Troubleshooting tools
Use these tools to help investigate and resolve issues.
Ping
Ping is a software utility that you can use to test if one machine can reach another. It returns the time that it takes for a message to go from the host machine to the destination machine and back again.
Usage:
ping <destination>
Sample output:
```
[root@Access Gateway ~]# ping example.oag.info
PING localhost (192.168.0.211) 56(84) bytes of data.
64 bytes from example.oag.info (192.168.0.211): icmp_seq=1 ttl=64 time=0.033 ms
. . .
64 bytes from example.oag.info (192.168.0.211): icmp_seq=5 ttl=64 time=0.048 ms
^C
--- Access Gateway ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4479ms
rtt min/avg/max/mdev = 0.033/0.042/0.048/0.006 ms
```
When there's no response from the target host, most implementations of ping display nothing, or periodically print notifications about timing out. The following ping outputs indicate that there may be a problem:
- H, !N, or !P: host, network, or protocol unreachable
- S: source route failed
- T: return time in milliseconds
- F: fragmentation needed
- U or !W: destination network or host is unknown
- I: source host is isolated
- A: communication with destination network administratively prohibited
- Z: communication with destination host administratively prohibited
- Q: for this ToS, the destination network is unreachable
- X: communication administratively prohibited
- V: host precedence violation
- C: precedence cutoff in effect
When an error occurs, the target host or an intermediate router returns an ICMP error message, such as "host unreachable" or "TTL exceeded in transit". These messages include the first eight bytes of the original message (in this case, the header of the ICMP echo request, which includes the quench value). This enables the ping utility to match responses to the originating queries.
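The matching step described above, as an added example (not part of the original page or of any ping implementation): it parses an ICMP error, reads the quoted IP header and the eight bytes after it, and accepts the error only if the quoted echo identifier and sequence number belong to a request that is still outstanding. The function names, the source address 192.168.0.10 and the sample packets are constructed for illustration.

```python
import struct

# (type, code) -> meaning, subset of RFC 792 / RFC 1812
ICMP_ERRORS = {
    (3, 0): "network unreachable",
    (3, 1): "host unreachable",
    (3, 2): "protocol unreachable",
    (3, 4): "fragmentation needed",
    (3, 5): "source route failed",
    (3, 13): "communication administratively prohibited",
    (11, 0): "TTL exceeded in transit",
}

def match_icmp_error(icmp_msg, outstanding):
    """Return (meaning, ident, seq) if the error quotes one of our echo
    requests, else None. `outstanding` is a set of (ident, seq) pairs."""
    if len(icmp_msg) < 8 + 20 + 8:
        return None  # cannot hold a quoted IP header plus 8 bytes
    icmp_type, code = struct.unpack_from("!BB", icmp_msg, 0)
    meaning = ICMP_ERRORS.get((icmp_type, code))
    if meaning is None:
        return None
    quoted = icmp_msg[8:]                 # skip the 8-byte ICMP error header
    version_ihl, proto = quoted[0], quoted[9]
    ihl = (version_ihl & 0x0F) * 4        # quoted IP header length in bytes
    if version_ihl >> 4 != 4 or ihl < 20 or proto != 1 or len(quoted) < ihl + 8:
        return None                       # not a quoted IPv4/ICMP datagram
    # First eight bytes of the original message: the echo request header.
    q_type, _code, _cksum, ident, seq = struct.unpack_from("!BBHHH", quoted, ihl)
    if q_type != 8 or (ident, seq) not in outstanding:
        return None                       # unrelated or unsolicited error
    return meaning, ident, seq

def build_sample_error(icmp_type, code, ident, seq):
    """Constructed sample packet: an ICMP error quoting an echo request
    (checksums left at 0, addresses are placeholders)."""
    echo_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0,
                         bytes([192, 168, 0, 10]), bytes([192, 168, 0, 211]))
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip_hdr + echo_hdr
```

Errors that quote an identifier or sequence number the sender never used return None, so an unrelated or forged ICMP error is not attributed to a live probe.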
NS Lookup
nslookup is a network administration tool used to query the Domain Name System (DNS) to obtain domain name, IP address mapping, or other DNS records.
Usage:
nslookup [-option] [name | -] [server]
See your nslookup documentation for more details on available options.
Sample output:
```
[root@localhost ~]# nslookup www.okta.com
Server: 10.0.1.1
Address: 10.0.1.1#53

Non-authoritative answer:
www.okta.com canonical name = www.okta.com.cdn.cloudflare.net.
Name: www.okta.com.cdn.cloudflare.net
Address: 104.18.211.105
Name: www.okta.com.cdn.cloudflare.net
Address: 104.18.212.105
```
The following output provides an example of when nslookup fails to find the DNS record:
```
[root@localhost ~]# nslookup unknown.server.com
Server: 10.0.1.1
Address: 10.0.1.1#53

** server can't find unknown.server.com: NXDOMAIN
```
Telnet
The telnet command is used for interactive communication with another host using the TELNET protocol. It begins in command mode where it prints a telnet command prompt (telnet>).
Usage:
telnet <host> <port>
Sample output of a successful connection:
```
[root@localhost ~]# telnet 192.168.0.211 443
Trying 192.168.0.211...
Connected to gw-admin-gateway.info.
Escape character is '^]'.
^C
Connection closed by foreign host.
```
Sample output of a failed connection:
```
[root@localhost ~]# telnet example.oag.info 445
Trying 192.168.0.211...
telnet: connect to address 192.168.0.211: Connection refused
```
In the example, the host example.oag.info is listening on port 443, but not on port 445.
If telnet is not available on Windows, it can be enabled using these steps:
- Click Start > Control Panel.
- Click Programs and Features.
- Click Turn Windows features on or off.
- In the Windows Features dialog box, select the Telnet Client option.
- Click OK. The system installs the appropriate files. This takes a few moments to complete.
Netcat
The nc (or netcat) utility is used for many tasks involving TCP, UDP, or UNIX-domain sockets. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, scan ports, and deal with both IPv4 and IPv6. Unlike telnet, nc scripts well and writes error messages to standard error instead of sending them to standard output.
Usage:
nc [options] <host> <port>
Example:
Similar to telnet, nc can also be used to validate whether a host is listening on a specified port.
The following are examples of output of both successful and failed connections:
Successful connection:
```
[root@Access Gateway ~]# nc -v -z -w 1 example.oag.info 443
Connection to example.oag.info 443 port [tcp/https] succeeded!
```
Failed connection:
```
[root@Access Gateway ~]# nc -v -z -w 1 example.oag.info 445
nc: connect to example.oag.info port 445 (tcp) failed: Connection refused
```
nc is only available on Unix, Linux, and Mac operating systems.
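For hosts where nc is not available, the same listening-port check can be scripted. This is an added example, not part of the original page or of Access Gateway; the function names and the expected-state mapping are assumptions. It mirrors `nc -z -w 1` and reports DNS failure, refusal and timeout as separate outcomes, so a name-resolution problem (the nslookup case) is not confused with a closed port (the telnet and nc case).

```python
import socket

def check_tcp(host, port, timeout=1.0):
    """Connect once, like `nc -z -w 1`; return 'open', 'refused',
    'timeout', 'dns-failure' or 'error: <reason>'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"          # name did not resolve (e.g. NXDOMAIN)
    result = "error: no usable address"
    for family, socktype, proto, _canon, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(addr)
                return "open"         # something is listening
            except ConnectionRefusedError:
                result = "refused"    # host reachable, port closed
            except socket.timeout:
                result = "timeout"    # no answer: filtered or host down
            except OSError as exc:
                result = f"error: {exc.strerror}"
    return result

def unexpected_states(host, expected, timeout=1.0):
    """Compare each port in `expected` (port -> expected state) with the
    observed state; return only the ports that differ."""
    observed = {port: check_tcp(host, port, timeout) for port in expected}
    return {p: s for p, s in observed.items() if s != expected[p]}

if __name__ == "__main__":
    # Host and ports taken from the examples on this page.
    print(unexpected_states("example.oag.info", {443: "open", 445: "refused"}))
```

An empty result means every port is in its expected state; a `timeout` where `refused` was expected usually points at a firewall dropping packets rather than at the service itself.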
Access Gateway sample header application
The sample header application is bundled with Access Gateway and can be used to validate the state of the environment and identify issues. You can perform the following tests using the sample header application to identify the root cause of some issues.
No. | Component to Validate | Validation Steps |
---|---|---|
1 | Connectivity with Okta | |
2 | Okta API token | |
3 | Okta attributes | |
4 | Access Gateway | |
5 | Application in Okta | This can be tested in two ways. Application in Okta: Application URL in Access Gateway: |
6 | Application in Access Gateway | |