App troubleshooting process

Troubleshooting apps requires a general methodology or process. This guide describes a general troubleshooting process, involving apps, logs, DNS and related areas.

In general, app troubleshooting involves these areas:

  • App resources: Can the app's URL be reached externally, by customers and internally by Access Gateway?
  • App configuration: Does the app have the correct resources and attributes?
  • Policy: Does the app have the required policy configured to protect specific URIs and URLs, and does the policy behave as expected?

When working with Okta Support, an exact log of the problem or issue can be helpful. To generate a HAR archive of a set of operations, see Generate HTTP Archive files.

The following tasks describe examining and validating each of these areas.

Task

Description

Core application requirements

Verify application requirements, specifically:

  • External and internal application resources: Are the Public Domain and Protected Web Resource fields correct?
  • Groups: Is the application assigned the correct groups.
  • Post login URL - Enabled?: Hostname in post login URL matches host name in public domain. Redirects to internal-only addresses will fail.

Related references:

Manage groups: verify that the application is assigned appropriate groups

Manage application essentials: verify public domain and protected web resource.

Application headers

Examine application header fields. Verify:

  • Application headers: what header fields does the application require?
  • Header fields: Are all expected header fields present? Do all header fields contain expected properties?

Related references:

Manage application attributes: verify header attributes.

Troubleshoot apps: test header applications to verify header content.

Verify DNS mappings

Verify that the Public Domain and Protected Web Resource fields resolve to expected DNS entries.

Related references:

Manage DNS settings: validate primary, secondary and tertiary DNS servers.

Ping: validate a specific DNS address is reachable.

Proxy settings: validate proxy settings are correct, where required.

Intermediates

Verify that any intermediate servers (between Access Gateway and protected web resource) are property configured. Common intermediates are load balancers, Oracle HTTP server, and similar servers.

Related references:

See documentation for intermediate server.

Application debug mode

Enable application debug mode and verify logs

Related references:

Managing applications: enable debug mode.

HTTP return values

Troubleshoot HTTP return codes.

Related references:

Troubleshoot miscellaneous issues: Examine and verify expected HTTP return code.

Access Gateway and application logs

Know location of and verify Access Gateway and application logs.

Related references:

Monitor Access Gateway logs: Monitor logs as applications are being executed using the command line console.

Download Access Gateway logs: After a test run download all Access Gateway log files for offline review.

Configure and monitor log forwarders: Configure a log forwarded to forward log events to systems such as Splunk or Graylog.

Monitor protected application logs: Review protected application logs as appropriate. See protected application documentation to determine where application logs are stored.

URI policy

Examine and verify application policy - Do specific URIs have policies?

Related references:

Manage app policies: examine defined application policy.

Troubleshoot application policy: enable and troubleshoot application policy.

Related topics

App process flow

Troubleshooting tips and techniques

Generate HTTP Archive files