Okta Access Gateway Errors Do Not Appear in Logs Due to Load Balancer Caching
Overview
Admins receive error responses from an Okta Access Gateway (OAG) application, but the errors do not appear in the OAG logs at the time of the request. This occurs because a front-end load balancer caches older error responses and serves them to clients instead of routing fresh requests to OAG. Configure the front-end load balancer to disable caching for OAG responses to resolve this issue. The observable symptom includes a Date response header with a timestamp from the past and a Via response header such as the following (this is just one example):
Via: NS-CACHE-10.0: 246
Applies To
- Okta Access Gateway (OAG)
Cause
The front-end load balancer that traffic to OAG traverses uses a caching mechanism. The load balancer serves an older, cached response to the client rather than a fresh error from OAG. Some load balancers cache error responses, so an intermittent error continues to be served persistently.
Solution
Verify the load balancer configuration so that responses from OAG are not cached and fresh requests reach the back-end application server.
- Ensure that no front-end load balancer is configured to serve cached responses from OAG.
- Verify that client sessions through OAG always send fresh requests to OAG, so that the back-end application server generates fresh responses.
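To confirm the symptom before and after the load balancer change, the following added example (not Okta-provided code) checks a captured set of response headers for the two indicators described in the Overview: a Date header in the past and a Via header that names a cache. The function names, the 60-second skew tolerance, and the sample headers are assumptions made for this illustration; only the Via value comes from this article.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses; the Via value is the example shown in the Overview.
SAMPLE_CACHED = """HTTP/1.1 500 Internal Server Error
Date: Tue, 04 Mar 2025 09:15:00 GMT
Via: NS-CACHE-10.0: 246
Content-Type: text/html
"""
SAMPLE_FRESH = """HTTP/1.1 500 Internal Server Error
Date: Tue, 04 Mar 2025 10:14:50 GMT
Content-Type: text/html
"""

def parse_headers(raw):
    """Return a dict of lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)  # split once: Via values may contain ':'
            headers[name.strip().lower()] = value.strip()
    return headers

def cache_indicators(raw, now, max_skew=timedelta(seconds=60)):
    """List the signs that a response came from a cache instead of OAG."""
    headers = parse_headers(raw)
    findings = []
    if "date" in headers:
        try:
            sent = parsedate_to_datetime(headers["date"])
        except (TypeError, ValueError):
            findings.append("unparseable Date header")
        else:
            if sent.tzinfo is None:  # HTTP dates are GMT; treat naive values as UTC
                sent = sent.replace(tzinfo=timezone.utc)
            age = now - sent
            if age > max_skew:
                findings.append(f"Date is {int(age.total_seconds())}s in the past")
    via = headers.get("via", "")
    if "cache" in via.lower():
        findings.append(f"Via names a cache: {via}")
    return findings

if __name__ == "__main__":
    request_time = datetime(2025, 3, 4, 10, 15, 0, tzinfo=timezone.utc)
    for label, raw in (("cached", SAMPLE_CACHED), ("fresh", SAMPLE_FRESH)):
        print(label, cache_indicators(raw, request_time))
```

Pass the time the request was actually sent as `now`; an empty list means neither indicator is present and the response should have a matching entry in the OAG logs.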
