Application troubleshooting process

Troubleshooting applications requires a general methodology or process. This guide describes a general troubleshooting process, involving applications, logs, DNS and related areas.

In general application troubleshooting involves these areas:

  • Application resources - Can the applications URL be reached externally, by customers and internally by Access Gateway?
  • Application configuration - Does the application have the correct resources and attributes?
  • Policy - Does the application have required policy to protect specific URI/URLs, does the policy behave as expected?

 

Tip

Tip

When working with Okta support, an exact log of the problem or issue can be extremely helpful. To generate a HAR archive of a set of operations see Generating HAR files.

The following tasks describe examining and validating each of these areas.

Task

Description

Core application requirements

Verify application requirements, specifically:

  • External and internal application resources - Are the Public Domain and Protected Web Resource fields correct? 
  • Groups - Is the application assigned the correct groups.
  • Post login URL - Enabled? - Hostname in post login URL matches host name in public domain. Redirects to internal only addresses will fail.

Relative references:

Manage groups - verify application is assigned appropriate groups

Manage application essentials - verify public domain and protected web resource.

Application headers

Examine application header fields. Verify:

  • Application headers - what header fields are required by application.
  • Header fields - Are all expected header fields present?  Do all header fields contain expected properties?

Relative references:

Manage application attributes - verify header attributes.

Troubleshoot applications-test header applications to verify header content.

Verify DNS mappings

Verify that the Public Domain and Protected Web Resource fields resolve to expected DNS entries.

Relative references:

Manage DNS settings - validate primary, secondary and tertiary DNS servers.

Ping - validate a specific DNS address is reachable.

Proxy - validate proxy settings are correct, where required.

Intermediates

Verify that any intermediate servers (between Access Gateway and protected web resource) are property configured. Common interemediates are load balanacers, Oracle HTTP server and similar servers.
Relative references:

See documentation for intermediate server.  

Application debug mode

Enable application debug mode and verify logs

Relative references:

Managing applications - enable debug mode.

HTTP return values

Troubleshoot HTTP return codes.

Relative references:

HTTP return codes - Examine and verify expected HTTP return code.

Access Gateway and application logs

Know location of and verify Access Gateway and application logs.

Relative references:

Monitor Access Gateway logs - Monitor logs as applications are being executed using the command line console.

Download Access Gateway logs - After a test run download all Access Gateway log files for offline review.

Configure and monitor log forwarders - Configure a log forwarded to forward log events to systems such as Splunk or Graylog.

Monitor protected application logs - Review protected application logs as appropriate. See protected application documentation to determine where application logs are stored.

URI policy

Examine and verify application policy - Do specific URIs have policies?

Relative references:

Managing Application Policy - examine defined application policy.

Troubleshoot application policy - enable and troubleshoot application policy.

Related topics

Application process flow

Troubleshooting tips and techniques

Generating HAR files