Okta ASA ssh Connection Fails with a Timeout on Port 4421
Last Updated:
Overview
The user is unable to ssh through Advanced Server Access (ASA) and receives a timeout on port 4421, as shown below:
rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp 10.x.x.x:4421: i/o timeout"
Applies To
- Okta Advanced Server Access (ASA)
- On Demand User
- Okta Classic Engine
Cause
When on-demand users are enabled in a project, the ASA authentication flow uses port 4421. If, for any reason, the connectivity is blocked on port 4421, then the user will not be able to connect to the target server.
The target server logs will also show user_on_demand_period, meaning that the On Demand User TTL has been set to a period of time. For example, the following log shows the TTL value is 3600 seconds:
<User Name> user_on_demand_period:3600Solution
Make sure connectivity is allowed on port 4421. Refer ASA Port requirements for more info.
In case on-demand users need to be disabled:
- Log in to the ASA admin dashboard.
- Go to Projects > edit the project target server that is enrolled into > set On Demand User TTL to Disabled.
