Purpose

This article provides guidance for resolving an issue where users are unable to sign in to the Seclore Policy Server (PS) using SSO due to connectivity issues with the SSO endpoint.


Symptoms

The following error is observed in the Policy Server logs:


Dec 31, 2025 14:15:16.909 https-jsse-nio2-8443-exec-1 : ERROR : Error while getting response :: org.apache.http.conn.ConnectTimeoutException: Connect to <SSO_URL>:443 [<SSO_URL>/172.16.250.6] failed: Connection timed out | Correlation ID : 427ef09e-0c25-4d01-8cbb-6214f915960_PS_8804



Root Cause

The issue occurs when the Policy Server is unable to establish connectivity with the SSO server.

This can be due to:

  • Network connectivity issues between the Policy Server and SSO server
  • Incorrect DNS resolution of the SSO URL
  • The resolved IP address pointing to an incorrect or pre-NAT (internal) IP instead of the reachable address
  • The Policy Server resolving the SSO URL to a wrong IP address from a hosts file entry that is no longer in use

As a result, the connection attempt to the SSO endpoint times out.




Resolution

To resolve the issue, validate connectivity and DNS resolution between the Policy Server and the SSO server.

Steps:

  1. Verify SSO URL Configuration
    • Identify the SSO URL from the error log.
    • Confirm that this URL is correctly configured in Seclore configurations
  2. Test Connectivity from Policy Server
    • From the Policy Server instances, test connectivity to the SSO server using:
      • ping
      • telnet <SSO_URL> 443
      • openssl s_client -connect <SSO_URL>:443
      • curl <SSO_URL>
    • Ensure the connection is successful and not timing out
  3. Validate DNS Resolution
    • Resolve the SSO URL from the Policy Server:
      • nslookup <SSO_URL>
      • ping <SSO_URL>
    • Verify that the returned IP address is:
      • Correct
      • Reachable from the Policy Server
    • Compare both IPs returned from ping and curl.
  4. Check for NAT Issues
    • Ensure that the resolved IP is not a pre-NAT/internal IP
    • If NAT is involved, confirm that:
      • The Policy Server is using the correct post-NAT/public IP
      • Proper routing exists between the Policy Server and SSO server
  5. Check Network and Firewall Rules
    • Ensure that outbound access from Policy Server to SSO server on port 443 is allowed
    • Confirm there are no firewall rules blocking the connection
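
The comparison in steps 3 and 4 can be scripted. The following is an added example, not Seclore code: it takes the IP from the timeout log line, the hosts file, and the address nslookup returned, and reports which root cause fits. nslookup queries DNS directly and ignores the hosts file, while the system resolver honors it, which is why a stale entry shows up as a difference. The host name `sso.example.com`, the hosts file content and the DNS answer `203.0.113.10` are constructed.

```shell
#!/bin/sh
# Added example, not Seclore code. Host name, hosts content and DNS answer are constructed.

# Pull "host ip" out of a ConnectTimeoutException line: Connect to HOST:443 [HOST/IP] failed
target_from_log() {
  sed -n 's|.*Connect to \([^: ]*\):[0-9]* \[[^/]*/\([0-9.]*\)] failed.*|\1 \2|p'
}

# Print the IP a hosts file pins for a name (comments ignored); prints nothing if unpinned.
hosts_override() {  # $1 = hosts file, $2 = host name
  awk -v h="$2" '{ sub(/#.*/, "") }
    NF >= 2 { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) { print $1; exit } }' "$1"
}

# Succeeds for RFC 1918 private IPv4 addresses, the usual shape of a pre-NAT address.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify the failure. $1 = hosts file, $2 = host, $3 = IP from the log, $4 = IP from nslookup.
diagnose() {
  pinned=$(hosts_override "$1" "$2")
  if [ -n "$pinned" ] && [ "$pinned" != "$4" ]; then
    echo "stale-hosts-entry"            # hosts file overrides DNS with a different IP
  elif [ "$3" != "$4" ]; then
    echo "resolver-mismatch"            # server used an IP that DNS does not return
  elif is_rfc1918 "$3"; then
    echo "private-ip-check-nat"         # consistent answer, but confirm it is post-NAT
  else
    echo "resolution-ok-check-firewall" # name resolution agrees; look at port 443 rules
  fi
}

# Constructed demo: a hosts file that still pins the IP seen in the error log.
demo() {
  f=$(mktemp)
  printf '%s\n' '127.0.0.1 localhost' '172.16.250.6 sso.example.com  # old entry' > "$f"
  log='ERROR : ConnectTimeoutException: Connect to sso.example.com:443 [sso.example.com/172.16.250.6] failed: Connection timed out'
  set -- $(printf '%s\n' "$log" | target_from_log)
  diagnose "$f" "$1" "$2" 203.0.113.10   # 203.0.113.10 stands in for the nslookup answer
  rm -f "$f"
}
demo
```

On a Policy Server, pass the real hosts file path, the host and IP from the latest timeout entry, and the address from `nslookup <SSO_URL>` to `diagnose`.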