTTP Status Codes

Access Gateway and other applications return the following status codes to the browser during any event. They are also captured in the access log for troubleshooting issues.

 

Status Code Description
200 Success
400 Application is being called using IP address or the hostname is not being served by Gateway
401 Session does not exist
403 Policy rule denied access to resource
404 Unknown page, content or resource
405 Session integrity failure
500 Server-side error
502 Backend application is not available
503 Application is in maintenance, inactive, or offline mode
504 Request to backend application timed out

How Do I Find My Status Code?

The Access Gateway presents status codes as shown below:

Note

  • HTTP status codes visible in the browser could be returned from a backend application, which could be misleading. In case of any HTTP errors, all HTTP status codes returned by Access Gateway are displayed as user friendly error messages on the page along with Access Gateway branding in the header and footer sections (see the screenshot above for an example).

  • The example screenshot below is an example of a generic error message, not a message generated by the Access Gateway. This type of generic error message will look different for every application. If the page is not an Access Gateway page, it indicates which HTTP status code is being returned by the application protected by Access Gateway (see the example “Error 500” screenshot below for an example).

Some status codes are caused by a backend application error and need to be investigated on the application side.

Steps to capture an HTTP status code:

Note

In some cases, and depending on the application or error, the end user may not see an Access Gateway error screen, and a status code must be collected from the browser. Follow these steps to capture a status code using the browser developer tools.

  1. Open a new browser window.

  2. Right-click the page, and click Inspect to open Developer Tools.

  3. Click the Network tab.

  4. Enter the URL you want to test, and press Enter.

  5. Complete the login process if required.

  6. Capture the status code of the page in question. See the image below for more information.

Note

The steps shown above to open Developer Tools are applicable to Google Chrome. In IE, Developer Tools can be opened by pressing F12.

Tracking ID

In case of an internal server error, Access Gateway generates a tracking ID that is displayed on the error page. This tracking ID can be used to identify the event and corresponding log messages from the log files while troubleshooting.

If the error page has a tracking ID, you can click the Tracking ID button to copy the tracking ID and the associated error message provided in the log. This message contains important information that can help you troubleshoot the issue.

Log Statement


Gateway host:[<host URL>]referer:[<IDP SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. URL>]error:[Login Error] tracking ID:[6eff1f9ca3] details:[Requester/RequestDenied: Could not validate the following SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. AuthnRequest from partner Test App: ]

What Problem Are You Experiencing?

Status Code 400

Unknown Host Status

The requested host: <Requested Hostname> is not being served by this Access Gateway.

Possible Cause

The DNS record resolves to the Access Gateway, and there is no service or application available on the Access Gateway with the corresponding host name.

Log Statement


Mar 7 15:26:26 localhost.localdomain icsDefault443Access <host URL> <IP ADDRESS> - - [07/Mar/2018:15:26:26 -0600] "GET / HTTP/1.1" 400 1992 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36" "-" 0.035 0.035

Fix/Validation Steps

  1. Check that you are using the correct URL.
  2. Check that the Public DomainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). field in Access Gateway application is correct.

  3. Check that your DNS or local hosts file correctly addresses the hostname and IP address.

  4. Check that your application is configured properly with the relevant hostname.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 403

Access Denied to Resource

Access to resource <Requested Resource> in application “Requested Applications” has been denied.

Possible Cause

The Access Gateway returns this status code when the policy engine denies access to a protected resource. You might receive this status code if there is a condition where certain access to a resource is intentionally prohibited.

Log Statement


Mar 7 15:36:22 localhost ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_id="aa3b92617708c430ad74acbd6b1cf23f4809b48141" SUBJECT="<User login ID>" RESOURCE="/test" METHOD="GET" POLICY="test" POLICY_TYPE="PROTECTED_REGEX" DURATION="0" APP="<Application name / description>" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="DENY" REASON="GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups.=(?!.*Everyone:) - SESSIONID=_aa3b92617708c430ad74acbd6b1cf23f4809b48141 RelayDomain=<Relay domain URL> static1=static1 secret=secretvalue spgw_username=<User ID> UserName=<User ID> spgw_username=<User ID> cloud:identity:domain=<IDP tenant subdomain> workEmail=<User work email attribute> cloud:identity:tenant=<IDP tenant subdomain> givenName=<User first name> familyName=<User last name> email=<User email> SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.1.4 USER_AGENTA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations.=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36 creationTime=1520458088124 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1520458092027 " REMOTE_IP="<IP Address>" USER_AGENT="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] deny access to resource

Fix/Validation Steps

  1. Verify this is indeed an error and not an intentional denied resource
  2. Verify and fix the defined policy in the Access Gateway application.

  3. Verify that the user is allowed access by the policy.

  4. Contact Support if the application resource is still inaccessible.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 404

Resource Not Found

The page you are trying to access does not exist.

Possible Cause

The Access Gateway returns this status code when the requested resource is unavailable.

Log Statement


Apr 5 03:59:57 oag01 icsIcsgwAccess <Gateway domain> <Gateway IP address> - - [05/Apr/2018:03:59:57 -0500] "GET / HTTP/1.1" 404 1922 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "<Gateway IP address>" 0.019 0.019

Fix/Validation Steps

  1. Check the URL to make sure it is correct, and ensure that the resource still exists and is pointed toward the correct location.
  2. If resource is inaccessible, contact Support.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 405

Access Denied

The Access Gateway has detected an anomaly in user access to the <Requested Application>.

Possible Cause

The Access Gateway will return this status code when it detects a possible issue with session integrity to prevent sessions from being hijacked. This can also happen when a user switches networks with an active session in place.

Log Statement


Apr 2 15:19:32 ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_id="0e53b206b5aa2d8b93cdf7f48c4c5ca51e2eeff494" SUBJECT="<User ID>" APP="IDP Sample Header App 1" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="DENY" REASON="SESSION_INTEGRITY_REMOTEIP_MISMATCH" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] SRF Request RemoteIP (http_x_real_ip): <User IP address> failed to match session RemoteIP: <Remote IP address> Apr 2 15:19:32 IDPsampleheaderapp1 <App domain URL> <User IP address> - - [02/Apr/2018:15:19:32 -0500] "GET / HTTP/1.1" 405 2050 "<IDP SSO URL>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "<User IP address>" 0.010 0.010.

Fix/Validation Steps

  1. Verify with the user if they changed networks during an active session with Access Gateway.
  2. If step 1 is confirmed, the user must restart the browser and log in again to create a new session.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 413

Request Entity Too Large Code

The Access Gateway will display error 413 if the file being uploaded is greater than 1MB.

Possible Causes

By default, the Access Gateway is set to allow file uploads that are less than 1MB in size.

Fix/Validation Steps

  1. Use the developer tools to confirm that the HTTP status code being returned by the Access Gateway is 413
  2. To increase the file upload limit, click the Applications tab.

  3. Click the Edit App icon for the corresponding application.

  4. Open the Advanced dropdown menu within the application.

  5. Slide the Maximum File Upload Size Adjuster to an appropriate size.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 500

Internal Server Error

An unexpected server error has occurred. The error has been logged. Please contact your support service if you face this error message.

Possible Cause

Error in an Access Gateway component.

Log Statement


Apr 2 22:53:10 IDPsampleheaderapp1 2018/04/02 22:53:10 [info] 26875#0: *3909 client closed connection while waiting for request, client: 192.168.10.20, server: 0.0.0.0:443Apr 2 22:53:10 IDPsampleheaderapp1 <App domain URL> <IP address> - - [02/Apr/2018:22:53:10 -0500] "GET /GOPYX48z5/module.php/icsgw/as_login.php?AuthId=k3x6WX20E&ReturnTo=https://<App domain URL> HTTP/1.1" 302 2707 "<Gateway domain URL>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 0.006 0.006

Fix/Validation Steps

Contact Support to investigate the issue.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 502

Application is Not Responding

The backend web application <Requested Application> is not receiving user requests from the Access Gateway and not available for usage.

Possible Cause

The Access Gateway will return this error when it fails to connect to the backend application it is protecting.

Log Statement


Apr 5 04:01:38 oag01 icsadmin <Gateway domain URL> <IP address> - - [05/Apr/2018:04:01:38 -0500] "GET / HTTP/1.1" 502 2130 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 0.006 0.000, 0.000 : 0.005
.

Fix/Validation Steps

  1. Ensure the app is working and the protected URL specified in the Access Gateway is reachable.
  2. Ensure the DNS record is resolvable.

  3. Ensure the backend application is reachable from the server that hosts the Access Gateway appliance using the troubleshooting tools in the Appendix.

  4. If using a load balancing solution, individually verify if all or one of the Access Gateway appliances are causing the issue.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 503

Application Not Activated

Application <Requested Application> has been disabled and is not available for usage.

Note

Any of these 503 status codes might display if an administrator has chosen to temporarily remove access to an application. Likewise, the application will also be disabled in IDP. Before editing any settings in the Access Gateway AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. UI, confirm the application status with the application owner or appropriate manager.

Possible Cause

The Access Gateway will show this warning page when an application has been marked as inactive.

Log Statement


Mar 7 16:56:39 localhost ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/" METHOD="GET" POLICY="INACTIVE" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] allow access to resource.

Fix/Validation Steps

  1. Open the Access Gateway Admin UI.

  2. Go to the Applications tab.

  3. Verify that the status of your application is set to Inactive.

  4. Edit the Application.

  5. Change the application status to Application is Active.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application is in Maintenance

The application <Requested Application> is temporarily not available for usage.

Possible Cause

The Access Gateway will show this warning page when an application status has been changed to maintenance mode for any maintenance activity.

Log Statement


Mar 7 16:58:23 localhost ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/" METHOD="GET" POLICY="ACTIVE_MAINT" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] allow access to resource

Fix/Validation Steps

  1. Open the Access Gateway Admin UI.
  2. Go to the Applications tab.

  3. Verify that the status of your application is set to Maintenance.

  4. Ensure that maintenance on the application is complete and the backend application is available.

  5. Edit the application.

  6. Change the application status to Application is Active when the application maintenance is complete.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application is Offline

The application <Requested Application> is not functioning correctly and has been taken offline. This outage has been logged.

Possible Cause

The Access Gateway shows this warning when it detects potential errors with an application configuration and marks it offline.

Log Statement


Apr 2 15:02:33 ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/favicon.ico" METHOD="GET" POLICY="ACTIVE_OFFLINE" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App 1" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"] allow access to resource Apr 2 15:02:33 IDPsampleheaderapp1 <App domain URL> <IP address> - - [02/Apr/2018:15:02:33 -0500] "GET /favicon.ico HTTP/1.1" 503 2063 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "-" 0.011 0.011

Fix/Validation Steps

  1. Open the Access Gateway Admin UI.
  2. Go to the Applications tab.

  3. Verify that the status of your application is set to Offline.

  4. Edit the application.

  5. Change the application status to Application is Active after fixing the application configuration error.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 504

Access Gateway Timeout

The 504 Gateway Timeout is an Oracle EBS Integration timeout error.

Possible Cause

The EBS registration is not working or has been erased from the instance. The application will not provide the GUID and the USER_ORCLGUID header will not appear in the Access Gateway Logs when debug is enabled.

Log Statement


Apr 2 15:49:53 oracleaccessgatetest1 <App domain URL> <App IP address> - - [02/Apr/2018:15:49:53 -0500] "GET /accessgate/ssologin HTTP/1.1" 504 2050 "<IDP federation response>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 1.017 1.002 : 0.008
>

Fix/Validation Steps

  1. 1. If EBS is expected to take longer than 60 seconds, increase the Backend Timeout duration in the Advanced dropdown menu in Application Settings.
  2. Troubleshoot and fix the EBS application instance.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application Timeout - Backend App

The backend web application <Requested Application> is not responding in a timely manner to user requests from the Access Gateway and/or not available for usage.

Possible Cause

The Access Gateway returns this error when it times out when trying to connect to an internal application it is protecting.

Log Statement


Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Host URL>", referrer: "<Access Gateway Admin UI URL>"

Fix/Validation Steps

  1. Ensure the application is responding.
  2. Ensure that the application URL is reachable from the Access Gateway.

  3. Ensure that the connection is not being blocked at any stage.

  4. Test the connectivity to the backend application from the Access Gateway.

  5. If the application is expected to take longer than 60 seconds, increase the Backend Timeout duration in the Advanced dropdown menu in Application Settings.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application Render Failure

The application does not render if the backend application takes longer than 60 seconds to respond.

Possible Cause

The Access Gateway is set to time out after 60 seconds when waiting for a response from the backend application.

Log Statement


Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Host domain URL>", referrer: "<Access Gateway Admin UI URL>"

Fix/Validation Steps

  1. Ensure the application is responding.
  2. Ensure that the application URL is reachable from the Access Gateway.

  3. Ensure that the connection is not being blocked at any stage.

  4. Test the connectivity to the backend application from the Access Gateway.

  5. If the application is expected to take longer than 60 seconds, increase the Backend Timeout duration in the Advanced dropdown menu in Application Settings.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application Timeout - Internal App

The backend web application <Requested Application> is not receiving user requests from the Access Gateway and not available for usage.

Possible Cause

The Access Gateway returns this error when it times out while trying to connect to an internal application it is protecting.

Log Statement


Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Server domain URL>", referrer: "<Access Gateway Admin UI URL>"

Fix/Validation Steps

  1. Ensure the application is responding.
  2. Ensure that the application URL is reachable from the Access Gateway.

  3. Ensure that the connection is not being blocked at any stage.

  4. Test the connectivity to the backend application from the Access Gateway.

  5. If the application is expected to take longer than 60 seconds, increase the Backend Timeout duration in the Advanced dropdown menu in Application Settings.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Login Error

Error being generated while logging in to an application.

Note

For login errors, a TRACKER_ID will be assigned to each issue. Evidence of this can be seen in the log statements below.

Time is not in sync.

Log Statement 1


Apr 3 14:20:18 accessgw01 ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="882d8b2faf" SOURCE="<IDP SSO URL>" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] Requester/RequestDenied: Could not validate the following SAML AuthnRequest from partner <Access Gateway Application Name>:

Fix/Validation Steps 1

  1. Log in to the Access Gateway Admin UI.
  2. Select the Settings tab.

  3. Select Advanced.

  4. Verify that the time is correct.

  5. If the time is not correct, click Resync.

  6. Click the refresh button to refresh system time and verify that it is current.

  7. Test the application to determine if time is synchronized correctly.

Log Statement 2


Apr 3 14:20:09 oag01 ACCESS_GATEWAY ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="882d8b2faf" SOURCE="<IDP SSO URL>" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] Received an assertion that is valid in the future. Check clock synchronization on IdP and SPAn acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process..

Fix/Validation Steps 2

  1. Log in to the Access Gateway Management Console.
  2. Select the Service option, and then select the NTP option.

  3. Choose the option to restart the NTP service.

  4. Check the time in Access Gateway web console.

  5. Test the application.

Log Statement 3


Apr 4 16:20:11 oag01 ACCESS_GATEWAY ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="d7703c136c" SOURCE="<IDP SSO URL>" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] Received an assertion that has expired. Check clock

Fix/Validation Steps 3

  1. Log in to the Access Gateway Management Console.
  2. Select the Service option, and then select the NTP option.

  3. Select the Set System Time option.

  4. Enter the time in MON DD YYYY HH:MI:SS AM/PM format.

  5. Check the time in the Access Gateway Admin UI and ensure it matches.

  6. Test the application.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Browser does not trust the domain and does not posts SAML request

Note

This error can occur if a user keeps re-posting SAML assertions or if an error occurs in the process of accepting a self-signed SSL certificate.

Log Statement


Apr 04 14:19:44 ACCESS ERROR [3137b1cb3f] Caused by: Exception: Unable to find the current binding.

Fix/Validation Steps 1

  1. Open the returned certificate.
  2. Check the validity of the certificate.

  3. If the certificate is not valid, request a new certificate and update it in Access Gateway using the Management Console.

  4. Test the application.

Fix/Validation Steps 2

  1. Check if the URL of the application is trusted by the browser.
  2. Add the URL of the application and all other Access Gateway endpoints under the trusted zone settings in the browser.

  3. Restart the browser.

  4. Test the application.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Unexpected Appliance Behavior

Possible Cause

The browser cache can cause unexpected behaviors to occur in applications or the Access Gateway.

Fix/Validation Steps

  1. Clear the browser cache and retest.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Multiple Application Certificate Errors

  1. When accessing an application, the browser is showing a certificate warning and takes the user to the application once the user clicks the proceed link.

  2. The application fails to open and user receives an Access Gateway error screen.

  3. The application works normally if it is opened in the same browser session as used previously.

    Possible Cause

    • This can happen when a browser does not trust the certificate. When the user clicks the proceed link, the browser does not post data to the SAML endpoint and the SAML assertion ends up failing.

    • Or, when the application is opened again in the same browser session, the browser trusts the URL the next time because it has permission from the user to trust the URL, so it posts the correct data to the SAML endpoint.

Fix/Validation Steps

Temporary Fix - Local System Only

Add the Access Gateway client certificate to the browser’s trust store. Here is an example for Internet Explorer:

  1. From the application page, open the certificate in the browser and export it to the local machine.
  2. Open Internet Options.
  3. Go to the Content tab.
  4. Click Certificates.
  5. In the pop up window, go to Trusted Root Certification Authorities.
  6. Click Import**.
  7. Click Next → Next → Finish*.
  8. Click Yes in the security warning window to proceed with the installation.
  9. Click OK and close all open windows.
  10. Restart the machine if it still does not work.
  11. Retest the login

Permanent Fix - For All Systems

  1. Procure a valid certificate.
  2. Update the certificate on the Access Gateway appliance.

  3. Update the certificate on the load balancer if it is presenting the certificate.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Redirect Looping

Internet Explorer can experience opening/closing of tabs or redirecting in a loop.

Possible Cause 1

The browser does not trust the application or the Access Gateway endpoints.

Fix/Validation Steps 1

  1. Add the Access Gateway hostname endpoint and application endpoint URLs to the Trusted Zone settings in IE settings.

Possible Cause 2

If you are using a load-balanced solution, the browser resolves the Access Gateway hostname to one node and the application public domain to another node.

Fix/Validation Steps 2

  1. Verify that the load balancer enforces sticky sessions.
  2. Ping the Access Gateway Hostname and the Application Public Domain to verify that they are resolving to different IP Addresses.

  3. Update the local hosts file or DNS entry to match the correct IP Addresses.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Invalid IDP API Key

Possible Cause

The IDP API token has been deleted from IDP.

Fix/Validation Steps

  1. Create a new IDP API token in IDP under Security → API Menu.
  2. Update the API Key in the Access Gateway under Setting → Identity Providers.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

App Name is Out of Sync

<App Name> is out of sync with IDP. Would you like to recreate this application is <IDP OrgThe Okta container that represents a real-world organization. name>?

Possible Cause
The application has been deleted from IDP.

Fix/Validation Steps

  1. Ensure that the API key used to configure the Access Gateway is still active. If not, continue with the following steps.
  2. Delete the existing application from Access Gateway.

  3. Confirm that the application is deleted from IDP before re-creating the app.

  4. Add the application again in the Access Gateway.

  5. Ensure that the application has been created in IDP.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Site Can Not Be Reached/Displayed

Possible Cause

The browser is unable to reach the site. The root cause can be: The Application/Access Gateway service(s) is not running or DNS entry is missing.

Fix/Validation Steps

  1. Restart the Access Gateway service(s)/backend app if it is not responding.
  2. Add required DNS entry in DNS or local hosts file.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Setup/App Creation Freezes

The progress indicator keeps spinning during initial setup or while creating an application in the Access Gateway.

Possible Cause

his happens when the Access Gateway fails to reach the designated IDP.

Log Statement

Mar 7 17:19:43 localhost.localdomain WEB_CONSOLE IOException occured validating IDP host :IDP login URL

Fix/Validation Steps

  1. Verify that the Access Gateway appliance is able to connect to IDP.
  2. Look for the component that is blocking the connection and allow the connection to IDP.

  3. Check the connectivity to the IDP from the Access Gateway.

  4. Ensure that the Client ID and Client Secret values are correct.

  5. Validate the IDP configuration in Access Gateway and save the settings.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

TLS Page Not Displaying

Possible Cause

This happens when a browser’s TLS security settings do not properly authenticate a secure connection with the Access Gateway.

Log Statement

Apr 16 10:55:41 test-oag icsDefault443Error 2018/04/16 10:55:41 [crit] 18480#0: *3047 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client: Client IP address, server:0.0.0.0:443

Fix/Validation Steps

  1. In Internet Explorer, click the Settings menu.
  2. Select Internet Options.

  3. Click the Advanced tab.

  4. Scroll until you see the SSL/TLS settings under the Security section.

  5. Ensure that IE uses: TLS 1.1, 1.2, and 1.3.

  6. Click Apply.

  7. Click OK.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Appendix - Troubleshooting Tools

These tools can be used to investigate and resolve issues that occur on the Access Gateway, IDP, applications, the network, and in browsers.

Ping

Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source.

Usage
ping <destination>

Sample output

root@localhost~]# ping localhost
PING localhost(192.168.0.211) 56(84) bytes of data.
	64 bytes from oag(192.168.0.211): icmp_seq=1 ttl=64 time=0.033 ms
	64 bytes from oag(192.168.0.211): icmp_seq=2 ttl=64 time=0.035 ms
	64 bytes from oag(192.168.0.211): icmp_seq=3 ttl=64 time=0.047 ms
	64 bytes from oag(192.168.0.211): icmp_seq=4 ttl=64 time=0.047 ms
	64 bytes from oag(192.168.0.211): icmp_seq=5 ttl=64 time=0.048 ms
	^C
	--- ping statistics ---
	5 packets transmitted, 5 received, 0% packet loss, time 4479ms
	tt min/avg/max/mdev = 0.033/0.042/0.048/0.006 ms

Error

In there is no response from the target host, most implementations of ping display nothing, or periodically print notifications about timing out. Possible ping outputs indicating a problem include the following:

  • H, !N, or !P — host, network, or protocol unreachable.

  • S — source route failed.

  • T — return time in milliseconds or 1/4 meters-second (normally in telephone meters per and in traffic control milli per second).

  • F — fragmentation needed.

  • U or !W — destination network/host unknown.

  • I — source host is isolated.

  • A — communication with destination network administratively prohibited.

  • Z — communication with destination host administratively prohibited.

  • Q — for this ToS, the destination network is unreachable.

  • X — communication administratively prohibited.

  • V — host precedence violation.

  • C — precedence cutoff in effect.

In case of an error, the target host or an intermediate router sends back an ICMP error message, such as “host unreachable” or “TTL exceeded in transit.” In addition, these messages include the first eight bytes of the original message (in this case, the header of the ICMP echo request, including the quench value), so the ping utility can match responses to originating queries.

NS Lookup

nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain domain name, IP address mapping, or any other specific DNS records.

Usage
nslookup [-option] [name | -] [server]

Note Please see this page for more details on available options.

Sample output

[root@localhost~]# nslookup www.okta.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   www.okta.com
Address: 69.195.124.173

Error:
Here is sample output when nslookup fails to find the DNS record:
[root@localhost~]# nslookup unknown.host				Server:         8.8.8.8
		Address:        8.8.8.8#53
** server can't find oag: NXDOMAIN

Telnet

The telnet command is used for interactive communication with another host using the TELNET protocol. It begins in command mode where it prints a telnet command prompt (telnet>).

Usage
telnet <host> <port>

Sample output of a successful connection

[root@localhost~]# telnet somehost
Trying 192.168.0.211...
Connected to somehost.
Escape character is '^]'.
^C
Connection closed by foreign host.`

Sample output of a failed connection

[root@locahost~]# telnet unsupported.host
Trying 192.168.0.211...
telnet: connect to address 192.168.0.211: Connection refused

NOTE: In the example above, host somehost is listening on port 443, but not on port 445.

If telnet is not available on Windows, it can be enabled using these steps:

  1. Click Start → Control Panel.

  2. Click Programs and Features.

  3. Click Turn Windows features on or off.

  4. In the Windows Features dialog box, select the Telnet Client option.

  5. Click OK. The system installs the appropriate files. This will take a few seconds to a minute to complete.

NetCat

The nc (or netcat) utility is used for many tasks involving TCP, UDP, or UNIX-domain sockets. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet, nc scripts nicely and separates error messages into standard errors instead of sending them to standard output like telnet does.

Usage
nc [options] <host> <port>

Example
Similar to telnet, nc can also be used to validate whether a host is listening on a specified port. Here are sample outputs of successful and failed connections:

Successful connection

[root@localhost~]# nc -v -z -w 1 somehost 443
Connection to somehost port 443 [tcp/https]succeeded!

Failed connection

[root@localhost~]# nc -v -z -w 1 somehost 445
nc: connect to somehost 445 (tcp) failed: Connection refused

Note: nc is only available on Unix, Linux, and Mac operating systems.

Access Gateway Sample Header Application

The sample header application is bundled with Access Gateway and can be used to validate the state of the environment and identify issues. The tests below can be performed using the sample header application to identify the root cause of some issues.

No. Component to Validate Validation Steps

1

Connectivity with IDP

  1. Add/Edit an application in Access Gateway.

  2. Access Gateway will fail to create/save the application if it fails to connect to IDP.

2

IDP API token

  1. Add/Edit an application in Access Gateway.

  2. Access Gateway will report an error if the IDP API key is not active.

3

IDP attributes

  1. Add/Edit the sample header app in Access Gateway.

  2. Add the required attribute in the Attributes tab, and pass it to the header.

  3. Open the sample header app and validate the value of the attribute.

4

Access Gateway

  1. Open the sample header application.

  2. This should redirect you to IDP for authentication (if IDP session does not exist and policy is set to protect the app).

  3. Any discrepancy in application flow points to an issue in the environment.

5

Application in IDP

This can be tested in 2 different ways.

Application chiclet in IDP:

  1. Log in to IDP.

  2. Click the application chiclet.

  3. This should redirect you to the application. If it does not, there is an issue in the environment.

Application URL in Access Gateway:

  1. Log in to the Access Gateway Admin UI.

  2. Go to the Applications tab.

  3. Right-click the Goto app button.

  4. Click Copy link address if using Chrome or Firefox, Copy Link if using Safari, or Copy shortcut if using Internet Explorer.

  5. Paste the URL in the address bar, and press Enter.

  6. This should take you to IDP for authentication before proceeding to the application. If you are not directed to the application after authentication, there is an issue with the environment.

6

Application in Access Gateway

  1. Open the public URL configured in Access Gateway Admin UI for the application in a browser window.

  2. This should take you to IDP for authentication before proceeding to the application. If you are not directed to the application after authentication, there is an issue with the environment.

Top