How to troubleshoot 502 issue on Application gateway

Question

How to troubleshoot 502 issue on Application gateway

Rukhsar Afroz 20

I am getting 502 error for Application gateway and in logs its showing ERRORINFO_NO_ERROR and ERRORINFO_UPSTREAM_CLOSED_CONNECTION

Abiola Akinbade 26,895 Reputation points

2025-04-08T13:32:56.9866667+00:00

To troubleshoot 502 errors, see the link here:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-08T14:45:59.98+00:00
Hello Rukhsar Afroz

In addition to the Abiola Akinbade response, please refer to the details below.

I understand that you were encountering 502 errors on the application gateway, with ERRORINFO_NO_ERROR and ERRORINFO_UPSTREAM_CLOSED_CONNECTION appearing in the app gateway access logs. This issue could happen if backend might be closing connections prematurely, causing the gateway to fail requests.

Can you please check the below action plan provided to resolve your issue.

Please check the keep-alive timeout settings on your backend. Ensure its greater than the Application Gateway idle timeout.

If the health probe fails, the gateway may mark the backend as unhealthy, leading to 502 errors. so please verify backend health probe URL is correct and accessible.

To start with, you can check the backend health of the Application gateway and see if you are receiving any unhealthy health status and message specified for same in the details section. Then you can refer the below doc to search for that message and troubleshoot according to the cause and resolution listed. Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting

Please verify if NSGs or UDRs might be blocking access to backend servers.

If you're using the VM's firewall, ensure that there's a rule allowing inbound traffic on the required ports from the application gateway IP address range or disable the VM OS firewall.

On the Application Gateway access log, you have noticed that "ERRRORINFO_NO_ERROR" and "ERRORINFO_UPSTREAM_CLOSED_CONNECTION" and this could happen if any missing SSL certificate chain. so please revoke and replace with a full bundle SSL certificate.

Use Network Watcher's connection troubleshoot feature to diagnose network connectivity issues between your application gateway and VM. For your reference: https://learn.microsoft.com/en-us/azure/network-watcher/connection-troubleshoot-

For 502 errors, you can also refer the below troubleshooting document.

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-09T12:09:45.6533333+00:00

Hello Rukhsar Afroz

I just wanted to follow up to see if you had the opportunity to review my response regarding your question about resolving the issue.

Thanks. I look forward to your response.
Rukhsar Afroz 20 Reputation points

2025-04-09T12:54:14.8166667+00:00

Hello @Shravan Addagatla

I have checked all pointers, did not get anything except this one-Please check the keep-alive timeout settings on your backend. Ensure its greater than the Application Gateway idle timeout.

Did you mean here inginx keepalive timeout should be greater than idle time for application gateway?
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-09T13:52:28.62+00:00

Hi Rukhsar Afroz

Thanks for your response,

As the error message indicates, "ERRORINFO_UPSTREAM_CLOSED_CONNECTION" in Azure Application Gateway access logs usually means that the backend server (upstream service) closed the connection unexpectedly before completing the request.

Could you try increasing the nginx keepalive timeout to be longer than the application gateway idle timeout? Also, is this issue intermittent or is it consistently not working?

Additionally, please share a screenshot of the health probe status on application gateway.

If possible, could you deploy a VM on the same VNET as the application gateway and let me know its behavior?
Rukhsar Afroz 20 Reputation points

2025-04-10T04:58:55.6033333+00:00

Hello @Shravan Addagatla ,

Its intermittent issue, it happens sometimes for different services request.

what will be the idletimeout for application gateway?is it idletimout we set in public ip of application gateway?

Screenshot for healthprobe status on application gateway
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-10T12:35:06.8866667+00:00
Hi Rukhsar Afroz

The idle timeout for Azure Application Gateway varies based on the SKU:

Application Gateway v1: The Keep-Alive timeout is 120 seconds, and the TCP idle timeout is 4 minutes by default.

Application Gateway v2: The Keep-Alive timeout is 75 seconds, and the TCP idle timeout is 4 minutes by default, configurable between 4 minutes and 30 minutes.

For the public IP idle timeout, this setting applies to inbound connections and can be set between 4 to 30 minutes. This is distinct from the Application Gateway's idle timeout settings.

Since the issue is intermittent and occurs on the backend, you can adjust or extend the Keep-alive request timeout settings on the Application Gateway backend in the HTTP settings section to see if you still encounter the 502 errors.

You can review the diagnostic logs on the application gateway to determine the backend response at the time, 502 error occurred.

Refer : -

https://learn.microsoft.com/en-us/answers/questions/193042/what-is-the-idle-timeout-for-application-gateway

https://learn.microsoft.com/en-us/azure/application-gateway/configuration-http-settings#request-timeout
Rukhsar Afroz 20 Reputation points

2025-04-10T14:51:07.9233333+00:00

Hello @Shravan Addagatla ,

I have increased requesttimeout to 300s within backend setting in application gateway and withing azurediagnostic log timetaken_d is 0..004.

max
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-10T15:00:15.2166667+00:00

Hi Rukhsar Afroz

To understand better about your issue lets connect offline, please see private message for more details.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-11T07:19:25.62+00:00

Hi Rukhsar Afroz

In the meantime, could you please check the backend logs (Nginx web service) when the 502 error occurs on the application gateway?

Additionally, what backend response do we see in the application gateway access log at the time of the 502 error?
Rukhsar Afroz 20 Reputation points

2025-04-11T08:19:11.3133333+00:00

Hello @Shravan Addagatla ,

In applicateway gateway access logs, we are not getting any response from backend, attaching screenshot.And when i am checking ingress nginx controller container logs , i noticed everytime when we get 502 we get like this- one warning i see-a client request body is buffered to a temporary file.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-11T14:57:28.71+00:00

Hi Rukhsar Afroz

From the logs shared, I noticed 502 errors occur with the POST method. Could you please check if it also happens with the GET method? Additionally, what is the data size that users are pushing to the application via the POST method?

To isolate this issue, could you reproduce the same error by directly accessing the backend (bypassing the Application Gateway) and let us know the behavior? For this, you can deploy a VM on the same VNET as the Application Gateway and try to send POST requests to the backend (AKS Ingress controller).

We believe this is a backend issue where the server is prematurely closing the connection, and it is unlikely to be an Application Gateway fault. Engaging your application team to investigate the application logging might help resolve this issue.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-11T18:00:29.9666667+00:00
Hi Rukhsar Afroz

From the logs shared, I noticed 502 errors occur with the POST method. Could you please check if it also happens with the GET method? Additionally, what is the data size that users are pushing the data to the application via the POST method?

To isolate this issue, can you able to reproduce the same by directly accessing the backend (bypassing the Application Gateway) and let us know the behavior? For this, you can deploy a VM on the same VNET as the Application Gateway and try to send POST requests to the backend (AKS Ingress controller).

I noticed everytime when we get 502 we get like this- one warning i see-a client request body is buffered to a temporary file.

Since you mentioned that the client request body is buffered to a temporary file, you can try disabling the request/response buffer option on the application gateway as a final attempt.

To know more about configure Request and Response Proxy Buffers.

Warning: - We strongly recommend that you test and evaluate the performance before rolling this out on the production gateways.

How to change the buffer settings? - Use Azure CLI Method

Request Buffer

az network application-gateway update --name <gw-name> --resource-group <rg-name> --set globalConfiguration.enableRequestBuffering=false

Response Buffer

az network application-gateway update --name <gw-name> --resource-group <rg-name> --set globalConfiguration.enableResponseBuffering=false

Limitations: -

Currently, these changes aren't supported through Portal and PowerShell.

Request buffering can't be disabled if you're running the WAF SKU of Application Gateway. The WAF requires the full request to buffer as part of processing, therefore, even if you disable request buffering within Application Gateway the WAF still buffers the request. Response buffering isn't impacted by the WAF.
Rukhsar Afroz 20 Reputation points

2025-04-14T07:34:11.4+00:00

Hello @Shravan Addagatla

We mostly have POST request and we are facing this 502 while POST request and data size for some requesturi is less and for some its big during 502,
Rukhsar Afroz 20 Reputation points

2025-04-14T08:15:41.98+00:00

Hello @Shravan Addagatla

We mostly have POST request and we are facing this 502 while POST request and data size for some requesturi is less and for some its big during 502,
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-14T12:09:35.7933333+00:00

Hi Rukhsar Afroz

If you are using the WAF tier for the application gateway, disabling the request response option on the application gateway will not have any effect. You can try testing it without WAF and also disable response buffer to see if that resolves the issue.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-15T08:31:36.77+00:00

Hi Rukhsar Afroz

I just wanted to follow up to see if you had the opportunity to review my response regarding your issue. Please check and let me know if you have any questions.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-16T14:12:44.0833333+00:00

Hi Rukhsar Afroz

Since you mentioned that you were unable to disable the buffers on the application gateway with WAF attached due to limitations. however, you saw the same message on the AKS ingress controller, so you can try disabling the buffers on the AKS ingress controller and let us know if that resolves your sporadic 502 errors.

Accepted answer

0 additional answers

Your answer

Abiola Akinbade 26,895 Reputation points

2025-04-08T13:32:56.9866667+00:00

To troubleshoot 502 errors, see the link here:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-09T12:09:45.6533333+00:00

Hello Rukhsar Afroz

I just wanted to follow up to see if you had the opportunity to review my response regarding your question about resolving the issue.

Thanks. I look forward to your response.
Rukhsar Afroz 20 Reputation points

2025-04-09T12:54:14.8166667+00:00

Hello @Shravan Addagatla

I have checked all pointers, did not get anything except this one-Please check the keep-alive timeout settings on your backend. Ensure its greater than the Application Gateway idle timeout.

Did you mean here inginx keepalive timeout should be greater than idle time for application gateway?
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-09T13:52:28.62+00:00

Hi Rukhsar Afroz

Thanks for your response,

As the error message indicates, "ERRORINFO_UPSTREAM_CLOSED_CONNECTION" in Azure Application Gateway access logs usually means that the backend server (upstream service) closed the connection unexpectedly before completing the request.

Could you try increasing the nginx keepalive timeout to be longer than the application gateway idle timeout? Also, is this issue intermittent or is it consistently not working?

Additionally, please share a screenshot of the health probe status on application gateway.

If possible, could you deploy a VM on the same VNET as the application gateway and let me know its behavior?
Rukhsar Afroz 20 Reputation points

2025-04-10T04:58:55.6033333+00:00

Hello @Shravan Addagatla ,

Its intermittent issue, it happens sometimes for different services request.

what will be the idletimeout for application gateway?is it idletimout we set in public ip of application gateway?

Screenshot for healthprobe status on application gateway
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-10T12:35:06.8866667+00:00

Hi Rukhsar Afroz

The idle timeout for Azure Application Gateway varies based on the SKU:

Application Gateway v1: The Keep-Alive timeout is 120 seconds, and the TCP idle timeout is 4 minutes by default.

Application Gateway v2: The Keep-Alive timeout is 75 seconds, and the TCP idle timeout is 4 minutes by default, configurable between 4 minutes and 30 minutes.

For the public IP idle timeout, this setting applies to inbound connections and can be set between 4 to 30 minutes. This is distinct from the Application Gateway's idle timeout settings.

Since the issue is intermittent and occurs on the backend, you can adjust or extend the Keep-alive request timeout settings on the Application Gateway backend in the HTTP settings section to see if you still encounter the 502 errors.

You can review the diagnostic logs on the application gateway to determine the backend response at the time, 502 error occurred.

Refer : -

https://learn.microsoft.com/en-us/answers/questions/193042/what-is-the-idle-timeout-for-application-gateway

https://learn.microsoft.com/en-us/azure/application-gateway/configuration-http-settings#request-timeout
Rukhsar Afroz 20 Reputation points

2025-04-10T14:51:07.9233333+00:00

Hello @Shravan Addagatla ,

I have increased requesttimeout to 300s within backend setting in application gateway and withing azurediagnostic log timetaken_d is 0..004.

max
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-10T15:00:15.2166667+00:00

Hi Rukhsar Afroz

To understand better about your issue lets connect offline, please see private message for more details.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-11T07:19:25.62+00:00

Hi Rukhsar Afroz

In the meantime, could you please check the backend logs (Nginx web service) when the 502 error occurs on the application gateway?

Additionally, what backend response do we see in the application gateway access log at the time of the 502 error?
Rukhsar Afroz 20 Reputation points

2025-04-11T08:19:11.3133333+00:00

Hello @Shravan Addagatla ,

In applicateway gateway access logs, we are not getting any response from backend, attaching screenshot.And when i am checking ingress nginx controller container logs , i noticed everytime when we get 502 we get like this- one warning i see-a client request body is buffered to a temporary file.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-11T14:57:28.71+00:00

Hi Rukhsar Afroz

From the logs shared, I noticed 502 errors occur with the POST method. Could you please check if it also happens with the GET method? Additionally, what is the data size that users are pushing to the application via the POST method?

To isolate this issue, could you reproduce the same error by directly accessing the backend (bypassing the Application Gateway) and let us know the behavior? For this, you can deploy a VM on the same VNET as the Application Gateway and try to send POST requests to the backend (AKS Ingress controller).

We believe this is a backend issue where the server is prematurely closing the connection, and it is unlikely to be an Application Gateway fault. Engaging your application team to investigate the application logging might help resolve this issue.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-11T18:00:29.9666667+00:00

Hi Rukhsar Afroz

From the logs shared, I noticed 502 errors occur with the POST method. Could you please check if it also happens with the GET method? Additionally, what is the data size that users are pushing the data to the application via the POST method?

To isolate this issue, can you able to reproduce the same by directly accessing the backend (bypassing the Application Gateway) and let us know the behavior? For this, you can deploy a VM on the same VNET as the Application Gateway and try to send POST requests to the backend (AKS Ingress controller).

I noticed everytime when we get 502 we get like this- one warning i see-a client request body is buffered to a temporary file.

Since you mentioned that the client request body is buffered to a temporary file, you can try disabling the request/response buffer option on the application gateway as a final attempt.

To know more about configure Request and Response Proxy Buffers.

Warning: - We strongly recommend that you test and evaluate the performance before rolling this out on the production gateways.

How to change the buffer settings? - Use Azure CLI Method

Request Buffer

az network application-gateway update --name <gw-name> --resource-group <rg-name> --set globalConfiguration.enableRequestBuffering=false

Response Buffer

az network application-gateway update --name <gw-name> --resource-group <rg-name> --set globalConfiguration.enableResponseBuffering=false

Limitations: -

Currently, these changes aren't supported through Portal and PowerShell.

Request buffering can't be disabled if you're running the WAF SKU of Application Gateway. The WAF requires the full request to buffer as part of processing, therefore, even if you disable request buffering within Application Gateway the WAF still buffers the request. Response buffering isn't impacted by the WAF.
Rukhsar Afroz 20 Reputation points

2025-04-14T07:34:11.4+00:00

Hello @Shravan Addagatla

We mostly have POST request and we are facing this 502 while POST request and data size for some requesturi is less and for some its big during 502,
Rukhsar Afroz 20 Reputation points

2025-04-14T08:15:41.98+00:00

Hello @Shravan Addagatla

We mostly have POST request and we are facing this 502 while POST request and data size for some requesturi is less and for some its big during 502,
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-14T12:09:35.7933333+00:00

Hi Rukhsar Afroz

If you are using the WAF tier for the application gateway, disabling the request response option on the application gateway will not have any effect. You can try testing it without WAF and also disable response buffer to see if that resolves the issue.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-15T08:31:36.77+00:00

Hi Rukhsar Afroz

I just wanted to follow up to see if you had the opportunity to review my response regarding your issue. Please check and let me know if you have any questions.
Shravan Addagatla 380 Reputation points Microsoft External Staff

2025-04-16T14:12:44.0833333+00:00

Hi Rukhsar Afroz

Since you mentioned that you were unable to disable the buffers on the application gateway with WAF attached due to limitations. however, you saw the same message on the AKS ingress controller, so you can try disabling the buffers on the AKS ingress controller and let us know if that resolves your sporadic 502 errors.

Answer 1

Hi Rukhsar Afroz

The error you encountered ERRORINFO_UPSTREAM_CLOSED_CONNECTIONis due to the backend server closing the connection unexpectedly or before the request was fully processed. This indicates that the backend server (NGINX, in your case) is terminating the connection before Application Gateway finishes sending the request or receiving a complete response. Refer to the documentation for more details.
User's image

Based on your environment and the logs (ERRORINFO_UPSTREAM_CLOSED_CONNECTION, the root cause of the intermittent 502 errors was that the ingress-nginx controller was prematurely closing the connection, especially during POST requests or large payloads. This made Azure Application Gateway believe the backend had failed, resulting in a 502. The ingress controller had lower timeout values for reading/writing client requests. When Application Gateway sent a request, the ingress controller timed out or closed the connection before a full response was delivered.

You also saw- client request body is buffered to a temporary

file /tmp/nginx/client-body/xxx

This indicates that NGINX was writing request bodies to disk because the request payload exceeded the default buffer size.

To fix this, run the following to patch your nginx-configuration ConfigMap:

kubectl patch configmap nginx-configuration -n ingress-nginx \
  --type merge \
  -p '{"data": {
    "keep-alive-timeout": "300",
    "proxy-read-timeout": "300",
    "proxy-send-timeout": "300",
    "proxy-connect-timeout": "300",
    "client-body-buffer-size": "512k"
  }}'
kubectl rollout restart deployment ingress-nginx-controller -n ingress-nginx

These values ensure that NGINX holds connections open long enough for App Gateway and avoids writing small POST payloads to disk.

Your next question: What does client-body-buffer-size do?

It increases the in-memory buffer for POST data. Without this, NGINX logs give—a client request body is buffered to a temporary file. This is not an error, but increasing the buffer (e.g., 512k or 1m) avoids disk I/O for moderate payloads.

Avoid setting it to 16k that’s often already the default and won’t help with large payloads.

If you previously used this

keep-alive: "on"
keep-alive-requests: "1000"

Remove them, as these are not valid keys for the ingress-nginx ConfigMap and can cause errors like unexpected error merging defaults."cannot parse 'keep-alive'

After applying the above steps. The 502 errors are no longer observed, your application gateway logs show healthy responses and your Ingress-nginx works smoothly with large POSTs

Reference:Troubleshooting bad gateway errors in Application Gateway

I hope this helps to resolve your issue. Please feel free to ask any questions if the solution provided isn't helpful.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

How to troubleshoot 502 issue on Application gateway

0 additional answers

Your answer