In this example, the particular resource was expected to take a few minutes to load, but it consistently failed at the one-minute mark with the following signature in the OAG logs:
2023-04-21T10:19:42.828-07:00 oag.okta.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_dd1d59592a8f3253ff8eed599ab8449510c9cdc934" SUBJECT="user@nbcorp.us" RESOURCE="/testresource" METHOD="POST" POLICY="root" POLICY_TYPE="PROTECTED" DURATION="0" APP="Test" APP_TYPE="IISIWA2015_APP" APP_DOMAIN="test.nbcorp.us" RESULT="ALLOW" REASON="N/A - SESSIONID=_dd1d59592a8f3253ff8eed599ab8449510c9cdc934 iwa_username=t00004123.supp1 RelayDomain=test.nbcorp.us oag_username=user@nbcorp.us UserName=user@nbcorp.us SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=10.43.83.143 USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 creationTime=1682097559274 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1682097582813 " REMOTE_IP="10.43.83.143" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"] allow access to resource
2023-04-21T10:20:42.000-07:00 oag.okta.com oag.okta.com KowLZ4pe4: 2023/04/21 10:20:42 [info] 299005#0: *1829823 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while reading response header from upstream, client: 10.43.83.143, server: test.nbcorp.us, request: "POST /testresource HTTP/1.1", upstream: "https://10.43.84.172:443/testresource"
2023-04-21T10:20:42.000-07:00 oag.okta.com KowLZ4pe4 test.nbcorp.us 10.43.83.143 - - "POST /testresource HTTP/1.1" 499 0 "https://test.nbcorp.us/testresource" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" "10.43.83.143" 60.001 59.999 .
Observations:
- OAG grants access to the resource, but one minute later the call fails with the error "epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while reading response header from upstream".
- OAG logs the failed call with a 499 response (client closed the connection), while the client browser reports it as a 504 error.
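As an added example (not Okta's code or documentation), the following Python picks the signature described above out of OAG access and error logs: a 499 whose request time sits on a round idle-timeout boundary, correlated by request id with the "client prematurely closed connection" error line, plus a helper that infers the likely idle timeout when several 499s cluster on the same whole-second value. The access-log field layout is an assumption inferred from the single sample line on this page, and all log lines below are constructed with placeholder hosts and addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Field layout assumed from the page's one sample access-log line (assumption, not Okta's spec):
# ts host request_id server client - - "request" status bytes "referer" "user_agent" "xff" request_time upstream_time
ACCESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<rid>\S+) (?P<server>\S+) (?P<client>\S+) \S+ \S+ '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "(?P<ua>[^"]*)" "[^"]*" '
    r'(?P<req_time>\d+(?:\.\d+)?) (?P<up_time>\d+(?:\.\d+)?|-)'
)

# nginx-style error line: "... <request_id>: <date> [info] ... client prematurely closed connection ..."
PREMATURE_CLOSE_RE = re.compile(r' (?P<rid>\S+): .*client prematurely closed connection')

# Constructed sample data modelled on the page's signature (placeholder hosts/IPs).
SAMPLE_ACCESS_LOG = [
    '2023-04-21T10:20:42.000-07:00 oag.example.com KowLZ4pe4 app.example.com 10.0.0.5 - - "POST /testresource HTTP/1.1" 499 0 "https://app.example.com/testresource" "Mozilla/5.0" "10.0.0.5" 60.001 59.999 .',
    '2023-04-21T10:21:00.000-07:00 oag.example.com AbCdEf123 app.example.com 10.0.0.6 - - "GET /health HTTP/1.1" 200 512 "-" "curl/8.0" "10.0.0.6" 0.012 0.010 .',
    '2023-04-21T10:22:10.000-07:00 oag.example.com XyZ987 app.example.com 10.0.0.7 - - "POST /upload HTTP/1.1" 499 0 "-" "Mozilla/5.0" "10.0.0.7" 3.200 3.100 .',
    '2023-04-21T10:25:03.000-07:00 oag.example.com Qr7Tu8 app.example.com 10.0.0.8 - - "POST /testresource HTTP/1.1" 499 0 "-" "Mozilla/5.0" "10.0.0.8" 59.998 59.996 .',
]
SAMPLE_ERROR_LOG = [
    '2023-04-21T10:20:42.000-07:00 oag.example.com oag.example.com KowLZ4pe4: 2023/04/21 10:20:42 [info] 1234#0: *42 '
    'epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while '
    'reading response header from upstream, client: 10.0.0.5, server: app.example.com, '
    'request: "POST /testresource HTTP/1.1", upstream: "https://10.0.1.20:443/testresource"',
]


@dataclass
class AccessEntry:
    timestamp: str
    request_id: str
    client: str
    request: str
    status: int
    request_time: float              # seconds the client connection was open at OAG
    upstream_time: Optional[float]   # seconds OAG spent waiting on the backend ('-' when none)


def parse_access_line(line: str) -> Optional[AccessEntry]:
    """Parse one access-log line under the assumed layout; None when it does not fit."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    up = m.group("up_time")
    return AccessEntry(
        timestamp=m.group("ts"), request_id=m.group("rid"), client=m.group("client"),
        request=m.group("request"), status=int(m.group("status")),
        request_time=float(m.group("req_time")),
        upstream_time=None if up == "-" else float(up),
    )


def looks_like_idle_timeout(entry: AccessEntry, idle_timeout_s: float = 60.0, tolerance_s: float = 0.5) -> bool:
    """A 499 whose request time lands on the idle-timeout boundary: the client side was cut, not the backend."""
    return entry.status == 499 and abs(entry.request_time - idle_timeout_s) <= tolerance_s


def premature_close_request_ids(error_lines: Iterable[str]) -> Set[str]:
    """Request ids that the error log reports as 'client prematurely closed connection'."""
    return {m.group("rid") for line in error_lines if (m := PREMATURE_CLOSE_RE.search(line))}


def find_idle_timeout_suspects(access_lines: Iterable[str], error_lines: Iterable[str] = (),
                               idle_timeout_s: float = 60.0) -> List[Tuple[AccessEntry, bool]]:
    """Return (entry, confirmed_by_error_log) for every access entry matching the signature."""
    closed = premature_close_request_ids(error_lines)
    suspects = []
    for line in access_lines:
        entry = parse_access_line(line)
        if entry and looks_like_idle_timeout(entry, idle_timeout_s):
            suspects.append((entry, entry.request_id in closed))
    return suspects


def infer_idle_timeout_seconds(access_lines: Iterable[str], min_count: int = 2) -> Optional[int]:
    """If 499s cluster on one whole-second request time, that value is the likely idle timeout in the path."""
    entries = (parse_access_line(line) for line in access_lines)
    buckets = Counter(round(e.request_time) for e in entries if e and e.status == 499)
    if not buckets:
        return None
    value, count = buckets.most_common(1)[0]
    return value if count >= min_count else None


if __name__ == "__main__":
    for entry, confirmed in find_idle_timeout_suspects(SAMPLE_ACCESS_LOG, SAMPLE_ERROR_LOG):
        print(f"{entry.timestamp} {entry.request_id} {entry.request} {entry.request_time}s "
              f"error-log match={confirmed}")
    print("inferred idle timeout:", infer_idle_timeout_seconds(SAMPLE_ACCESS_LOG))
```

Run over real OAG logs, the inferred value is what to compare against the idle timeout configured on every hop in front of OAG; a 499 at 3.2 s (the constructed `/upload` line) is a user abandoning the request, not the load balancer, and is correctly left out.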
Applies to:
- Okta Access Gateway (OAG)
Cause:
In this example, the issue was caused by a 60-second idle session timeout on the AWS ELB (Elastic Load Balancer) sitting between the client and OAG.
Resolution:
- Investigate environment issues (e.g., a front-end load balancer or other network policy with an idle session timeout) that may be closing the connection between the client and OAG before the backend has responded. In this example, increasing the idle session timeout on the AWS ELB resolved the issue.
- If the issue persists, consider reviewing the following KB article, which covers a similar problem with a different failure signature:
