You may have to contact our support to get this properly troubleshot.
Application Gateway Probe gives false negative
After defining the probes on the App Gateway with SKU Standard V2, I got:
The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate
But when I looked at the IIS log on the backend servers, I could see:
Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.5 - - - agw.mydomain.cz 200 0 0 423
2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.7 - - - agw.mydomain.cz 200 0 0 409
On the frontend user side everything works, and in the IIS log I can see a row with the user agent filled in (Edge):
2022-06-20 13:52:09 10.0.0.4 GET /whoami.php - 443 - 10.0.1.5 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/102.0.5005.124+Safari/537.36+Edg/102.0.1245.44 ApplicationGatewayAffinityCORS=1f2ecc2258faf740ac14c6b38debac38;+ApplicationGatewayAffinity=1f2ecc2258faf740ac14c6b38debac38 https://agw.mydomain.cz/whoami.php agw.mydomain.cz 200 0 0 399
I've also tried, from the backend servers with IPs 10.0.0.4 and 10.0.0.5, to do an openssl check:
openssl s_client -connect 10.0.0.5:443 -tls1_2 -servername agw.mydomain.cz -showcerts
and from 2 to 1
openssl s_client -connect 10.0.0.4:443 -tls1_2 -servername agw.mydomain.cz -showcerts
And got the proper certificate.
I think this is a bug.
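An added example, not part of the original post: a small Python parser for IIS W3C log rows like the ones in the question that lists, per client IP, the Host header and status of the probe requests, so the host name the probe actually sends can be compared with the name on the backend certificate. Treating `/status.php` requests with an empty User-Agent as probes is an assumption taken from the rows above; the function names are illustrative and the last sample row is abbreviated.

```python
from collections import Counter

# Probe rows copied from the question; the browser row is abbreviated (constructed).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.5 - - - agw.mydomain.cz 200 0 0 423
2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.7 - - - agw.mydomain.cz 200 0 0 409
2022-06-20 13:52:09 10.0.0.4 GET /whoami.php - 443 - 10.0.1.5 Mozilla/5.0+(Windows+NT+10.0)+Edg/102.0.1245.44 - https://agw.mydomain.cz/whoami.php agw.mydomain.cz 200 0 0 399
"""


def parse_w3c(text):
    """Yield one dict per request row, keyed by the names in the Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        # Accept "#Fields:" as IIS writes it, and "Fields:" as pasted in the question.
        if line.lstrip("#").startswith("Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def probe_summary(text, probe_path="/status.php"):
    """Count (client IP, Host header, status) for rows that look like health probes."""
    summary = Counter()
    for row in parse_w3c(text):
        # Assumption: probe rows request probe_path and log no User-Agent ("-").
        if row["cs-uri-stem"] == probe_path and row["cs(User-Agent)"] == "-":
            summary[(row["c-ip"], row["cs-host"], row["sc-status"])] += 1
    return summary


def probe_hosts(text, probe_path="/status.php"):
    """Host headers the probes sent: the names to compare with the certificate."""
    return {host for (_ip, host, _status) in probe_summary(text, probe_path)}


if __name__ == "__main__":
    for (ip, host, status), count in sorted(probe_summary(SAMPLE_LOG).items()):
        print(f"{ip} host={host} status={status} count={count}")
```
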
6 answers
Tchimwa Sougang 931 Reputation points Microsoft Employee
2022-06-27T14:01:12.163+00:00