Three pain patterns
OpenClaw operators rarely file tickets titled “gateway unhealthy.” They file “the bot stopped answering” or “the console spins forever.” Those subjective reports map cleanly onto three recurring engineering patterns once you separate user-visible symptoms from internal health signals.
1) Channel silence. Telegram or Slack shows no replies while the dashboard still loads static assets from the gateway. That pattern almost always isolates to inbound event delivery, routing rules, or token lifecycle—not to “the server is down.” Teams that only ping the web UI conclude the stack is healthy and waste hours chasing LLM quotas that were never the bottleneck.
2) Intermittent errors. Upstream LLM rate limits, DNS jitter, RAM pressure, and cold-start latency produce timeouts that vanish on the next retry. Without archived health --json snapshots and log lines with timestamps, you cannot prove whether the failure window aligned with a provider incident or with local memory exhaustion. Post-incident reviews without artifacts degrade into opinion.
3) Config drift. Edits to allowedOrigins, API keys in shell profiles, systemd unit files, or Docker Compose environments frequently fail to reach the running process. The operator sees “random” CORS failures or missing credentials because the daemon still reads yesterday’s file path. Explicitly document which user, which working directory, and which restart command apply after each change.
Instrument before you escalate. A lightweight habit of saving health JSON after every deploy gives you a diff-friendly baseline when bridges start flapping overnight or after certificate renewals.
Which layer broke first
Stick to a fixed sequence every time: confirm the gateway process and listening port, run openclaw doctor for static configuration validation, capture openclaw health --json for runtime dependency state, then tail bridge logs while reproducing the user issue. Jumping straight to reinstalling Node modules or rotating API keys skips evidence and often hides the real layer fault.
Process health answers “is anything listening?” Doctor answers “is the configuration internally consistent?” Health answers “can this running instance reach providers and plugins?” Logs answer “what did we actually do when the user sent a message?” Each question targets a different owner: OS init, platform engineer, integration engineer, or channel administrator.
Laptops that sleep or change networks drop long-lived websocket or polling bridges even when the binary is healthy. That class of failure is environmental, not a defect in OpenClaw, yet it dominates small-team incidents. If your automation pipeline also pushes artifacts over SSH from the same machine, sleep-induced disconnects hurt twice.
Multi-tenant or shared gateways need explicit boundaries: separate tokens, separate log streams, and separate health exports per workspace. Otherwise one partner’s misconfigured Slack app looks like “global outage” in your aggregate metrics.
Version upgrades deserve a mini canary: snapshot health JSON, upgrade on a staging host with mirrored config, rerun the five CLI steps, then promote during a low-traffic window. Skipping the staging pass often means debugging compiler-level stack traces under production load instead of calmly diffing health output.
Document which outbound URLs must be reachable from the gateway subnet. Corporate proxies that MITM HTTPS sometimes break provider SDKs in subtle ways doctor cannot detect until health runs. Maintaining an allow list reduces “mystery TLS” tickets that bounce between security and platform teams for days.
Symptom to command matrix
Use the matrix as a triage contract for on-call: the first column names the subsystem, the second names what users or monitors actually observe, and the third names the cheapest command that falsifies a hypothesis. Exact CLI flags evolve between releases; the investigative order should not.
When two layers look suspicious—for example both API timeouts and missing Slack replies—still finish the process and doctor checks first. Parallel outages are rarer than a single root cause that masquerades as two.
| Layer | Signal | First command | Next step |
|---|---|---|---|
| Process | connection refused | openclaw status | free the port or restart the service |
| Gateway config | CORS or origin errors | openclaw doctor | fix config and env injection |
| LLM API | 429/5xx | openclaw health --json | keys, quotas, provider status |
| Messaging | no DM replies | openclaw logs --follow | tokens, webhooks, permissions |
Export the matrix into your internal wiki next to escalation paths: who owns DNS, who owns the Slack app configuration, and who can rotate LLM keys without a full redeploy. During incidents, point people at the matrix first so debates about blame turn into assigned checks with clear owners and exit criteria.
Five-step CLI runbook
Execute the sequence on the same host that serves production traffic. Capture stdout from each step into a dated folder so you can diff before and after a config change or package upgrade.
openclaw status
openclaw doctor
openclaw health --json > /tmp/openclaw-health.json
openclaw logs --follow
curl -sS -m 5 http://127.0.0.1:18789/health || echo "probe failed"
Inside Docker or Kubernetes, exec into the workload namespace before running the commands. Confirm volume mounts so the container reads the same config file you edited on the administrator laptop. Mismatched mount paths are a top reason doctor passes in CI but fails in production.
After doctor reports clean, still run health: doctor validates files and static dependencies, while health exercises live credentials and outbound connectivity. Skipping health leaves blind spots around firewall egress rules that only appear at runtime.
While logs --follow runs, reproduce the smallest user action that fails—one DM, one slash command, one webhook replay. Minimal reproduction shortens log noise and speeds correlation with upstream request IDs when you open a vendor ticket with engineering-grade evidence attached.
Align this runbook with the Docker and resource guidance in production stability and with first-install pitfalls from cloud deploy FAQ so new hires see one consistent story from day zero to day sixty of operations.
Timeouts and thresholds
Adopt internal baselines so alerts mean something concrete. Use a five second timeout for quick local HTTP probes from the gateway host; anything longer blends real hangs with operator patience variance. Store the matching health --json next to the log slice taken during the incident and keep both for at least twenty-four hours minimum, longer if your compliance team requires retention for access reviews.
Maintain roughly 1.5 gibibytes of free RAM headroom on small single-node deployments. LLM toolchains spike memory during concurrent conversations; crossing into swap on macOS or Linux produces latency that looks like “model slowness” even though the API is fine.
When logs show repeated 403 responses or OAuth-style auth failures within a three minute window, rotate credentials only after you verify system clock skew. Drift beyond about sixty seconds breaks signature validation for several messaging providers and produces maddening “it worked yesterday” reports.
Define escalation timers: if doctor fails, stop and fix config before touching providers. If doctor passes but health flags a channel plugin degraded for more than fifteen minutes, page the integration owner, not the LLM on-call.
Reverse proxies and TLS terminators deserve their own checklist item. When health succeeds over localhost but users see intermittent 502 responses, capture both the gateway access log and the proxy error log with matching timestamps. Misconfigured upstream keepalive pools between nginx and Node frequently surface as “OpenClaw random errors” even though doctor never sees the network path the public clients use.
Secrets rotation should be a scripted playbook: update the provider console, update the secret store, restart only the components documented to read that secret, then immediately rerun health and archive the new JSON. Ad-hoc exports in shell history are how tokens leak and how environments diverge between teammates.
For teams that run multiple models behind one gateway, track per-provider error budgets in the same dashboard as channel latency. Otherwise a spike in cheap model traffic can starve premium model quota and look like a gateway bug when it is actually cost governance.
Finally, rehearse failure quarterly. Kill the gateway process on purpose, restore from backup config, and verify systemd, launchd, or container restart policies still match the documented runbook your newest hire can follow without calling you at midnight.
FAQ and why SFTPMAC remote Mac helps
- Web OK but chat dead: Start at messaging bridge logs and health channel fields; the static dashboard proves almost nothing about inbound events.
- Doctor green yet timeouts: Shift attention to upstream rate limits, RAM, and egress path; attach timestamps when contacting the model vendor.
- Config changes ignored: Trace the real working directory, environment file, and restart policy for the running PID before editing again.
Summary: Layered diagnosis with status, doctor, health, and logs turns noisy “bot broken” reports into actionable subsystem ownership.
Limitation: Self-hosted laptops trade uptime for portability. Sleep, VPN changes, and single-user permission drift dominate incident volume for solo operators.
SFTPMAC angle: A hosted remote Mac gives you Apple-native automation colocated with SFTP-isolated directories, stable power, and shared ops patterns—useful when OpenClaw must stay online beside the same SSH-based artifact flows your team already trusts.
We emphasize reachable nodes and baseline file permissions so you can standardize doctor output collection across environments. When agent reliability matters more than saving a retired laptop, move the gateway to infrastructure that is designed to stay awake.
Pair this operational discipline with the artifact delivery patterns you already use: when builds land through SFTP or rsync, the gateway host should not be the same fragile laptop that also runs video calls and sleeps overnight. Colocating automation on stable remote Mac hardware keeps human habits from becoming production incidents.
Telegram silent but console loads?
Inspect the bridge layer, webhook or long-polling mode, and bot token rotation history; cross-check health JSON for channel plugins.
Doctor passes, sporadic 5xx?
Correlate timestamps with provider status pages, watch memory pressure, and confirm you are not retry-storming during an outage.
Move gateway to remote Mac when?
When you need sleep-proof twenty-four-seven service, shared team access, and colocation with existing macOS build or sync workflows.
Should we expose the dashboard publicly?
Prefer VPN or SSO-protected ingress; pair with tight allowedOrigins and rate limits so doctor-clean config still matches your threat model and your auditors’ expectations.
Evaluate SFTPMAC plans if you want a stable Mac host for OpenClaw alongside file sync workflows.