Troubleshooting tools

These tools can be used to investigate and resolve issues that occur on Access Gateway, Okta, applications, the network, and browsers.

Ping

Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source.

Usage:
ping <destination>

Sample output:

[root@Access Gateway ~]# ping example.oag.info
PING localhost (192.168.0.211) 56(84) bytes of data.
64 bytes from example.oag.info (192.168.0.211): icmp_seq=1 ttl=64 time=0.033 ms
. . . 
64 bytes from example.oag.info (192.168.0.211): icmp_seq=5 ttl=64 time=0.048 ms
^C
--- Access Gateway ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4479ms
rtt min/avg/max/mdev = 0.033/0.042/0.048/0.006 ms

Error:
In cases of no response from the target host, most implementations of ping display nothing, or periodically print notifications about timing out. Possible ping outputs indicating a problem include the following:

  • H, !N, or !P — host, network, or protocol unreachable

  • S — source route failed

  • T — return time in milliseconds or 1/4 meters-second (normally in telephone meters per and in traffic control milli per second)

  • F — fragmentation needed

  • U or !W — destination network/host unknown

  • I — source host is isolated

  • A — communication with destination network administratively prohibited

  • Z — communication with destination host administratively prohibited

  • Q — for this ToS, the destination network is unreachable

  • X — communication administratively prohibited

  • V — host precedence violation

  • C — precedence cutoff in effect

In case of error, the target host or an intermediate router sends back an ICMP error message, such as “host unreachable” or “TTL exceeded in transit.” In addition, these messages include the first eight bytes of the original message (in this case, the header of the ICMP echo request, including the quench value), so the ping utility can match responses to originating queries.
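The matching step described above, as an added example that is not part of the original page: it builds an echo request, constructs the ICMP error a router would return for it, and recovers the identifier and sequence number from the quoted bytes. The function names, the source address 192.168.0.10 and the sample packets are constructed for illustration; the code-to-reason table uses the standard ICMP type 3 codes.

```python
import struct

# ICMP type 3 (Destination Unreachable) codes for conditions listed above.
UNREACHABLE = {0: "network unreachable", 1: "host unreachable",
               2: "protocol unreachable", 4: "fragmentation needed",
               5: "source route failed",
               13: "communication administratively prohibited"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = checksum(struct.pack("!BBH", 8, 0, 0) + body)
    return struct.pack("!BBH", 8, 0, csum) + body

def match_error(icmp_error: bytes, outstanding: set):
    """Return (reason, ident, seq) when the error quotes one of our requests."""
    if len(icmp_error) < 8 + 20 + 8:
        return None
    etype, code, quoted = icmp_error[0], icmp_error[1], icmp_error[8:]
    ihl = (quoted[0] & 0x0F) * 4          # quoted IPv4 header length in bytes
    if ihl < 20 or quoted[9] != 1 or len(quoted) < ihl + 8:  # protocol 1 = ICMP
        return None
    # The 8 bytes after the quoted IP header are the echo request header.
    qtype, _, _, ident, seq = struct.unpack("!BBHHH", quoted[ihl:ihl + 8])
    if qtype != 8 or (ident, seq) not in outstanding:
        return None                       # not an answer to one of our probes
    reason = (UNREACHABLE.get(code, f"unreachable, code {code}") if etype == 3
              else "TTL exceeded in transit" if (etype, code) == (11, 0)
              else f"ICMP type {etype} code {code}")
    return reason, ident, seq

def sample_error(etype: int, code: int, request: bytes) -> bytes:
    """Constructed error message: quotes the IP header plus 8 request bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(request), 0, 0, 64,
                         1, 0, bytes([192, 168, 0, 10]), bytes([192, 168, 0, 211]))
    body = struct.pack("!I", 0) + ip_hdr + request[:8]
    head = struct.pack("!BBH", etype, code, 0)
    return struct.pack("!BBH", etype, code, checksum(head + body)) + body
```

Errors that do not quote an outstanding identifier and sequence pair return None, which is how unrelated or unsolicited ICMP errors are kept out of the results.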

NS Lookup

nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain domain name, IP address mapping, or any other specific DNS record.

Usage:
nslookup [-option] [name | -] [server]

Please see this page for more details on available options.

Sample output:

[root@localhost ~]# nslookup www.okta.com
Server:		10.0.1.1
Address:	10.0.1.1#53

Non-authoritative answer:
www.okta.com	canonical name = www.okta.com.cdn.cloudflare.net.
Name:	www.okta.com.cdn.cloudflare.net
Address: 104.18.211.105
Name:	www.okta.com.cdn.cloudflare.net
Address: 104.18.212.105

Error:
Here is sample output when nslookup fails to find the DNS record:
[root@localhost ~]# nslookup unknown.server.com
Server:	10.0.1.1
Address:	10.0.1.1#53
** server can't find unknown.server.com: NXDOMAIN

Telnet

The telnet command is used for interactive communication with another host using the TELNET protocol. It begins in command mode where it prints a telnet command prompt (telnet>).

Usage:
telnet <host> <port>

Sample output of Successful Connection:

[root@localhost ~]# telnet 192.168.0.211 443
Trying 192.168.0.211...
Connected to gw-admin-gateway.info.
Escape character is '^]'.
^C
Connection closed by foreign host.

Sample output of Failed Connection:

[root@localhost ~]# telnet example.oag.info 445
Trying 192.168.0.211...
telnet: connect to address 192.168.0.211: Connection refused

In the example above, host example.oag.info is listening on port 443, but not on port 445.

If telnet is not available on Windows, it can be enabled using these steps:

  1. Click Start → Control Panel.

  2. Click Programs and Features.

  3. Click Turn Windows features on or off.

  4. In the Windows Features dialog box, select the Telnet Client option.

  5. Click OK. The system installs the appropriate files. This will take a few seconds to a minute to complete.

Netcat

The nc (or netcat) utility is used for many tasks involving TCP, UDP, or UNIX-domain sockets. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet, nc scripts nicely and writes error messages to standard error instead of sending them to standard output as telnet does.

Usage:
nc [options] <host> <port>

Example:
Similar to telnet, nc can also be used to validate whether a host is listening on a specified port. Below is example output of both successful and failed connections:

Successful connection:

[root@Access Gateway ~]# nc -v -z -w 1 example.oag.info 443
Connection to example.oag.info 443 port [tcp/https] succeeded!

Failed Connection:

[root@Access Gateway ~]# nc -v -z -w 1 example.oag.info 445
nc: connect to example.oag.info port 445 (tcp) failed: Connection refused

nc is only available on Unix, Linux, and Mac operating systems.
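Where neither telnet nor nc is installed, the same listening-port check can be made with a short Python function. This is an added example, not part of the original page or of Access Gateway; the name check_port and its result labels are this example's own. It also separates a refused connection from a timed-out one, which the sample output above does not show.

```python
import errno
import socket

def check_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'refused', 'filtered', 'dns-failure' or 'error:<name>'."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"           # name did not resolve (the nslookup case)
    result = "error:no-address"
    for family, socktype, proto, _, sockaddr in addrs:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)      # same role as the -w 1 option to nc
            try:
                s.connect(sockaddr)
                return "open"          # something is listening on the port
            except ConnectionRefusedError:
                result = "refused"     # host reachable, nothing listening
            except socket.timeout:
                result = "filtered"    # no reply: packets dropped or host down
            except OSError as exc:
                result = "error:" + errno.errorcode.get(exc.errno, "unknown")
    return result

if __name__ == "__main__":
    # Host name and ports are the ones used in the sample output above.
    for p in (443, 445):
        print("example.oag.info", p, check_port("example.oag.info", p))
```

A "refused" result means the host answered and no service is bound to the port, while "filtered" usually points to a firewall or routing problem between the two hosts.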

Access Gateway Sample Header Application

The sample header application is bundled with Access Gateway and can be used to validate the state of the environment and identify issues. The tests below can be performed using the sample header application to identify the root cause of some issues.

Components to validate, with the validation steps for each:

1. Connectivity with Okta

  1. Add/Edit an application in Access Gateway.

  2. Access Gateway will fail to create/save application if it fails to connect to Okta.

2. Okta API token

  1. Add/Edit an application in Access Gateway.

  2. Access Gateway will report an error if Okta API key is not active.

3. Okta attributes

  1. Add/Edit the sample header app in Access Gateway.

  2. Add the required attribute in the Attributes tab, and pass it to the header.

  3. Open the sample header app and validate the value of the attribute.

4. Access Gateway

  1. Open the sample header application.

  2. This should redirect you to Okta for authentication (if Okta session does not exist and policy is set to protect the app).

  3. Any discrepancy in application flow points to an issue in the environment.

5. Application in Okta

This can be tested in 2 different ways.

Application chiclet in Okta:

  1. Log in to Okta.

  2. Click the application chiclet.

  3. This should redirect you to the application. If it does not, there is an issue in the environment.

Application URL in Access Gateway:

  1. Log in to the Access Gateway Admin UI.

  2. Go to the Applications tab.

  3. Right-click the Goto app button.

  4. Click Copy link address if using Chrome or Firefox, Copy Link if using Safari, or Copy shortcut if using Internet Explorer.

  5. Paste the URL in the address bar, and press Enter.

  6. This should take you to Okta for authentication before proceeding to the application. If you are not directed to the application after authentication, there is an issue with the environment.

6. Application in Access Gateway

  1. Open the public URL configured in Access Gateway Admin UI for the application in a browser window.

  2. This should take you to Okta for authentication before proceeding to the application. If you are not directed to the application after authentication, there is an issue with the environment.
