Okta ASA ssh Connection Fails with a Timeout on Port 4421
Advanced Server Access
Okta Classic Engine
Overview

The user is unable to ssh through Advanced Server Access (ASA) and receives a timeout on port 4421, as shown below: 

 

rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp 10.x.x.x:4421: i/o timeout"

Applies To
  • Okta Advanced Server Access (ASA)
  • On Demand User
  • Okta Classic Engine
Cause

When on-demand users are enabled in a project, the ASA authentication flow uses port 4421. If, for any reason, the connectivity is blocked on port 4421, then the user will not be able to connect to the target server. 

The target server logs will also show user_on_demand_period, meaning that the On Demand User TTL has been set to a period of time. For example, the following log shows the TTL value is 3600 seconds:

<User Name> user_on_demand_period:3600
Solution

Make sure connectivity is allowed on port 4421. Refer to the ASA Port requirements for more information.
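A reachability check for port 4421, as an added example (not Okta's code and not part of the original article): it extracts the dial target from the client error shown in the Overview and classifies a TCP connection attempt to it. The function names and the 3-second default timeout are assumptions made for this example.

```python
import errno
import re
import socket
import sys

# Matches the dial target and cause in the client error quoted on this page.
DIAL_RE = re.compile(r'dial tcp (?P<host>[^\s:]+):(?P<port>\d+): (?P<cause>[^"]+)')


def parse_dial_error(line):
    """Return (host, port, cause) from a gRPC dial error line, or None."""
    m = DIAL_RE.search(line)
    if not m:
        return None
    return m.group("host"), int(m.group("port")), m.group("cause").strip()


def probe(host, port=4421, timeout=3.0):
    """Attempt a TCP connect and classify the outcome.

    open     handshake completed, a service is listening
    refused  host answered with a reset: reachable, but nothing listening
    timeout  no answer at all: traffic is typically being dropped by a
             firewall, security group or ACL between client and target
    error:*  anything else (name resolution failure, no route, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc))


if __name__ == "__main__":
    # Usage: python check_4421.py <target-server-address>
    # Run it from the machine where the ssh attempt failed.
    if len(sys.argv) != 2:
        sys.exit("usage: check_4421.py <target-server-address>")
    result = probe(sys.argv[1])
    print(f"{sys.argv[1]}:4421 -> {result}")
    sys.exit(0 if result == "open" else 1)
```

A `timeout` result reproduces the symptom in this article; `refused` means the network path is open but no service is listening on the port.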

In case on-demand users need to be disabled: 

  1. Log in to the ASA admin dashboard.
  2. Go to Projects > edit the project that the target server is enrolled in > set On Demand User TTL to Disabled.

On demand user TTL set to Disabled
