Azure Application Gateway - 502 Bad Gateway error

Question

Azure Application Gateway - 502 Bad Gateway error

Huy Sy Doi 20

Hi Supports,

Currently we are setting up an Azure Application gateway on our kofaxtst.onmicrosoft.com system. The Backend health is good with with 200 Status for the Https protocol.

However, when we try to access a simple .htm web page hosted on a VM backend from Application Gateway Public IP Address using HTTPs protocol with port 443, the browser shows this error:

 502 Bad Gateway

 Microsoft-Azure-Application-Gateway/v2

We are making sure that we are able to access the simple .htm web page hosted on a VM backend by using the public IP address of the VM.

Could you please advise what we should double-check to address this error?

Thanks very much!

GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-02-02T14:16:20.69+00:00
Hello @Huy Sy Doi ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I would suggest you start troubleshooting with the below document:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502

But since you have mentioned that you see the backend health healthy and still receiving 502 error, I am listing a couple of causes that I have seen where this issue could occur:

Improper bundling of Certificates.

The certificate on the listener requires the entire certificate chain to be uploaded (the root certificate from the CA, the intermediates and the leaf certificate) to establish the chain of trust.

Refer the below thread to find the steps on how to check incorrectly bundled certificate & how to fix it:

https://learn.microsoft.com/en-us/answers/questions/51336/appgateway-v2-certificate-issue

Backend Address Pool includes ADFS WAP (Web Application Proxy) Servers

Could you please confirm if your backend is an ADFS Web Application Proxy?

Along with this, I would suggest you to check the Application gateway Access logs (if you have enabled diagnostics on the App gateway) and filter the 502 http status codes to see which host/URL is failing.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics

Regards,

Gita
Huy Sy Doi 20 Reputation points

2023-02-03T11:08:50.97+00:00

Hi @GitaraniSharma-MSFT ,

Our backend server is not using a bundled certificate. You can access the public link of our VM here:

https://20.104.132.186/Default.htm

We don't use ADFS WAP on the VM. In our test, we just use IIS to host a very simple Default.htm as I provided the link above.

Here is the public IP of our App gateway to access to our backend:

https://40.86.200.133/Default.htm

But it shows: 502 Bad Gateway error

Here is our backend health:

We enabled diagnostics on the App gateway but cannot find where the log is located to filter the 502 http status codes to see which host/URL is failing. Could you provide a quick guide for this?

Thanks very much!
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-02-03T11:29:35.5466667+00:00

@Huy Sy Doi , thank you for the update.

On accessing the App gateway IP, I see the certificate is not valid:

So, I would like to understand a bit about your setup.

Could you please let me know what are the listener and backend HTTP settings configured in your App gateway?

Is your App gateway configured for end-to-end SSL or SSL termination?

Since you are accessing the App gateway over 443/HTTPS, what certificate has been uploaded to your listener? Is it a self-signed certificate?

What are you IIS binding settings?
Huy Sy Doi 20 Reputation points

2023-02-06T14:24:19+00:00

Hi @GitaraniSharma-MSFT ,

Here is our backend pool:

Here is our backend settings:

Here is our listener settings:

Here is our routing rule:

Here is our health probe settings:

Here is Bindings settings on our backend server on a VM:

We uploaded CARootPFX.pfx and CARootPFX.cer to our listener and backend settings. You can view the files we copied to the Desktop of our backend server VM.

<<<Removed the Personal Identifiable Information (PII)>>>

Our App gateway is configured for end-to-end SSL.

Please let us know if there is anything we are missing in order to resolve this error that will be great!

Thanks very much!
Huy Sy Doi 20 Reputation points

2023-02-07T04:01:59.8333333+00:00

Hi @GitaraniSharma-MSFT ,

Have you found anything causing the 502 error in our testing environment yet?

Thank you very much for your support!

Accepted answer

0 additional answers

Your answer

GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-02-02T14:16:20.69+00:00

Hello @Huy Sy Doi ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I would suggest you start troubleshooting with the below document:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502

But since you have mentioned that you see the backend health healthy and still receiving 502 error, I am listing a couple of causes that I have seen where this issue could occur:

Improper bundling of Certificates.

The certificate on the listener requires the entire certificate chain to be uploaded (the root certificate from the CA, the intermediates and the leaf certificate) to establish the chain of trust.

Refer the below thread to find the steps on how to check incorrectly bundled certificate & how to fix it:

https://learn.microsoft.com/en-us/answers/questions/51336/appgateway-v2-certificate-issue

Backend Address Pool includes ADFS WAP (Web Application Proxy) Servers

Could you please confirm if your backend is an ADFS Web Application Proxy?

Along with this, I would suggest you to check the Application gateway Access logs (if you have enabled diagnostics on the App gateway) and filter the 502 http status codes to see which host/URL is failing.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics

Regards,

Gita
Huy Sy Doi 20 Reputation points

2023-02-03T11:08:50.97+00:00

Hi @GitaraniSharma-MSFT ,

Our backend server is not using a bundled certificate. You can access the public link of our VM here:

https://20.104.132.186/Default.htm

We don't use ADFS WAP on the VM. In our test, we just use IIS to host a very simple Default.htm as I provided the link above.

Here is the public IP of our App gateway to access to our backend:

https://40.86.200.133/Default.htm

But it shows: 502 Bad Gateway error

Here is our backend health:

We enabled diagnostics on the App gateway but cannot find where the log is located to filter the 502 http status codes to see which host/URL is failing. Could you provide a quick guide for this?

Thanks very much!
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-02-03T11:29:35.5466667+00:00

@Huy Sy Doi , thank you for the update.

On accessing the App gateway IP, I see the certificate is not valid:

So, I would like to understand a bit about your setup.

Could you please let me know what are the listener and backend HTTP settings configured in your App gateway?

Is your App gateway configured for end-to-end SSL or SSL termination?

Since you are accessing the App gateway over 443/HTTPS, what certificate has been uploaded to your listener? Is it a self-signed certificate?

What are you IIS binding settings?
Huy Sy Doi 20 Reputation points

2023-02-06T14:24:19+00:00

Hi @GitaraniSharma-MSFT ,

Here is our backend pool:

Here is our backend settings:

Here is our listener settings:

Here is our routing rule:

Here is our health probe settings:

Here is Bindings settings on our backend server on a VM:

We uploaded CARootPFX.pfx and CARootPFX.cer to our listener and backend settings. You can view the files we copied to the Desktop of our backend server VM.

<<<Removed the Personal Identifiable Information (PII)>>>

Our App gateway is configured for end-to-end SSL.

Please let us know if there is anything we are missing in order to resolve this error that will be great!

Thanks very much!
Huy Sy Doi 20 Reputation points

2023-02-07T04:01:59.8333333+00:00

Hi @GitaraniSharma-MSFT ,

Have you found anything causing the 502 error in our testing environment yet?

Thank you very much for your support!

Answer 1

Hello @Huy Sy Doi ,

Apologies for the delay in my response as I was checking all the configuration and also trying to reproduce this setup in my lab.

So, below are my findings:

For the TLS connection to work, you need to ensure that the TLS/SSL certificate meets the following conditions:

That the current date and time is within the "Valid from" and "Valid to" date range on the certificate.
That the certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com.
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview

When you enable end-to-end SSL on Azure Application gateway v2, below is the live traffic behavior:

If the backend pool address is an IP address or hostname isn't set in HTTP settings, SNI will be set as the hostname from the input FQDN from the client and the backend certificate's CN has to match with this hostname.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#for-live-traffic

Also, if you check the below doc, it says the Common Name (CN) of the backend certificate should match the host header of the custom probe.

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-certificate-invalid-common-name-cn

Now, in your setup, the certificate used by you has a Common Name (CN): kofax-VN01CSUC17-CA and this is added correctly in your custom health probe (as I can see from the screenshot shared by you before) but you are trying to access the Application gateway with its IP address which doesn't match the CN of the backend certificate.

And hence, you are seeing the backend healthy, but the Application gateway is failing with error 502.

To fix this issue, my recommendations are as below:

Point your Application gateway's IP address to domain "kofax-VN01CSUC17-CA", if possible and use the same to access the App gateway.

OR

If it is not possible to point the Application gateway, then try a hostname override in your backend HTTP settings to "kofax-VN01CSUC17-CA" as below and check if it works.

User's image

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Huy Sy Doi 20 Reputation points

2023-02-08T06:24:52.9+00:00

Thank you @GitaraniSharma-MSFT for helpful information resolved our issue!
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-02-08T06:26:47.62+00:00

@Huy Sy Doi , thank you for the update. Glad to hear that your issue is now resolved.

Share via

Azure Application Gateway - 502 Bad Gateway error

0 additional answers

Your answer