502 Bad Gateway
Microsoft-Azure-Application-Gateway/v2
We are making sure that we are able to access the simple .htm web page hosted on a VM backend by using the public IP address of the VM.
Could you please advise what we should double-check to address this error?
Thanks very much!
Hello @Huy Sy Doi ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I would suggest you start troubleshooting with the below document:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-troubleshooting-502
But since you have mentioned that the backend health shows healthy and you are still receiving a 502 error, I am listing a couple of causes I have seen where this issue could occur:
Improper bundling of Certificates.
The certificate on the listener requires the entire certificate chain to be uploaded (the root certificate from the CA, the intermediates and the leaf certificate) to establish the chain of trust.
Refer to the thread below for the steps on how to check for an incorrectly bundled certificate and how to fix it:
https://learn.microsoft.com/en-us/answers/questions/51336/appgateway-v2-certificate-issue
Backend Address Pool includes ADFS WAP (Web Application Proxy) Servers
Could you please confirm if your backend is an ADFS Web Application Proxy?
Along with this, I would suggest you check the Application Gateway access logs (if you have enabled diagnostics on the App Gateway) and filter on the 502 HTTP status code to see which host/URL is failing.
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics
Regards,
Hi @GitaraniSharma-MSFT ,
Our backend server is not using a bundled certificate. You can access the public link of our VM here:
https://20.104.132.186/Default.htm
We don't use ADFS WAP on the VM. In our test, we just use IIS to host a very simple Default.htm as I provided the link above.
Here is the public IP of our App gateway to access our backend:
https://40.86.200.133/Default.htm
But it shows: 502 Bad Gateway error
Here is our backend health:
We enabled diagnostics on the App gateway but cannot find where the log is located to filter the 502 http status codes to see which host/URL is failing. Could you provide a quick guide for this?
Thanks very much!
@Huy Sy Doi , thank you for the update.
On accessing the App gateway IP, I see the certificate is not valid:
So, I would like to understand a bit about your setup.
Could you please let me know what are the listener and backend HTTP settings configured in your App gateway?
Is your App gateway configured for end-to-end SSL or SSL termination?
Since you are accessing the App gateway over 443/HTTPS, what certificate has been uploaded to your listener? Is it a self-signed certificate?
What are your IIS binding settings?
Here is our health probe settings:
Here is Bindings settings on our backend server on a VM:
We uploaded CARootPFX.pfx and CARootPFX.cer to our listener and backend settings. You can view the files we copied to the Desktop of our backend server VM.
<<<Removed the Personal Identifiable Information (PII)>>>
Our App gateway is configured for end-to-end SSL.
Please let us know if there is anything we are missing in order to resolve this error; that would be great!
Thanks very much!
Hi @GitaraniSharma-MSFT ,
Have you found anything causing the 502 error in our testing environment yet?
Thank you very much for your support!
Hello @Huy Sy Doi ,
Apologies for the delay in my response as I was checking all the configuration and also trying to reproduce this setup in my lab.
So, below are my findings:
For the TLS connection to work, you need to ensure that the TLS/SSL certificate meets the following conditions:
That the current date and time is within the "Valid from" and "Valid to" date range on the certificate.
That the certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com.
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview
When you enable end-to-end SSL on Azure Application gateway v2, below is the live traffic behavior:
If the backend pool address is an IP address or the hostname isn't set in the HTTP settings, SNI will be set to the hostname from the input FQDN from the client, and the backend certificate's CN has to match this hostname.
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#for-live-traffic
Also, if you check the below doc, it says the Common Name (CN) of the backend certificate should match the host header of the custom probe.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-certificate-invalid-common-name-cn
Now, in your setup, the certificate you used has the Common Name (CN) kofax-VN01CSUC17-CA, and this is added correctly in your custom health probe (as I can see from the screenshot you shared earlier), but you are trying to access the Application gateway by its IP address, which doesn't match the CN of the backend certificate.
Hence, the backend shows as healthy, but the Application gateway is failing with error 502.
To fix this issue, my recommendations are as below:
Point your Application gateway's IP address to the domain "kofax-VN01CSUC17-CA", if possible, and use the same to access the App gateway.
If it is not possible to point the Application gateway, then try a hostname override in your backend HTTP settings to "kofax-VN01CSUC17-CA" as below and check if it works.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
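To make the "healthy probe, 502 on live traffic" behaviour from the answer above concrete, the following added example (not part of this thread or of Microsoft's Application Gateway code) models the two checks the gateway performs with end-to-end TLS: the health probe validates the backend certificate against the probe's host name, while live traffic validates it against the SNI name, which is the client's Host header unless a hostname override is set in the backend HTTP settings (the rule quoted from the ssl-overview doc). The certificate identity (CN kofax-VN01CSUC17-CA, no SANs), the gateway IP 40.86.200.133 and the function names are taken from, or assumed for, this thread's scenario; the matcher additionally accepts DNS and IP SANs and a left-most wildcard, which is how general TLS validation works but goes beyond what the doc states for CN. Chain trust and validity dates, which the gateway also checks, are deliberately outside this model.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BackendCert:
    """Identity fields of the certificate the backend (IIS) presents.
    SAN entries use the openssl-style prefixes "DNS:" and "IP:"."""
    common_name: str
    sans: list = field(default_factory=list)


# Assumption: the certificate from the thread has only a CN and no SAN extension.
BACKEND_CERT = BackendCert(common_name="kofax-VN01CSUC17-CA")


def effective_backend_host(client_host, host_override=None):
    """Name App Gateway v2 sends as SNI and validates the backend cert against.
    Rule from the ssl-overview doc: when the pool member is an IP address and no
    hostname is set in the HTTP settings, the client's Host header is reused."""
    return host_override or client_host


def _dns_match(pattern, host):
    """Exact, case-insensitive DNS match; '*' allowed only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def cert_matches_host(cert, host):
    """True if host is covered by the cert's CN or a SAN entry.
    An IP literal only ever matches an IP SAN, never the CN."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    dns_names = [cert.common_name]
    ip_names = []
    for san in cert.sans:
        kind, _, value = san.partition(":")
        if kind.upper() == "DNS":
            dns_names.append(value)
        elif kind.upper() == "IP":
            ip_names.append(value)
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    return any(_dns_match(name, host) for name in dns_names)


def simulate_request(cert, probe_host, client_host, host_override=None):
    """Return (probe_healthy, sni_used_for_live_traffic, live_result).
    The probe uses its own host name; live traffic uses effective_backend_host()."""
    probe_healthy = cert_matches_host(cert, probe_host)
    live_host = effective_backend_host(client_host, host_override)
    live_result = "200 OK" if cert_matches_host(cert, live_host) else "502 Bad Gateway"
    return probe_healthy, live_host, live_result


if __name__ == "__main__":
    probe = "kofax-VN01CSUC17-CA"
    # Client browses to https://40.86.200.133/Default.htm (the gateway's IP from the thread).
    print(simulate_request(BACKEND_CERT, probe, "40.86.200.133"))
    # Same request after setting a hostname override in the backend HTTP settings.
    print(simulate_request(BACKEND_CERT, probe, "40.86.200.133", host_override=probe))
```

The first call reproduces the thread: the probe succeeds because its host name equals the CN, but the SNI for live traffic is the bare IP, which no CN can satisfy, so the backend handshake fails and the gateway returns 502. The second call shows why the recommended hostname override fixes it without touching the certificate. When checking a real backend, the equivalent hands-on test is an `openssl s_client` connection to the VM with `-servername` set first to the IP and then to the CN, comparing the verification result of each.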