OAG: Error Upstream Timed Out when Connecting to Backend Application
Okta Classic Engine
Access Gateway
Okta Identity Engine
Overview

The application suddenly cannot be accessed through OAG and shows an Application Timeout error in the browser. OAG logs will have the following error message:

2023-08-17T11:19:38.000+09:00  localhost.localdomain headerssoapp11 2023/08/17 11:19:38 [error] 6703#0: *4793 upstream timed out (110: Connection timed out) while connecting to upstream, client: <Client IP address>, server: <Server domain URL>, request: "GET / HTTP/1.1", upstream: "https://x.x.x.x:443/", host: "<Host URL>", referrer: "<Referrer URL>"

 

Applies To
  • Okta Access Gateway
Cause

This issue can occur when the backend application server's IP address has changed. OAG does not query DNS again until the TTL expires, so users see this error until the TTL runs out.

Also, if the backend application has been configured as a portal app, the IP address might not be updated for the 2nd/3rd backend unless NGINX is reloaded. An NGINX reload can be triggered by editing and saving an application from the Admin UI.

NOTE: Do not restart NGINX or reboot the appliance, as that may create an outage in case of any issues with the NGINX config. 

Solution
  • Validate the connectivity as described in the troubleshooting documentation
  • If the backend application's IP address is expected to change frequently, lower the TTL in DNS so that OAG queries DNS more often and picks up the current IP.
  • For a portal app, update the specific policy with the resolver and proxy_pass directives as shown below. A complete policy example can be found here:
# Resolve names through the local resolver and cache each answer for 30 seconds
resolver 127.0.0.1 valid=30s;
# A variable in proxy_pass makes NGINX resolve the name at request time
set $<variable_name> https://proxy_pass_domain/;
proxy_pass $<variable_name>;
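
The check below is an added example, not part of the Okta article or of OAG tooling: it extracts the upstream IPs from the connect-timeout errors shown in the Overview and reports those that DNS no longer returns for the backend, which is the stale-IP condition described under Cause. The sample log lines, host names and IP addresses are constructed, and the function names are hypothetical.

```python
import re
import socket
from collections import Counter

# Connect-timeout error from the article; captures the upstream IP NGINX used.
TIMEOUT_RE = re.compile(
    r"upstream timed out \(110: Connection timed out\) while connecting to upstream"
    r'.*?upstream: "https?://(?P<ip>\[[0-9A-Fa-f:.]+\]|[0-9.]+)(?::\d+)?/'
)

def timed_out_upstreams(log_lines):
    """Count connect timeouts per upstream IP in NGINX error log lines."""
    hits = Counter()
    for line in log_lines:
        m = TIMEOUT_RE.search(line)
        if m:
            hits[m.group("ip").strip("[]")] += 1
    return hits

def resolve(hostname):
    """Addresses the system resolver currently returns for the backend."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def stale_upstreams(log_lines, backend_host, resolver=resolve):
    """Timed-out upstream IPs that DNS no longer returns for backend_host."""
    current = resolver(backend_host)
    return {ip: n for ip, n in timed_out_upstreams(log_lines).items()
            if ip not in current}

def _line(phase, ip):
    # Builds a constructed log line in the format shown in the Overview.
    return ("2023/08/17 11:19:38 [error] 6703#0: *4793 upstream timed out "
            f"(110: Connection timed out) while {phase}, client: 203.0.113.7, "
            'server: app.example.com, request: "GET / HTTP/1.1", '
            f'upstream: "https://{ip}:443/", host: "app.example.com"')

# Constructed sample: documentation-range IPs and hypothetical host names.
SAMPLE_LOG = [
    _line("connecting to upstream", "192.0.2.10"),     # old backend IP
    _line("connecting to upstream", "192.0.2.10"),
    _line("reading response header from upstream", "198.51.100.20"),  # slow backend, ignored
    _line("connecting to upstream", "198.51.100.20"),  # current IP: not stale DNS
]

if __name__ == "__main__":
    # Stub resolver so the demo runs offline; omit it to query real DNS.
    fake_dns = lambda host: {"198.51.100.20"}
    for ip, n in stale_upstreams(SAMPLE_LOG, "backend.example.internal", fake_dns).items():
        print(f"{ip}: {n} connect timeouts, no longer in DNS for the backend")
```

An empty result while connect timeouts are still being logged points at connectivity to the backend rather than a stale DNS answer.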

