Application Gateway Probe gives false negative

Jan Vávra 231 Reputation points
2022-06-20T14:03:16.97+00:00

After defining the probes at the App Gateway with SKU Standard V2, I've got:

The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate

But when I looked at the IIS log on the backend servers, I could see:

Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken

2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.5 - - - agw.mydomain.cz 200 0 0 423
2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.7 - - - agw.mydomain.cz 200 0 0 409

On the frontend user side everything works, and in the IIS log I can see a row with the user agent filled in (Edge):
2022-06-20 13:52:09 10.0.0.4 GET /whoami.php - 443 - 10.0.1.5 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/102.0.5005.124+Safari/537.36+Edg/102.0.1245.44 ApplicationGatewayAffinityCORS=1f2ecc2258faf740ac14c6b38debac38;+ApplicationGatewayAffinity=1f2ecc2258faf740ac14c6b38debac38 https://agw.mydomain.cz/whoami.php agw.mydomain.cz 200 0 0 399

I've also tried doing an openssl check from the backend servers with IPs 10.0.0.4 and 10.0.0.5:
openssl s_client -connect 10.0.0.5:443 -tls1_2 -servername agw.mydomain.cz -showcerts
and from 2 to 1
openssl s_client -connect 10.0.0.4:443 -tls1_2 -servername agw.mydomain.cz -showcerts

And got the proper certificate.

I think this is a bug.


6 answers

  1. Tchimwa Sougang 931 Reputation points Microsoft Employee
    2022-06-27T14:01:12.163+00:00

    You may have to contact our support to get this properly troubleshot.
