Google OAuth timeout + Invalid principal

Chronograf 1.3.8-0 with Google OAuth + domain limitation. Configuration according to the manual.

Failure log:

Sep 13 13:24:53 x.x.eu chronograf[4289]: time="2017-09-13T13:24:53+03:00" level=info msg=Request component=server method=GET remote_addr="x.x.x.x:37580" url=/oauth/google/callback?state=x.x.x&code=4/x
Sep 13 13:24:57 x.x.eu chronograf[4289]: time="2017-09-13T13:24:57+03:00" level=error msg="Unable to exchange code for token Post https://accounts.google.com/o/oauth2/token: dial tcp: lookup accounts.google.com on x.x.x.x:53: read udp x.x.x.x:36611->x.x.x.x:53: i/o timeout" component=auth method=GET remote_addr="x.x.x.x:37580" url=/oauth/google/callback?state=x.x&code=4/x
Sep 13 13:24:57 x.x.eu chronograf[4289]: time="2017-09-13T13:24:57+03:00" level=info msg="Response: Temporary Redirect" code=307 component=server remote_addr="x.x.x.x:37580" response_time=4.001500378s
Sep 13 13:24:58 x.x.eu chronograf[4289]: time="2017-09-13T13:24:58+03:00" level=info msg=Request component=server method=GET remote_addr="x.x.x.x:37580" url=/chronograf/v1/
Sep 13 13:24:58 x.x.eu chronograf[4289]: time="2017-09-13T13:24:58+03:00" level=info msg="Response: OK" code=200 component=server remote_addr="x.x.x.x:37580" response_time="95.074µs"
Sep 13 13:24:58 x.x.eu chronograf[4289]: time="2017-09-13T13:24:58+03:00" level=info msg=Request component=server method=GET remote_addr="x.x.x.x:37580" url=/chronograf/v1/me
Sep 13 13:24:58 x.x.eu chronograf[4289]: time="2017-09-13T13:24:58+03:00" level=error msg="Invalid principal" component=auth method=GET remote_addr="x.x.x.x:37580" url=/chronograf/v1/me

As the server is strict about open ports, I've experimented with opening the ones in the logs. It did not help.

Any idea what’s wrong and how to fix it?

Apparently, it is related to ports and the firewall. When I disabled ufw on the server, everything works like a charm. I thought that OAuth is just a plain info exchange through POST and GET.

Can anyone enlighten me on what is happening behind the scenes?
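Added example, not part of the original post and not Chronograf code: a small triage script that reads log lines like the ones above and reports at which step the server-side token request to Google failed, then links the later "Invalid principal" error from the same client to that failure. The function names and the `stage` labels are assumptions made for this example; the sample lines are copied from the post.

```python
import re
import shlex

# Constructed sample: three lines copied from the log in the post (addresses already redacted).
SAMPLE = '''\
Sep 13 13:24:57 x.x.eu chronograf[4289]: time="2017-09-13T13:24:57+03:00" level=error msg="Unable to exchange code for token Post https://accounts.google.com/o/oauth2/token: dial tcp: lookup accounts.google.com on x.x.x.x:53: read udp x.x.x.x:36611->x.x.x.x:53: i/o timeout" component=auth method=GET remote_addr="x.x.x.x:37580" url=/oauth/google/callback?state=x.x&code=4/x
Sep 13 13:24:58 x.x.eu chronograf[4289]: time="2017-09-13T13:24:58+03:00" level=info msg=Request component=server method=GET remote_addr="x.x.x.x:37580" url=/chronograf/v1/me
Sep 13 13:24:58 x.x.eu chronograf[4289]: time="2017-09-13T13:24:58+03:00" level=error msg="Invalid principal" component=auth method=GET remote_addr="x.x.x.x:37580" url=/chronograf/v1/me
'''

# Go's resolver error as it appears in the post: "lookup <host> on <resolver>: read <proto> ..."
DNS_RE = re.compile(r"lookup (?P<host>\S+) on (?P<resolver>\S+): read (?P<proto>\w+) ")

def parse_line(line):
    """Parse key=value pairs; tokens without '=' (the syslog prefix) are skipped."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quote in a truncated line
        return {}
    return dict(t.split("=", 1) for t in tokens if "=" in t)

def classify(msg):
    """Say which step of the outbound token request failed."""
    m = DNS_RE.search(msg)
    if m:
        return {"stage": "dns", **m.groupdict()}
    # Assumption: any other "dial tcp" error is a failure to connect.
    return {"stage": "connect" if "dial tcp" in msg else "other"}

def triage(log_text):
    """Return token-exchange failures and the 'Invalid principal' errors that follow them."""
    findings, failed = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("level") != "error":
            continue
        client = rec.get("remote_addr", "").rsplit(":", 1)[0]   # drop the source port
        msg = rec.get("msg", "")
        if msg.startswith("Unable to exchange code for token"):
            failed[client] = classify(msg)
            findings.append(("token_exchange_failed", rec.get("time"), failed[client]))
        elif msg == "Invalid principal" and client in failed:
            findings.append(("invalid_principal_after_failure", rec.get("time"), failed[client]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the sample, the first finding has stage `dns` with protocol `udp` and a resolver on port 53: the request never reached Google because the server's own name lookup timed out.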