Error 525: SSL handshake failing sporadically with cloudflare to Azure App

Alex Dnr 1 Reputation point
2021-10-19T11:29:47.84+00:00

My Azure App (.NET Core) normally runs fine.
It is protected with Cloudflare (SSL/TLS "Full" mode) and the Azure app itself has no certificate (this works fine because the certificate is delivered by Cloudflare to the user's browser).
Somehow, about every two weeks, for a few minutes (sometimes up to 30 minutes) the user gets an Error 525 (SSL handshake failed) from Cloudflare and is not able to reach the web application (even though it is online and usable via the direct app URL).
I really don't know what to do about it because there is no log or more information beyond what is listed on the Cloudflare error page (https://support.cloudflare.com/hc/en-us/articles/115003011431-Error-525-SSL-handshake-failed#525error). Especially because it works fine normally.

Hope somebody can help me. Thanks a lot!
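Cloudflare returns 525 when its own TLS handshake to the origin fails, so one way to get the missing evidence is to probe the origin's handshake independently of Cloudflare and record when it fails. The script below is an added example, not code from the question or any answer; `ORIGIN_HOST` is a placeholder for the app's own `*.azurewebsites.net` hostname, and the probe interval and grouping window are assumptions.

```python
import socket
import ssl
import time

# Placeholder: substitute the app's own *.azurewebsites.net hostname.
ORIGIN_HOST = "example-app.azurewebsites.net"

def probe_tls_handshake(host, port=443, sni=None, timeout=5.0):
    """Attempt one TLS handshake against the origin, the step that fails when
    Cloudflare serves a 525. Returns (unix_time, ok, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # Cloudflare "Full" (non-strict) does not validate the origin cert
    ctx.verify_mode = ssl.CERT_NONE
    ts = time.time()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return ts, True, f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:  # socket.timeout is an OSError subclass
        return ts, False, f"{type(exc).__name__}: {exc}"

def summarize_outages(results, max_gap=90.0):
    """Group failed probes into outage windows. results: time-ordered list of
    (unix_time, ok, detail). A success, or a gap of more than max_gap seconds
    between failures, starts a new window."""
    windows, current = [], None
    for ts, ok, detail in results:
        if ok:
            current = None
            continue
        if current is not None and ts - current["end"] <= max_gap:
            current["end"] = ts
            current["failed_probes"] += 1
        else:
            current = {"start": ts, "end": ts, "failed_probes": 1, "first_error": detail}
            windows.append(current)
    return windows

if __name__ == "__main__":
    results = []
    for _ in range(10):  # in practice run continuously (cron/systemd) to catch a fortnightly window
        results.append(probe_tls_handshake(ORIGIN_HOST))
        time.sleep(30)
    for w in summarize_outages(results):
        started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(w["start"]))
        span = w["end"] - w["start"]
        print(f"{started} {w['failed_probes']} failed probes over {span:.0f}s: {w['first_error']}")
```

Outage windows that line up with user-reported 525s show the origin (or the path to it) refusing handshakes; windows that do not appear while users still see 525s point at the Cloudflare-to-origin path rather than the app itself.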


3 answers

  1. ajkuma 24,396 Reputation points Microsoft Employee
    2021-10-21T07:13:16.577+00:00

    @Alex Dnr , Apologies for the delay in responding here.

    I understand this issue occurs sporadically. To dig deep into this, we need your WebApp and subscription details (which are PII); I'll follow up with you privately. Just to confirm, have you reviewed to see if the thumbprint matches?

    Note: Please do not share any PII data publicly.

    If you haven't done this already, you may leverage App Service diagnostics from the Azure Portal: navigate to your App Service app in the Azure Portal, then in the left navigation click Diagnose and solve problems and go over the highlighted options to see if they provide any pointers.

  2. Luke Murray 10,636 Reputation points MVP
    2023-05-14T19:41:46.31+00:00

    Hi, Alex

    Your best bet is to enable Full (Strict Mode), by adjusting Cloudflare and having a cert on the backend.

    https://luke.geek.nz/azure/full-end-to-end-encryption-on-an-azure-webapp-using-cloudflare/

    Traffic between the browser and Cloudflare is encrypted, but traffic between Cloudflare and the Azure webapp isn't. I have found using an origin cert from Cloudflare to be the best way of enabling Full (Strict Mode).


  3. Andrew Beaven 11 Reputation points
    2023-07-31T06:00:41.7733333+00:00

    525 errors can be returned if your Azure "stamp" (the group of resources that host and operate infrastructure for multiple Azure customers) is experiencing a DDOS attack. Azure DDOS mitigation procedures appear to drop packets from any Azure App Service under said stamp, even if that app service is not sending malicious traffic. This can affect production workloads.

    The problem appears to be exacerbated by/exclusive to those behind Cloudflare as the IP address makes it appear to be coming from a single source (perhaps the same IP as the malicious traffic).

    For me, this took weeks of back and forth with Azure support before they even acknowledged that it was a problem on their side. Cloudflare support were awesome in assisting here, showing clearly that it was due to the host server. In my case, the DDOS attack stopped occurring before support was able to offer any solutions to resolve it, but they certainly didn't seem to be forthcoming with anything. It appeared as though the DDOS mitigation procedures were automated or otherwise outside of their control, so there wasn't much the support team (first level, anyway) could do to help.

    So I would suggest, as a first step if you hit this error, asking support whether they're experiencing any DDOS attack on the same stamp you're running on.
