Summary

When attempting to connect an Jira on-prem instance (Server or Data Center) to a Confluence cloud instance via an application tunnel, the link cannot be created and there is an error stating "We can't enable the incoming authentication because <linkName> is not reachable.".  However the application tunnel is showing as connected.  

Diagnosis

The Jira Application Links Health Check will fail with an error stating 'One of your application links is reporting "OAuth problem".'.  Within the support zip generated from Jira in the healthchecks.txt file you will see the following: 

Name: Application links
NodeId: null
Is healthy: false
Failure reason: One of your application links is reporting "OAuth problem".
Severity: WARNINGAdditional links: []

In addition, you can also observe the following within the atlassian-jira.log when the health check runs: 

2022-10-13 17:58:14,412+0200 HealthCheck:thread-1 DEBUG ServiceRunner     [o.apache.http.wire] http-outgoing-809711 << "oauth_problem=consumer_key_unknown"

Observing the above message will require the o.apache.http.wire class to be configured to log at the DEBUG level. Please see Change logging levels in Jira Server for more information on setting up logging for a custom class.  

Cause

This occurs when required connections and upstream ports are not configured within the Jira server.xml file for the on-prem Jira instance.  The application tunnel requires an outgoing HTTP connector to be set in order for the Jira instance to communicate with the application tunnel.  

Solution

Following the guide outlined within Configure required connections and upstream ports by adding the additional connector and JVM argument will allow the application link can be created successfully as a tunneled application link from the cloud.