Intermittent SSL failures in Azure Front Door

Joe 0 Reputation points
2024-03-11T15:27:51.8366667+00:00

Hello,

We are seeing intermittent connection problems from requests coming from East Asia, East US & West US regions.

Error: read ECONNRESET Stack: Error: read ECONNRESET at TLSWrap.onStreamRead (node:internal/stream_base_commons:217:20) at TLSWrap.callbackTrampoline (node:internal/async_hooks:128:17)

It seems to be caused by sporadic SSL cert unavailability. SSL certs are managed by Azure Frontdoor, and made available at the edge nodes of the FD network.

Failures can be seen on other common/popular domains so it is localised to ours

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

If you retry a couple of times you will get a response which sounds similar to an issue on this thread. We see no evidence of the request reaching Azure FrontDoor when looking at standard FrontDoor metrics. We typically see these errors from 3rd party requests outside of Azure but we can replicate the failure from Azure nodes in the affected regions.

We typically see 2 types of responses:

  • Command runs, the certificates are displayed, but then it is stuck for 30-60s and we get read:errno=104. If we rerun the same command multiple times it may complete successfully. This is the most common error.
  • Command runs but no certificates are found and we get error write:errno=104.

When this happens, we see traffic dropping to almost 0 on Application Gateway in the affected region for 10-15 minutes. 

Testing

When the error occurs, we cannot collect HAR traces because the connection is not established. To get HAR we need to reach the application layer and that does not happen.

We do use curl, wget & openssl to test. We run these on Azure AKS nodes in the region so there should be very little or no external traffic involved.

Curl response

curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection

We have some theories as to the cause but no definite idea or possible solutions.

Any assistance or feedback would be greatly appreciated.
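A repeatable way to measure the two failure modes described above from an AKS node, as an added example that is not part of the original post or of Azure Front Door's tooling: it runs `openssl s_client` in a loop, classifies each attempt as reset before any certificate (write:errno=104), reset after the certificates were shown (read:errno=104), a stall with no error at all, or a clean handshake, and tallies the counts. It assumes the `openssl` CLI and coreutils `timeout` are installed; the host name, attempt count and timeout are placeholders.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). Probes one hostname
# repeatedly and counts how often each handshake outcome occurs, so the
# intermittent failure rate can be compared per region or edge.

# classify_handshake: reads s_client output on stdin, prints one label.
classify_handshake() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'write:errno=104'; then
    # TCP reset while sending ClientHello; no peer certificate was received
    echo "reset-before-cert"
  elif printf '%s\n' "$out" | grep -q 'read:errno=104'; then
    # certificates were displayed, then the connection stalled and was reset
    echo "reset-after-cert"
  elif printf '%s\n' "$out" | grep -q 'Cipher is' \
       && ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)' \
       && printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    # a real cipher was negotiated and the chain verified: healthy handshake
    echo "ok"
  elif printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
    # certificates shown but no error line: attempt was killed by the timeout
    echo "stalled-no-error"
  else
    echo "other"
  fi
}

# probe_host HOST [ATTEMPTS] [TIMEOUT_SECONDS]: runs the loop and tallies labels.
probe_host() {
  host=$1; attempts=${2:-20}; timeout_s=${3:-70}   # placeholders/defaults
  i=0
  while [ "$i" -lt "$attempts" ]; do
    # -servername sends SNI so the edge selects the managed cert for this host
    label=$(timeout "$timeout_s" openssl s_client -connect "$host:443" \
              -servername "$host" </dev/null 2>&1 | classify_handshake)
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $host $label"
    i=$((i + 1))
  done | awk '{print $3}' | sort | uniq -c
}
# Usage (placeholder host): probe_host example-frontdoor-host.invalid 20 70
```

Run it from nodes in the affected and unaffected regions at the same time; a high "reset-before-cert" count on one side only points at the edge rather than at the origin.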
