OAG: Error Upstream Timed Out when Connecting to Backend Application
Overview
The application cannot be accessed through Okta Access Gateway (OAG), and the browser shows an Application Timeout error. OAG logs will have the following error message:
Applies To
- Okta Access Gateway
- Okta Identity Engine (OIE)
- Okta Classic Engine
Cause
The issue can occur when the backend application server's IP address is changed. OAG does not query DNS again until the record's TTL expires, so users see this error until the TTL runs out.
Also, if the backend application has been configured as a portal app, the IP address might not be updated for the second or third backend unless NGINX is reloaded. An NGINX reload can be triggered by editing and saving an application from the Admin UI.
NOTE: Do not restart NGINX or reboot the appliance, as this may cause an outage if there are issues with the NGINX config.
Solution
- Validate the connectivity as described in the troubleshooting documentation.
- If the backend application's IP address is expected to change frequently, lower the TTL in DNS so that OAG queries DNS more often and picks up the current IP.
- For a portal app, update the specific policy to use the resolver and proxy_pass directives as shown below. A complete policy example can be found here:
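    # Resolve through the resolver at 127.0.0.1 and cache each answer for 30 seconds
    resolver 127.0.0.1 valid=30s;
    # A variable in proxy_pass makes NGINX resolve the name at request time
    set $<variable_name> https://proxy_pass_domain/;
    proxy_pass $<variable_name>;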
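To confirm that the timeouts come from the stale-IP cause described above rather than from a backend that is down at its current address, the upstream IPs in the error log can be compared with what DNS returns now. The following is an added example, not Okta's code: it assumes the generic NGINX error-log format, the sample lines and addresses are constructed, and `classify_timeouts`, `resolve` and the backend name in the comment are hypothetical.

```python
import re
import socket
from collections import Counter

# Generic NGINX error-log shape for a connect timeout; the upstream field
# holds the IP NGINX actually dialled, not the hostname from proxy_pass.
TIMEOUT_RE = re.compile(
    r'upstream timed out .*? while connecting to upstream.*?'
    r'upstream: "[a-z]+://(?P<ip>\[[0-9a-fA-F:]+\]|[0-9.]+)(?::\d+)?/'
)

def resolve(hostname):
    """Addresses DNS returns for hostname right now (live lookup)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def classify_timeouts(log_lines, current_ips):
    """Split timed-out upstream IPs into stale vs. still-published.

    stale   -> NGINX dialled an address DNS no longer returns (cached IP)
    current -> address is still in DNS, so the timeout has another cause
    """
    stale, current = Counter(), Counter()
    for line in log_lines:
        m = TIMEOUT_RE.search(line)
        if not m:
            continue  # read timeouts and unrelated errors are not counted
        ip = m.group("ip").strip("[]")
        (current if ip in current_ips else stale)[ip] += 1
    return {"stale": dict(stale), "current": dict(current)}

# Constructed sample lines in generic NGINX error-log format (not OAG output).
LINE_FMT = ('2024/05/01 10:15:02 [error] 1432#1432: *881 upstream timed out '
            '(110: Connection timed out) while {phase}, client: 192.0.2.10, '
            'server: app.example.com, request: "GET / HTTP/1.1", '
            'upstream: "https://{ip}:443/", host: "app.example.com"')
SAMPLE_LOG = [
    LINE_FMT.format(phase="connecting to upstream", ip="10.20.0.15"),
    LINE_FMT.format(phase="connecting to upstream", ip="10.20.0.15"),
    LINE_FMT.format(phase="connecting to upstream", ip="10.20.0.77"),
    LINE_FMT.format(phase="reading response header from upstream", ip="10.20.0.15"),
]

if __name__ == "__main__":
    # Offline demo: assume DNS now answers 10.20.0.77 for the backend.
    print(classify_timeouts(SAMPLE_LOG, {"10.20.0.77"}))
    # Live use: classify_timeouts(log_lines, resolve("backend.example.internal"))
```

Run the live lookup against the same DNS servers the gateway uses, otherwise the comparison reflects a different resolver's view. Entries under `stale` match the cause in this article; entries under `current` point to a connectivity problem that a lower TTL will not fix.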