SSH Failing with Timeout on Port 4421
Advanced Server Access
Privileged Access
Okta Classic Engine
Okta Identity Engine
Overview

When trying to SSH to a Linux server with `sft ssh`, the connection times out and the error shows the client connecting on port 4421:

error: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp <IP>:4421: i/o timeout"
kex_exchange_identification: Connection closed by remote host

Applies To
  • Okta Advanced Server Access (ASA)
  • Okta Privileged Access (OPA)
Cause

ASA
On-Demand User TTL was enabled in the ASA project. When it is enabled, the server must be reachable on port 4421. Refer to the port requirements here.

OPA
The client first connects to the server on port 4421; that connection is then closed and a new connection is made on port 22. Local vaulted accounts use port 22 only. Refer to the port requirements here.

How to check if port 4421 is accessible?

On the target Linux machine, ensure that port 4421 is open and that "sftd" is listening on it. For example, the "ss -ltpn" command shows which process, if any, is in the LISTEN state on a given port.

[Screenshot: Linux machine]

When the target Linux machine is behind a firewall, or the client machine is behind a proxy, the connection to port 4421 may be blocked by that firewall or proxy. Running nmap -p <port> <IP address> on the client machine shows whether the port on the target machine is reachable from the client.
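The following script is an added example, not part of the Okta article, that automates the two checks described above: on the server it parses "ss -ltpn" output to confirm that sftd is in the LISTEN state on port 4421, and on the client it attempts a TCP handshake to ports 4421 and 22 so that a "22 reachable, 4421 not" result points straight at a firewall rule or at the On-Demand User TTL setting. It assumes bash (for /dev/tcp), the coreutils "timeout" command, and, for the live server check, iproute2 "ss" run with enough privilege to show process names. The sample ss output embedded in the script is constructed.

```shell
#!/usr/bin/env bash
# Added example (not Okta's code): pre-flight checks for the "sft ssh"
# port 4421 timeout. Assumes bash, coreutils timeout and iproute2 ss.

# Constructed sample of "ss -ltpn" output, used so the parser can be run
# offline; on a real server pipe the live command in instead.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096         0.0.0.0:4421       0.0.0.0:*     users:(("sftd",pid=1420,fd=9))'

# Server side: read "ss -ltpn" text on stdin and succeed (exit 0) only if a
# LISTEN socket on the given port belongs to a process named sftd.
sftd_listening_on() {
    local port="$1"
    grep -E '^LISTEN[[:space:]]' \
        | grep -E ":${port}[[:space:]]" \
        | grep -q '"sftd"'
}

# Client side: succeed if a TCP handshake to host:port completes within
# $secs seconds. Uses bash's /dev/tcp, so neither nmap nor nc is needed.
port_reachable() {
    local host="$1" port="$2" secs="${3:-5}"
    timeout "$secs" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Combine both client probes into a diagnosis string for a target host.
# Returns 0 when both ports are reachable, 1 otherwise.
diagnose_target() {
    local host="$1" secs="${2:-5}" p22=closed p4421=closed
    port_reachable "$host" 22 "$secs" && p22=open
    port_reachable "$host" 4421 "$secs" && p4421=open
    if [ "$p4421" = open ] && [ "$p22" = open ]; then
        echo "22=open 4421=open: both ports reachable; check sftd on the server"
        return 0
    elif [ "$p4421" = closed ] && [ "$p22" = open ]; then
        echo "22=open 4421=closed: open TCP 4421 on the firewall/proxy path," \
             "or disable On-Demand User TTL in the ASA project"
    else
        echo "22=${p22} 4421=${p4421}: host not reachable on SSH either; check routing/firewall"
    fi
    return 1
}

# Usage, run as a script:
#   On the server:  sudo ss -ltpn | sftd_listening_on 4421 && echo "sftd listening"
#   On the client:  diagnose_target <target IP>
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -gt 0 ]; then
    diagnose_target "$1"
fi
```

Because sftd on OPA closes the 4421 connection and reopens on 22, a successful handshake on 4421 only proves the port is reachable; the server-side ss check is still needed to confirm that the process behind it is sftd and not something else.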

[Screenshot: Zenmap]

Solution

ASA

There are two alternative solutions, depending on the requirements below:

  • If On-Demand User TTL is needed: create a firewall rule on the server to accept TCP connections on port 4421.
  • If On-Demand User TTL is not needed: disable On-Demand User TTL in the ASA project. To do so, edit the project details section and set On-Demand User TTL to disabled.

OPA

  • Port 4421 must be open unless a local vaulted account is used, since local vaulted accounts connect on port 22 only.