Troubleshooting guide

What You Need to Know Before You Start Troubleshooting

To properly troubleshoot the Access Gateway, you must meet the following prerequisites:

  • Administrator access to the IDP Client.

  • Access to the Access Gateway Management Console.

  • Knowledge of how to retrieve and monitor logs from network appliances, application servers, etc.

  • Knowledge of how to identify an HTTP status code that appears in a log statement.

What Problem Are You Experiencing?

Compare the error you’ve received with this list, and click the appropriate problem description below:

 

How to Monitor Logs

 

  1. Log in to the Access Gateway and open a terminal window. The default credentials are given below:
    • Username: oag-mgmt
    • Password: OktaMgmt@123


  2. Select 4-Monitoring from the Management Console menu
  3. Select 1- Monitor Logs from the Monitoring Menu

HTTP Status Codes

Access Gateway and other applications return the following status codes to the browser during any event. They are also captured in the access log for troubleshooting issues.

 

Status Code Description
200 Success
400 Application is being called using IP address or the hostname is not being served by Gateway
401 Session does not exist
403 Policy rule denied access to resource
404 Unknown page, content or resource
405 Session integrity failure
500 Server-side error
502 Backend application is not available
503 Application is in maintenance, inactive, or offline mode
504 Request to backend application timed out

How Do I Find My Status Code?

The Access Gateway presents status codes as shown below:

Note

  • HTTP status codes visible in the browser could be returned from a backend application, which could be misleading. In case of any HTTP errors, all HTTP status codes returned by Access Gateway are displayed as user friendly error messages on the page along with Access Gateway branding in the header and footer sections (see the screenshot above for an example).

  • The example screenshot below is an example of a generic error message, not a message generated by the Access Gateway. This type of generic error message will look different for every application. If the page is not an Access Gateway page, it indicates which HTTP status code is being returned by the application protected by Access Gateway (see the example “Error 500” screenshot below for an example).

Some status codes are caused by a backend application error and need to be investigated on the application side.

Steps to capture an HTTP status code:

Note

In some cases, and depending on the application or error, the end user may not see an Access Gateway error screen, and a status code must be collected from the browser. Follow these steps to capture a status code using the browser developer tools.

  1. Open a new browser window.

  2. Right-click the page, and click Inspect to open Developer Tools.

  3. Click the Network tab.

  4. Enter the URL you want to test, and press Enter.

  5. Complete the login process if required.

  6. Capture the status code of the page in question. See the image below for more information.

Note

The steps shown above to open Developer Tools are applicable to Google Chrome. In IE, Developer Tools can be opened by pressing F12.

Tracking ID

In case of an internal server error, Access Gateway generates a tracking ID that is displayed on the error page. This tracking ID can be used to identify the event and corresponding log messages from the log files while troubleshooting.

If the error page has a tracking ID, you can click the Tracking ID button to copy the tracking ID and the associated error message provided in the log. This message contains important information that can help you troubleshoot the issue.

Log Statement


Gateway host:[<host URL>]referer:[<IDP SSO URL>]error:[Login Error] tracking ID:[6eff1f9ca3] details:[Requester/RequestDenied: Could not validate the following SAML AuthnRequest from partner Test App: ]

What Problem Are You Experiencing?

Status Code 400

Unknown Host Status

The requested host: <Requested Hostname> is not being served by this Access Gateway.

Possible Cause

The DNS record resolves to the Access Gateway, and there is no service or application available on the Access Gateway with the corresponding host name.

Log Statement


Mar 7 15:26:26 localhost.localdomain icsDefault443Access <host URL> <IP ADDRESS> - - [07/Mar/2018:15:26:26 -0600] "GET / HTTP/1.1" 400 1992 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36" "-" 0.035 0.035

Fix/Validation Steps

  1. Check that you are using the correct URL.
  2. Check that the Public Domain field in Access Gateway application is correct.

  3. Check that your DNS or local hosts file correctly addresses the hostname and IP address.

  4. Check that your application is configured properly with the relevant hostname.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 403

Access Denied to Resource

Access to resource <Requested Resource> in application “Requested Applications” has been denied.

Possible Cause

The Access Gateway returns this status code when the policy engine denies access to a protected resource. You might receive this status code if there is a condition where certain access to a resource is intentionally prohibited.

Log Statement


Mar 7 15:36:22 localhost ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_id="aa3b92617708c430ad74acbd6b1cf23f4809b48141" SUBJECT="<User login ID>" RESOURCE="/test" METHOD="GET" POLICY="test" POLICY_TYPE="PROTECTED_REGEX" DURATION="0" APP="<Application name / description>" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="DENY" REASON="Groups=(?!.*Everyone:) - SESSIONID=_aa3b92617708c430ad74acbd6b1cf23f4809b48141 RelayDomain=<Relay domain URL> static1=static1 secret=secretvalue spgw_username=<User ID> UserName=<User ID> spgw_username=<User ID> cloud:identity:domain=<IDP tenant subdomain> workEmail=<User work email attribute> cloud:identity:tenant=<IDP tenant subdomain> givenName=<User first name> familyName=<User last name> email=<User email> SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.1.4 USER_AGENT=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36 creationTime=1520458088124 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1520458092027 " REMOTE_IP="<IP Address>" USER_AGENT="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] deny access to resource

Fix/Validation Steps

  1. Verify this is indeed an error and not an intentional denied resource
  2. Verify and fix the defined policy in the Access Gateway application.

  3. Verify that the user is allowed access by the policy.

  4. Contact Support if the application resource is still inaccessible.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 404

Resource Not Found

The page you are trying to access does not exist.

Possible Cause

The Access Gateway returns this status code when the requested resource is unavailable.

Log Statement


Apr 5 03:59:57 oag01 icsIcsgwAccess <Gateway domain> <Gateway IP address> - - [05/Apr/2018:03:59:57 -0500] "GET / HTTP/1.1" 404 1922 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "<Gateway IP address>" 0.019 0.019

Fix/Validation Steps

  1. Check the URL to make sure it is correct, and ensure that the resource still exists and is pointed toward the correct location.
  2. If resource is inaccessible, contact Support.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 405

Access Denied

The Access Gateway has detected an anomaly in user access to the <Requested Application>.

Possible Cause

The Access Gateway will return this status code when it detects a possible issue with session integrity to prevent sessions from being hijacked. This can also happen when a user switches networks with an active session in place.

Log Statement


Apr 2 15:19:32 ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_id="0e53b206b5aa2d8b93cdf7f48c4c5ca51e2eeff494" SUBJECT="<User ID>" APP="IDP Sample Header App 1" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="DENY" REASON="SESSION_INTEGRITY_REMOTEIP_MISMATCH" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] SRF Request RemoteIP (http_x_real_ip): <User IP address> failed to match session RemoteIP: <Remote IP address> Apr 2 15:19:32 IDPsampleheaderapp1 <App domain URL> <User IP address> - - [02/Apr/2018:15:19:32 -0500] "GET / HTTP/1.1" 405 2050 "<IDP SSO URL>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "<User IP address>" 0.010 0.010.

Fix/Validation Steps

  1. Verify with the user if they changed networks during an active session with Access Gateway.
  2. If step 1 is confirmed, the user must restart the browser and log in again to create a new session.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 413

Request Entity Too Large Code

The Access Gateway will display error 413 if the file being uploaded is greater than 1MB.

Possible Causes

By default, the Access Gateway is set to allow file uploads that are less than 1MB in size.

Fix/Validation Steps

  1. Use the developer tools to confirm that the HTTP status code being returned by the Access Gateway is 413
  2. To increase the file upload limit, click the Applications tab.

  3. Click the Edit App icon for the corresponding application.

  4. Open the Advanced dropdown menu within the application.

  5. Slide the Maximum File Upload Size Adjuster to an appropriate size.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 500

Internal Server Error

An unexpected server error has occurred. The error has been logged. Please contact your support service if you face this error message.

Possible Cause

Error in an Access Gateway component.

Log Statement


Apr 2 22:53:10 IDPsampleheaderapp1 2018/04/02 22:53:10 [info] 26875#0: *3909 client closed connection while waiting for request, client: 192.168.10.20, server: 0.0.0.0:443Apr 2 22:53:10 IDPsampleheaderapp1 <App domain URL> <IP address> - - [02/Apr/2018:22:53:10 -0500] "GET /GOPYX48z5/module.php/icsgw/as_login.php?AuthId=k3x6WX20E&ReturnTo=https://<App domain URL> HTTP/1.1" 302 2707 "<Gateway domain URL>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 0.006 0.006

Fix/Validation Steps

Contact Support to investigate the issue.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 502

Application is Not Responding

The backend web application <Requested Application> is not receiving user requests from the Access Gateway and not available for usage.

Possible Cause

The Access Gateway will return this error when it fails to connect to the backend application it is protecting.

Log Statement


Apr 5 04:01:38 oag01 icsadmin <Gateway domain URL> <IP address> - - [05/Apr/2018:04:01:38 -0500] "GET / HTTP/1.1" 502 2130 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 0.006 0.000, 0.000 : 0.005
.

Fix/Validation Steps

  1. Ensure the app is working and the protected URL specified in the Access Gateway is reachable.
  2. Ensure the DNS record is resolvable.

  3. Ensure the backend application is reachable from the server that hosts the Access Gateway appliance using the troubleshooting tools in the Appendix.

  4. If using a load balancing solution, individually verify if all or one of the Access Gateway appliances are causing the issue.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 503

Application Not Activated

Application <Requested Application> has been disabled and is not available for usage.

Note

Any of these 503 status codes might display if an administrator has chosen to temporarily remove access to an application. Likewise, the application will also be disabled in IDP. Before editing any settings in the Access Gateway Admin UI, confirm the application status with the application owner or appropriate manager.

Possible Cause

The Access Gateway will show this warning page when an application has been marked as inactive.

Log Statement


Mar 7 16:56:39 localhost ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/" METHOD="GET" POLICY="INACTIVE" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] allow access to resource.

Fix/Validation Steps

  1. Open the Access Gateway Admin UI.

  2. Go to the Applications tab.

  3. Verify that the status of your application is set to Inactive.

  4. Edit the Application.

  5. Change the application status to Application is Active.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application is in Maintenance

The application <Requested Application> is temporarily not available for usage.

Possible Cause

The Access Gateway will show this warning page when an application status has been changed to maintenance mode for any maintenance activity.

Log Statement


Mar 7 16:58:23 localhost ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/" METHOD="GET" POLICY="ACTIVE_MAINT" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"] allow access to resource

Fix/Validation Steps

  1. Open the Access Gateway Admin UI.
  2. Go to the Applications tab.

  3. Verify that the status of your application is set to Maintenance.

  4. Ensure that maintenance on the application is complete and the backend application is available.

  5. Edit the application.

  6. Change the application status to Application is Active when the application maintenance is complete.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application is Offline

The application <Requested Application> is not functioning correctly and has been taken offline. This outage has been logged.

Possible Cause

The Access Gateway shows this warning when it detects potential errors with an application configuration and marks it offline.

Log Statement


Apr 2 15:02:33 ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="N/A" SUBJECT="" RESOURCE="/favicon.ico" METHOD="GET" POLICY="ACTIVE_OFFLINE" POLICY_TYPE="NO_AUTH" DURATION="0" APP="IDP Sample Header App 1" APP_TYPE="SAMPLEIDPHEADER2015_APP" APP_DOMAIN="<App domain URL>" RESULT="ALLOW" REASON=" - N/A" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"] allow access to resource Apr 2 15:02:33 IDPsampleheaderapp1 <App domain URL> <IP address> - - [02/Apr/2018:15:02:33 -0500] "GET /favicon.ico HTTP/1.1" 503 2063 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "-" 0.011 0.011

Fix/Validation Steps

  1. Open the Access Gateway Admin UI.
  2. Go to the Applications tab.

  3. Verify that the status of your application is set to Offline.

  4. Edit the application.

  5. Change the application status to Application is Active after fixing the application configuration error.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Status Code 504

Access Gateway Timeout

The 504 Gateway Timeout is an Oracle EBS Integration timeout error.

Possible Cause

The EBS registration is not working or has been erased from the instance. The application will not provide the GUID and the USER_ORCLGUID header will not appear in the Access Gateway Logs when debug is enabled.

Log Statement


Apr 2 15:49:53 oracleaccessgatetest1 <App domain URL> <App IP address> - - [02/Apr/2018:15:49:53 -0500] "GET /accessgate/ssologin HTTP/1.1" 504 2050 "<IDP federation response>" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "-" 1.017 1.002 : 0.008
>

Fix/Validation Steps

  1. 1. If EBS is expected to take longer than 60 seconds, increase the Backend Timeout duration in the Advanced dropdown menu in Application Settings.
  2. Troubleshoot and fix the EBS application instance.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application Timeout - Backend App

The backend web application <Requested Application> is not responding in a timely manner to user requests from the Access Gateway and/or not available for usage.

Possible Cause

The Access Gateway returns this error when it times out when trying to connect to an internal application it is protecting.

Log Statement


Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Host URL>", referrer: "<Access Gateway Admin UI URL>"

Fix/Validation Steps

  1. Ensure the application is responding.
  2. Ensure that the application URL is reachable from the Access Gateway.

  3. Ensure that the connection is not being blocked at any stage.

  4. Test the connectivity to the backend application from the Access Gateway.

  5. If the application is expected to take longer than 60 seconds, increase the Backend Timeout duration in the Advanced dropdown menu in Application Settings.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application Render Failure

The application does not render if the backend application takes longer than 60 seconds to respond.

Possible Cause

The Access Gateway is set to time out after 60 seconds when waiting for a response from the backend application.

Log Statement


Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Host domain URL>", referrer: "<Access Gateway Admin UI URL>"

Fix/Validation Steps

  1. Ensure the application is responding.
  2. Ensure that the application URL is reachable from the Access Gateway.

  3. Ensure that the connection is not being blocked at any stage.

  4. Test the connectivity to the backend application from the Access Gateway.

  5. If the application is expected to take longer than 60 seconds, increase the Backend Timeout duration in the Advanced dropdown menu in Application Settings.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Application Timeout - Internal App

The backend web application <Requested Application> is not receiving user requests from the Access Gateway and not available for usage.

Possible Cause

The Access Gateway returns this error when it times out while trying to connect to an internal application it is protecting.

Log Statement


Mar 7 17:47:32 localhost.localdomain headerssoapp11 2018/03/07 17:47:32 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "http://1.1.1.1:80/", host: "<Server domain URL>", referrer: "<Access Gateway Admin UI URL>"

Fix/Validation Steps

  1. Ensure the application is responding.
  2. Ensure that the application URL is reachable from the Access Gateway.

  3. Ensure that the connection is not being blocked at any stage.

  4. Test the connectivity to the backend application from the Access Gateway.

  5. If the application is expected to take longer than 60 seconds, increase the Backend Timeout duration in the Advanced dropdown menu in Application Settings.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Error using SSH to connect to Access Gateway Command Line Console

When using SSH to connect to the command line console an error is generated similar to:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

For example:

usernamessh 100.25.225.222
username@100.25.225.222:Permission denied (publickey, gssapi-keyex,gssapi-with-mic).
username $

Problem:
Did not specify required oag-mgmt username when attempting to connect to the Access Gateway command line.
Solution:
Specify the oag-mgmt user when connecting to an Access Gateway instance. For example

usernamessh oag-mgmt@100.25.225.222

Access Gateway Administration . . .

  1 - Network
  2 - Services 
. . . 

 

What Problem Are You Experiencing?

Login Error

Error being generated while logging in to an application.

Note

For login errors, a TRACKER_ID will be assigned to each issue. Evidence of this can be seen in the log statements below.

What Problem Are You Experiencing?

Time is not in sync.

Log Statement 1


Apr 3 14:20:18 accessgw01 ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="882d8b2faf" SOURCE="<IDP SSO URL>" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] Requester/RequestDenied: Could not validate the following SAML AuthnRequest from partner <Access Gateway Application Name>:

Fix/Validation Steps 1

  1. Log in to the Access Gateway Admin UI.
  2. Select the Settings tab.

  3. Select Advanced.

  4. Verify that the time is correct.

  5. If the time is not correct, click Resync.

  6. Click the refresh button to refresh system time and verify that it is current.

  7. Test the application to determine if time is synchronized correctly.

Log Statement 2


Apr 3 14:20:09 oag01 ACCESS_GATEWAY ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="882d8b2faf" SOURCE="<IDP SSO URL>" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.

Fix/Validation Steps 2

  1. Log in to the Access Gateway Management Console.
  2. Select the Service option, and then select the NTP option.

  3. Choose the option to restart the NTP service.

  4. Check the time in Access Gateway web console.

  5. Test the application.

Log Statement 3


Apr 4 16:20:11 oag01 ACCESS_GATEWAY ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="d7703c136c" SOURCE="<IDP SSO URL>" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="<Remote IP address>" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"] Received an assertion that has expired. Check clock

Fix/Validation Steps 3

  1. Log in to the Access Gateway Management Console.
  2. Select the Service option, and then select the NTP option.

  3. Select the Set System Time option.

  4. Enter the time in MON DD YYYY HH:MI:SS AM/PM format.

  5. Check the time in the Access Gateway Admin UI and ensure it matches.

  6. Test the application.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Browser does not trust the domain and does not posts SAML request

Note

This error can occur if a user keeps re-posting SAML assertions or if an error occurs in the process of accepting a self-signed SSL certificate.

Log Statement


Apr 04 14:19:44 ACCESS ERROR [3137b1cb3f] Caused by: Exception: Unable to find the current binding.

Fix/Validation Steps 1

  1. Open the returned certificate.
  2. Check the validity of the certificate.

  3. If the certificate is not valid, request a new certificate and update it in Access Gateway using the Management Console.

  4. Test the application.

Fix/Validation Steps 2

  1. Check if the URL of the application is trusted by the browser.
  2. Add the URL of the application and all other Access Gateway endpoints under the trusted zone settings in the browser.

  3. Restart the browser.

  4. Test the application.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Unexpected Appliance Behavior

Possible Cause

The browser cache can cause unexpected behaviors to occur in applications or the Access Gateway.

Fix/Validation Steps

  1. Clear the browser cache and retest.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Multiple Application Certificate Errors

  1. When accessing an application, the browser is showing a certificate warning and takes the user to the application once the user clicks the proceed link.

  2. The application fails to open and user receives an Access Gateway error screen.

  3. The application works normally if it is opened in the same browser session as used previously.

    Possible Cause

    • This can happen when a browser does not trust the certificate. When the user clicks the proceed link, the browser does not post data to the SAML endpoint and the SAML assertion ends up failing.

    • Or, when the application is opened again in the same browser session, the browser trusts the URL the next time because it has permission from the user to trust the URL, so it posts the correct data to the SAML endpoint.

Fix/Validation Steps

Temporary Fix - Local System Only

Add the Access Gateway client certificate to the browser’s trust store. Here is an example for Internet Explorer:

  1. From the application page, open the certificate in the browser and export it to the local machine.
  2. Open Internet Options.
  3. Go to the Content tab.
  4. Click Certificates.
  5. In the pop up window, go to Trusted Root Certification Authorities.
  6. Click Import**.
  7. Click Next → Next → Finish*.
  8. Click Yes in the security warning window to proceed with the installation.
  9. Click OK and close all open windows.
  10. Restart the machine if it still does not work.
  11. Retest the login

Permanent Fix - For All Systems

  1. Procure a valid certificate.
  2. Update the certificate on the Access Gateway appliance.

  3. Update the certificate on the load balancer if it is presenting the certificate.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Redirect Looping

Internet Explorer can experience opening/closing of tabs or redirecting in a loop.

Possible Cause 1

The browser does not trust the application or the Access Gateway endpoints.

Fix/Validation Steps 1

  1. Add the Access Gateway hostname endpoint and application endpoint URLs to the Trusted Zone settings in IE settings.

Possible Cause 2

If you are using a load-balanced solution, the browser resolves the Access Gateway hostname to one node and the application public domain to another node.

Fix/Validation Steps 2

  1. Verify that the load balancer enforces sticky sessions.
  2. Ping the Access Gateway Hostname and the Application Public Domain to verify that they are resolving to different IP Addresses.

  3. Update the local hosts file or DNS entry to match the correct IP Addresses.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Invalid IDP API Key

Possible Cause

The IDP API token has been deleted from IDP.

Fix/Validation Steps

  1. Create a new IDP API token in IDP under Security → API Menu.
  2. Update the API Key in the Access Gateway under Setting → Identity Providers.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

App Name is Out of Sync

<App Name> is out of sync with IDP. Would you like to recreate this application is <IDP Org name>?

Possible Cause
The application has been deleted from IDP.

Fix/Validation Steps

  1. Ensure that the API key used to configure the Access Gateway is still active. If not, continue with the following steps.
  2. Delete the existing application from Access Gateway.

  3. Confirm that the application is deleted from IDP before re-creating the app.

  4. Add the application again in the Access Gateway.

  5. Ensure that the application has been created in IDP.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Site Can Not Be Reached/Displayed

Possible Cause

The browser is unable to reach the site. The root cause can be: The Application/Access Gateway service(s) is not running or DNS entry is missing.

Fix/Validation Steps

  1. Restart the Access Gateway service(s)/backend app if it is not responding.
  2. Add required DNS entry in DNS or local hosts file.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

Setup/App Creation Freezes

The progress indicator keeps spinning during initial setup or while creating an application in the Access Gateway.

Possible Cause

his happens when the Access Gateway fails to reach the designated IDP.

Log Statement

Mar 7 17:19:43 localhost.localdomain WEB_CONSOLE IOException occured validating IDP host :IDP login URL

Fix/Validation Steps

  1. Verify that the Access Gateway appliance is able to connect to IDP.
  2. Look for the component that is blocking the connection and allow the connection to IDP.

  3. Check the connectivity to the IDP from the Access Gateway.

  4. Ensure that the Client ID and Client Secret values are correct.

  5. Validate the IDP configuration in Access Gateway and save the settings.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?

TLS Page Not Displaying

Possible Cause

This happens when a browser’s TLS security settings do not properly authenticate a secure connection with the Access Gateway.

Log Statement

Apr 16 10:55:41 test-oag icsDefault443Error 2018/04/16 10:55:41 [crit] 18480#0: *3047 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client: Client IP address, server:0.0.0.0:443

Fix/Validation Steps

  1. In Internet Explorer, click the Settings menu.
  2. Select Internet Options.

  3. Click the Advanced tab.

  4. Scroll until you see the SSL/TLS settings under the Security section.

  5. Ensure that IE uses: TLS 1.1, 1.2, and 1.3.

  6. Click Apply.

  7. Click OK.

Did the fix/validation steps solve your problem? If not, please file a support ticket for additional assistance.

What Problem Are You Experiencing?