| title | author | description | ms.date | ms.assetid | msc.legacyurl | msc.type |
|---|---|---|---|---|---|---|
|
Troubleshooting 502 Errors in ARR |
rick-anderson |
IIS Failed Request Tracing Network Monitor Winhttp Tracing This material is provided for informational purposes only. Microsoft makes no warranties, express… |
04/09/2012 |
f419b76c-aea0-4b3c-b206-2ae31ee2436c |
/learn/extensions/troubleshooting-application-request-routing/troubleshooting-502-errors-in-arr |
authoredcontent |
by Richard Marr
Tools Used in this Troubleshooter:
- IIS Failed Request Tracing
- Network Monitor
- Winhttp Tracing
This material is provided for informational purposes only. Microsoft makes no warranties, express or implied.
HTTP 502 — Overview
When working with IIS Application Request Routing (ARR) deployments, one of the errors that you may see is «HTTP 502 — Bad Gateway». The 502.3 error means that — while acting as a proxy — ARR was unable to complete the request to the upstream server and send a response back to the client. This can happen for multiple reasons — for example: failure to connect to the server, no response from the server, or the server took too long to respond (time out). If you are able to reproduce the error by browsing the web farm from the controller, and detailed errors are enabled on the server, you may see an error similar to the following:
Figure 1 (Click image to expand)
The root cause of the error will determine the actions you should take to resolve the issue.
502.3 Timeout Errors
The error code in the screenshot above is significant because it contains the return code from WinHTTP, which is what ARR uses to proxy the request and identifies the reason for the failure.
You can decode the error code with a tool like err.exe. In this example, the error code maps to ERROR_WINHTTP_TIMEOUT. You can also find this information in the IIS logs for the associated website on the ARR controller. The following is an excerpt from the IIS log entry for the 502.3 error, with most of the fields trimmed for readability:
sc-status |
sc-substatus |
sc-win32-status |
time-taken |
|---|---|---|---|
502 |
3 |
12002 |
29889 |
The win32 status 12002 maps to the same ERROR_WINHTTP_TIMEOUT error reported in the error page.
What exactly timed-out?
We investigate this a bit further by enabling Failed Request Tracing on the IIS server. The first thing we can see in the failed request trace log is where the request was sent to in the ARR_SERVER_ROUTED event. The second item I have highlighted is what you can use to track the request on the target server, the X-ARR-LOG-ID. This will help if you are tracing the target or destination of the HTTP request:
| 77. | ARR_SERVER_ROUTED | RoutingReason=»LoadBalancing», Server=»192.168.0.216″, State=»Active», TotalRequests=»3″, FailedRequests=»2″, CurrentRequests=»1″, BytesSent=»648″, BytesReceived=»0″, ResponseTime=»15225″ 16:50:21.033 |
|---|---|---|
| 78. | GENERAL_SET_REQUEST_HEADER | HeaderName=»Max-Forwards», HeaderValue=»10″, Replace=»true» 16:50:21.033 |
| 79. | GENERAL_SET_REQUEST_HEADER | HeaderName=»X-Forwarded-For», HeaderValue=»192.168.0.204:49247″, Replace=»true» 16:50:21.033 |
| 80. | GENERAL_SET_REQUEST_HEADER | HeaderName=»X-ARR-SSL», HeaderValue=»», Replace=»true» 16:50:21.033 |
| 81. | GENERAL_SET_REQUEST_HEADER | HeaderName=»X-ARR-ClientCert», HeaderValue=»», Replace=»true» 16:50:21.033 |
| 82. | GENERAL_SET_REQUEST_HEADER | HeaderName=»X-ARR-LOG-ID», HeaderValue=»dbf06c50-adb0-4141-8c04-20bc2f193a61″, Replace=»true» 16:50:21.033 |
| 83. | GENERAL_SET_REQUEST_HEADER | HeaderName=»Connection», HeaderValue=»», Replace=»true» 16:50:21.033 |
The following example shows how this might look on the target server’s Failed Request Tracing logs; you can validate that you have found the correct request by matching up the «X-ARR-LOG_ID» values in both traces.
| 185. | GENERAL_REQUEST_HEADERS Headers=»Connection: Keep-Alive Content-Length: 0 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US Host: test Max-Forwards: 10 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0) X-Original-URL: /time/ X-Forwarded-For: 192.168.0.204:49247 X-ARR-LOG-ID: dbf06c50-adb0-4141-8c04-20bc2f193a61 |
|---|---|
| <multiple entries skipped for brevity> | |
| 345. | GENERAL_FLUSH_RESPONSE_END BytesSent=»0″, ErrorCode=»An operation was attempted on a nonexistent network connection. (0x800704cd)» 16:51:06.240 |
In the above example, we can see that the ARR server disconnected before the HTTP response was sent. The timestamp for GENERAL_FLUSH_RESPONSE_END can be used as a rough guide to find the corresponding entry in the IIS logs on the destination server.
date |
time |
s-ip |
cs-method |
cs-uri-stem |
cs-uri-query |
s-port |
cs-username |
sc-status |
sc-substatus |
sc-win32-status |
time-taken |
|---|---|---|---|---|---|---|---|---|---|---|---|
2011-07-18 |
16:51:06 |
92.168.0.216 |
GET |
/time/ |
- |
80 |
- |
200 |
0 |
64 |
45208 |
Note that IIS on the destination server logged an HTTP 200 status code, indicating that the request completed successfully. Also note that the win32 status has changed to 64, which maps to ERROR_NETNAME_DELETED. This generally indicates that the client (ARR being the ‘client’ in this case) had disconnected before the request completed.
What happened?
Only the ARR server is reporting a timeout, so that is where we should look first.
In the IIS log entry from the ARR server, we can see that the time-taken is very close to 30 seconds, but the member server log shows that it took 45 seconds (45208 ms) to send the response. This suggests that ARR is timing the request out, and if we check the proxy timeout in the server farm’s proxy settings, we will see that it is set to 30 seconds by default.
So in this case we can clearly see that the ARR timeout was shorter than the execution of the request. Therefore, you would want to investigate whether this execution time was normal or whether you would need to look at why the request was taking longer than expected. If this execution time was expected and normal, increasing the ARR timeout should resolve the error.
Other possible reasons for ERROR_WINHTTP_TIMEOUT include:
- ResolveTimeout: This occurs if name resolution takes longer than the specified timeout period.
- ConnectTimeout: This occurs if it takes longer than the specified timeout period to connect to the server after the name resolved.
- SendTimeout: If sending a request takes longer than this time-out value, the send operation is canceled.
- ReceiveTimeout: If a response takes longer than this time-out value, the request is canceled.
Looking at the first two examples, ResolveTimeout and ConnectTimeout, the troubleshooting methodology outlined above would not work. This is because you would not see any traffic on the target server and therefore would not know the error code. Thus in this case of ResolveTimeout or ConnectTimeout you would want to capture a WinHTTP trace for additional insight. See the WinHTTP/WEBIO Tracing section of this troubleshooter as well as the following blogs for additional examples on troubleshooting and tracing:
- 502.3 Bad Gateway «The operation timed out» with IIS Application Request Routing (ARR)
- Winhttp Tracing Options for Troubleshooting with Application Request Routing
502.3 Connection Termination Errors
502.3 errors are also returned when the connection between ARR and the member server is disconnected mid-stream. To test this type of problem, create a simple .aspx page that calls Response.Close(). In the following example there is a directory called «time» which is configured with a simple aspx page as the default document of that directory. When browsing to the directory, ARR will display this error:
Figure 2 (Click image to expand)
The error 0x80072efe corresponds to ERROR_INTERNET_CONNECTION_ABORTED. The request can be traced to the server that actually processed it using the same steps used earlier in this troubleshooter, with one exception; while Failed Request Tracing on the destination server shows the request was processed on the server, the associated log entry does not appear in the IIS logs. Instead, this request is logged in the HTTPERR log as follows:
[!code-consoleMain]
The built-in logs on the destination server do not provide any additional information about the problem, so the next step would be to gather a network trace from the ARR server. In the example above, the .aspx page called Response.Close() without returning any data. Viewing this in a network trace would show that a Connection: close HTTP header was coming from the destination server. With this information you could now start an investigation into why the Connection: close header was sent.
The error below is another example of an invalid response from the member server:
Figure 3 (Click image to expand)
In this example, ARR started to receive data from the client but something went wrong while reading the request entity body. This results in the 0x80072f78 error code being returned. To investigate further, use Network Monitor on the member server to get a network trace of the problem. This particular error example was created by calling Response.Close() in the ASP.net page after sending part of the response and then calling Response.Flush(). If the traffic between the ARR server and the member servers is over SSL, then WinHTTP tracing on Windows Server 2008 or WebIO tracing on Windows Server 2008 R2 may provide additional information. WebIO tracing is described later in this troubleshooter.
502.4 No appropriate server could be found to route the request
The HTTP 502.4 error with an associated error code of 0x00000000 generally indicates that all the members of the farm are either offline, or otherwise unreachable.
Figure 4 (Click image to expand)
The first step is to verify that the member servers are actually online. To check this, go to the «servers» node under the farm in the IIS Manager.
Figure 5 (Click image to expand)
Servers that are offline can be brought back online by right-clicking on the server name and choosing «Add to Load Balancing». If you cannot bring the servers back online, verify the member servers are reachable from the ARR server. The «trace Messages» pane on the «servers» page may also provide some clues about the problem. If you are using Web Farm Framework (WFF) 2.0, you may receive this error if the application pool restarts. You will need to restart the Web Farm Service to recover.
WinHTTP/WebIO Tracing
Usually, Network Monitor will provide you with the information you need to identify exactly what is timing out, however there are times (such as when the traffic is SSL encrypted) that you will need to try a different approach. On Windows 7 and Windows Server 2008R2 you can enable WinHTTP tracing using the netsh tool by running the following command from an administrative command prompt:
[!code-consoleMain]
Then, reproduce the problem. Once the problem is reproduced, stop the tracing by running the following command from the command prompt:
[!code-consoleMain]
The stop command will take a few seconds to finish. When it is done, you will find a net.etl file and a net.cab file in C:temp. The .cab file contains event logs and additional data that may prove helpful in analyzing the .etl file.
To analyze the log, open it in Netmon 3.4 or later. Make sure you have set up your parser profile as described here. Scroll through the trace until you find the w3wp.exe instance where ARR is running by correlating with the «UT process name» column. Right click on w3wp and choose «Add UT Process name to display filter». This will set the display filter similar to:
[!code-consoleMain]
You can further filter the results by changing it to the following:
[!code-consoleMain]
You will need to scroll through the output until you find the timeout error. In the example below, a request timed out because it took more than 30 seconds (ARR’s default timeout) to run.
| 336 | 2:32:22 PM | 7/22/2011 | 32.6380453 | w3wp.exe (1432) | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver starts in _INIT state |
|---|---|---|---|---|---|---|
| 337 | 2:32:22 PM | 7/22/2011 | 32.6380489 | w3wp.exe (1432) | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::current thread is not impersonating |
| 340 | 2:32:22 PM | 7/22/2011 | 32.6380584 | w3wp.exe (1432) | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver processing WebReceiveHttpResponse completion (error-cdoe = ? (0x5b4), overlapped = 003728F0)) |
| 341 | 2:32:22 PM | 7/22/2011 | 32.6380606 | w3wp.exe (1432) | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver failed to receive headers; error = ? (1460) |
| 342 | 2:32:22 PM | 7/22/2011 | 32.6380800 | w3wp.exe (1432) | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::ERROR_WINHTTP_FROM_WIN32 mapped (?) 1460 to (ERROR_WINHTTP_TIMEOUT) 12002 |
| 343 | 2:32:22 PM | 7/22/2011 | 32.6380829 | w3wp.exe (1432) | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse() |
| 344 | 2:32:22 PM | 7/22/2011 | 32.6380862 | w3wp.exe (1432) | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-req completes recv-headers inline (sync); error = ERROR_WINHTTP_TIMEOUT (12002) |
In this next example, the content server was completely offline:
| 42 | 2:26:39 PM | 7/22/2011 | 18.9279133 | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::WinHttpReceiveResponse(0x11d23d0, 0x0) | {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3} |
|---|---|---|---|---|---|---|
| 43 | 2:26:39 PM | 7/22/2011 | 18.9279633 | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver starts in _INIT state | {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3} |
| 44 | 2:26:39 PM | 7/22/2011 | 18.9280469 | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::current thread is not impersonating | {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3} |
| 45 | 2:26:39 PM | 7/22/2011 | 18.9280776 | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver processing WebReceiveHttpResponse completion (error-cdoe = WSAETIMEDOUT (0x274c), overlapped = 003728F0)) | {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3} |
| 46 | 2:26:39 PM | 7/22/2011 | 18.9280802 | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver failed to receive headers; error = WSAETIMEDOUT (10060) | {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3} |
| 47 | 2:26:39 PM | 7/22/2011 | 18.9280926 | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::ERROR_WINHTTP_FROM_WIN32 mapped (WSAETIMEDOUT) 10060 to (ERROR_WINHTTP_TIMEOUT) 12002 | {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3} |
| 48 | 2:26:39 PM | 7/22/2011 | 18.9280955 | WINHTTP_MicrosoftWindowsWinHttp | WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse() | {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3} |
Other Resources
- ERR.EXE
- Winhttp Error Codes
- Failed Request Tracing
- Winhttp Tracing
- Network Monitor
I ran into this same problem when I deployed my application. There were several problems on my end 
I went through this page very carefully: ASP.NET Core: Publishing to IIS
First, I didn’t have all parts of the .NET Core Windows Server Hosting bundle installed. I ended up doing a fremework-dependent deployment instead of a self-contained deployment. We have a lot of apps and don’t want/need each on their own versions of .net core. There would be way too many versions of .net on the box.
Also, note that if your admins performed any updates/upgrades to the server, they could have jacked up your ASP.NET Core installation (see ASP.NET Core: Publishing to IIS troubleshooting section)
Then, I had to fix my web.config… here is my working published web.config:
I didn’t publish as an *.exe, I did *.dll (notice my arguments value). Also, my processPath is set to «dotnet».
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".DT.Web.dll" stdoutLogEnabled="false" stdoutLogFile=".logsstdout" forwardWindowsAuthToken="false" />
</system.webServer>
</configuration>
Also, ensure that your project.json options are all set compatible with your server environment (see ASP.NET Core: Publishing to IIS troubleshooting section)
Here is a copy of the of my project.json if it can be of any help:
{
"version": "2.0.1.0",
"dependencies": {
"DT.Common": "2.*",
"DT.Configuration": "2.*",
"DT.Services": "2.*",
"DT.Web.ViewModels": "2.*",
"Microsoft.ApplicationInsights.AspNetCore": "1.0.2",
"Microsoft.AspNetCore.Authentication": "1.1.0",
"Microsoft.AspNetCore.Authentication.Cookies": "1.1.0",
"Microsoft.AspNetCore.Authentication.OpenIdConnect": "1.1.0",
"Microsoft.AspNetCore.Diagnostics": "1.1.0",
"Microsoft.AspNetCore.Mvc": "1.1.0",
"Microsoft.AspNetCore.Razor.Tools": {
"version": "1.1.0-preview4-final",
"type": "build"
},
"Microsoft.AspNetCore.Routing": "1.1.0",
"Microsoft.AspNetCore.Server.IISIntegration": "1.1.0",
"Microsoft.AspNetCore.Server.IISIntegration.Tools": {
"version": "1.1.0-preview4-final",
"type": "build"
},
"Microsoft.AspNetCore.Server.Kestrel": "1.1.0",
"Microsoft.AspNetCore.Server.Kestrel.Https": "1.1.0",
"Microsoft.AspNetCore.Session": "1.0.0",
"Microsoft.AspNetCore.StaticFiles": "1.1.0",
"Microsoft.Extensions.Caching.SqlServer": "1.0.0",
"Microsoft.Extensions.Configuration.Abstractions": "1.1.0",
"Microsoft.Extensions.Configuration.FileExtensions": "1.1.0",
"Microsoft.Extensions.Configuration.Json": "1.1.0",
"Microsoft.Extensions.Logging.Console": "1.1.0",
"Microsoft.Extensions.Logging.Debug": "1.1.0",
"Microsoft.Extensions.Options.ConfigurationExtensions": "1.0.0",
"Microsoft.Graph": "1.1.1",
"Microsoft.IdentityModel.Clients.ActiveDirectory": "3.13.6"
},
"tools": {
"Microsoft.AspNetCore.Server.IISIntegration.Tools": "1.1.0-preview4-final",
"Microsoft.AspNetCore.Razor.Tools": {
"version": "1.1.0-preview4-final",
"imports": "portable-net45+win8+dotnet5.6"
},
"Microsoft.Extensions.Caching.SqlConfig.Tools": "1.1.0-preview4-final"
},
"frameworks": {
"netcoreapp1.1": {
"imports": [
"dotnet5.6",
"portable-net45+win8"
],
"dependencies": {
"Microsoft.NETCore.App": {
"version": "1.1.0",
"type": "platform"
}
}
}
},
"buildOptions": {
"emitEntryPoint": true,
"preserveCompilationContext": true
},
"runtimeOptions": {
"configProperties": {
"System.GC.Server": true
}
},
"publishOptions": {
"include": [
"wwwroot",
"views/**/*.cshtml",
"appsettings.json",
"appsettings.*.json",
"web.config"
]
},
"scripts": {
"prepublish": [ "bower install", "gulp buildprod" ],
"postpublish": [ "dotnet publish-iis --publish-folder %publish:OutputPath% --framework %publish:FullTargetFramework%" ]
}
}
When deploying an ASP.NET Core application to IIS, you may find IIS returning HTTP Error 502.5 instead of your web page.
I recently hit this problem after manually modifying the web.config file. Fortunately, the problem is easy to fix.
In this post, we see two different causes of this error, two different solutions for the first cause, a solution for the second cause, and learn what needs to be in web.config for ASP.NET Core to operate.
The Error
Here is a screenshot of the HTTP Error 502.5 - Process Failure error. You’ll see this, in your browser, when making a request to your ASP.NET Core application, after deployment, if you have this issue.
Why do I get the error?
The HTTP Error 502.5 - Bad Gateway and HTTP Error 502.5 - Process Failure error messages occur in ASP.NET Core when IIS fails to execute the dotnet process.
I’ve seen this error happen for two different reasons:
- .NET Core Runtime is not installed
web.configfile has not been transformed
Fix 1a: Install the .NET Core Runtime
The most common reason for this to occur is when you haven’t installed the .NET Core runtime on the server.
You can download the latest .NET Core runtime from Microsoft’s .NET download page.
For Windows, you’ll usually want the latest .NET Core runtime (currently v2.1.1), as highlighted in the following screenshot:
This will get you the Windows Hosting Bundle Installer, which will install both the x86 and x64 runtimes on Windows Server.
Fix 1b: Publish a Self-Contained Deployment
If you don’t want to install the .NET Core Runtime. An alternative for .NET Core web applications is to publish them in the Self-Contained deployment mode, which includes the required .NET Runtime files alongside your application.
You can select this option from the advanced publish settings screen in Visual Studio:
If you go with this option, you’ll also need to choose a target runtime: win-x86, win-x64, osx-x64, or linux-x64. Because self-contained deployments are not portable.
Fix 2: Transform your web.config file
Another reason for this error to occur is when you deploy an untransformed web.config file.
This is likely to be your issue if you had a previously working web application and merely deployed a new version of it.
ASP.NET Core Web Config
In ASP.NET Core applications, the web.config file contains a handler that directs requests to the AspNetCoreModule and an aspNetCore element that defines and configures the ASP.NET Core process to execute your web application.
Here is a minimal web.config file for an ASP.NET Core application:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="true"
stdoutLogFile=".logsstdout" forwardWindowsAuthToken="false"/>
</system.webServer>
</configuration>
Note that it’s possible that you don’t have a web.config file in your ASP.NET Core project. If you do not, one will be generated for you when publishing the project, as IIS and IIS Express require a web.config file when hosting an ASP.NET Core web app.
The Issue
The untransformed web.config contains the variables %LAUNCHER_PATH% and %LAUNCHER_ARGS% rather than the correct paths. When IIS tries to run ASP.NET Core, it uses %LAUNCHER_PATH% and %LAUNCHER_ARGS% rather than the correct path and arguments.
To fix the HTTP Error 502.5 in ASP.NET Core, you need to transform the web.config and replace the untransformed web.config file on the IIS web server.
How do I transform web.config?
This transformation takes place when you choose to publish your web application. The transformed web.config ends up in the published output folder. Therefore, you simply need to publish your web application and copy the resulting web.config file onto the server.
In a transformed web.config file, the aspNetCore element will look something like this:
<aspNetCore processPath="dotnet" arguments=".MyApplication.dll" stdoutLogEnabled="true"
stdoutLogFile=".logsstdout" forwardWindowsAuthToken="false" />
%LAUNCHER_PATH% has been replaced by dotnet and %LAUNCHER_ARGS% has been replaced by the path to the main web application dll .MyApplication.dll.
Addendum
Update (4th July 2018): The same error occurs when the .NET Core Runtime is not installed. So, I have updated the article to include the solution to this more common issue as well.
- Remove From My Forums
-
Question
-
User501190585 posted
I have OS Windows Server 2008 Standard SP2 with IIS 7.0 on which portal application is setup which has a Url Rewrite rules, as per the Web Pen Test report we have to disable weak ciphers and protocols so we disabled SSL3.0 and TLS1.0 and installed the support
patch and enabled registry for TLS 1.1 and TLS 1.2. But immediately after this steps I am getting error «502 — Web server received an invalid response while acting as a gateway or proxy server.» while communicating with rest service.We also did registry settings as per the post https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in and Enable the SchUseStrongCrypto property in
the Windows registry to use as the default protocols: TLS 1.1 and TLS 1.2 for below registry keys,HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NetFrameworkv4.0.30319
HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoft.NetFrameworkv4.0.30319
But still I am getting same error. What else I am missing or is Windows Server 2008 standard SP2 and IIS 7.0 do not completely support TLS1.1 and TLS1.2. I feel this is something related to ARR and WinHttp but I am not getting any thing from web, any help
on this is really an appreciable.Thanks,
Prohharish
Answers
-
User501190585 posted
Hi All,
Thanks for your reply and assistance,
I am updating this thread after a long time as we have found the cause and solution and it is tested in to all our production environment. The issue was with the site using WinHttp for the communication, same is described in to the below link,
https://www.west-wind.com/wconnect/weblog/ShowEntry.blog?id=937
https://www.saowen.com/a/8205af06b51e040f54bfa2f9e766ad201fae071dbb637b5ff8df7534a324cfec
So, as WinHttp was unable to support the TLS 1.1, and TLS 1.2 on Windows server 2008 standard SP2 we have decided to update the servers to Windows server 2008 R2 and
do the TLS settings as described in above thread and it works for us.-
Marked as answer by
Tuesday, September 28, 2021 12:00 AM
-
Marked as answer by
When working with ARR deployments one of the errors you might see is 502.3 Bad Gateway. The 502.3 means while acting as a proxy ARR was unable to complete the request to the upstream server and subsequently send a response back to the client. This can happen for multiple reasons including , failure to connect to the server , no response from the server, or server took too long to respond (time out).
For the purposes of this post we are going to look at a timeout error and the data that can be gathered to help isolate the cause.
If you are looking at this post then you probably have already seen this error or something similar. This is shown in the browser when detailed errors are enabled in IIS.
Another way to identify the source of the 502.3 is with Failed Request Tracing logs in IIS configured to capture Status code 502.
From the message the key details are the ErrorCode which you can use to map to to the Winhttp error message, which in this case is ERROR_WINHTTP_TIMEOUT ( Reference WinHttp Error Codes). You will also see in the next line that this is translated to “The operation timed out”. Note that both the 0x80072ee2 and 2147954402 map to the same error ERROR_WINHTTP_TIMEOUT.
Now that we know its a timeout we need to determine what type of timeout occurred. Here is a list of the timeouts that can occur in Winhttp ( which if you haven’t guessed already is what ARR uses to proxy requests)
- ResolveTimeout : This occurs if name resolution takes longer than the specified timeout period.
- ConnectTimeout : This occurs if it takes longer than the specified timeout period to connect to the server after the name resolved.
- SendTimeout : If sending a request takes longer than this time-out value, the send is canceled.
- ReceiveTimeout : If a response takes longer than this time-out value, the request is canceled.
To identify what type of timeout we can use Winhttp’s built in logging,These can be enabled from the command line on the ARR server using NETSH.
- Winhttp Traces:
Following the example below you can search your log for WinHttpOpenRequest to find your request. The calls to WinHttpSetTimeouts are setting the 4 timeout values based on your ARR time settings found in the Proxy Configuration page of your ARR Server Farm or in the Server Proxy settings. Next we find WinHttpSendRequest then WinHttpReceiveResponse , so we know we are now in the receive stage. Finally we see that the error in is in RecvResponse so we know this is a ReceiveTimeout. For a different failure such as ResolveTimeout we would not see the log make it to WinHttpReceiveResponse and the failure would be logged earlier.
10:23:45.100 ::WinHttpOpenRequest(0x35a970, "GET", "/sleep/default.aspx", "HTTP/1.0", "", 0x0, 0x00000080) ………… 10:23:45.100 ::WinHttpSetTimeouts(0x2e42d80, 30000, 30000, 30000, 30000) 10:23:45.100 ::WinHttpSetTimeouts() returning TRUE …………10:23:45.100 ::WinHttpSendRequest(0x2e42d80, "Accept: */*rnAccept-Encoding: gzip, deflaternAccept-Language: en-CArnHost: contoso.com", 479, 0x0, 0, 0, 24794c0) …………10:24:15.397 ::Completing WinHttpSendRequest() with success; Request Handle = 02E42D80, Context = 024794C0, Buffer = 00000000 (0x0), Buffer Length = 0 10:24:15.397 ::WinHttpReceiveResponse(0x2e42d80, 0x0) ………… 10:24:15.397 ::sys-recver failed to receive headers; error = ? (1460) 10:24:15.397 ::ERROR_WINHTTP_FROM_WIN32 mapped (?) 1460 to (ERROR_WINHTTP_TIMEOUT) 12002 10:24:15.397 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse() 10:24:15.397 ::sys-req completes recv-headers inline (sync); error = ERROR_WINHTTP_TIMEOUT (12002)
Now that we know this is receive timeout we can look at the content server and see how long the request took.
-
IIS logs on the Content Server:
Examine the IIS logs on the content server and check the sc-status and sc-win32-status and time-taken fields. This will give you an idea of whether the request processed successfully ( sc-status = 200) and the time-taken to see if this exceeds your ARR timeout and if this is the expected execution time for your web page . You can determine from this whether you need to troubleshoot a long running application or simply increase the ARR timeout settings. Checking the Win32 field for errors such as 1236 (ERROR_CONNECTION_ABORTED) or 64 (ERROR_NETNAME_DELETED) indicate that something happened on the network layer such as a connection reset.
Using our example the IIS logs here show that the Request took ~35 seconds (time-taken=35615) , the request was processed successfully on the server (sc-status=200) , but there was a problem sending the request (sc-win32-status=64) which means the connection was gone when the content server tried to send the request. This was because the client (ARR) has already timed-out and closed the TCP connection.
#Software: Microsoft Internet Information Services 7.0 #Version: 1.0 #Date: 2010-06-23 20:11:33 #Fields:date time cs-method cs-uri-stem s-port sc-status sc-substatus sc-win32-status time-taken 2010-06-23 20:11:33 GET /sleep/default.aspx 80 200 0 64 35615
Summary
So in this case we can see that the request took >35 seconds which is longer than the default timeout in ARR. When this occurs ARR ( or Winhttp underlying ARR) will close the connection to the content server which is what cause the Win32 error 64.
Now its up to you to determine whether its acceptable that your page is running for 35 seconds and you just need to increase time outs in ARR.
Since the application issues are beyond the scope of this blog I’ll leave you with two command lines for setting ARR timeouts for either a Server Proxy configuration or Server Farms.
Server Proxy : appcmd.exe set config -section:system.webServer/proxy /timeout:»00:00:45″ /commit:apphost
Server Farm : appcmd.exe set config -section:webFarms /[name=’ArrFarm’].applicationRequestRouting.protocol.timeout:»00:00:45″ /commit:apphost
References
WinHttpSetTimeouts Function
Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)
Failed Request Tracing in IIS (FREB)
UPDATE : New Post for Winhttp Tracing Methods
ARR on IIS.NET
Problem
In an IBM Cognos Analytics environment with the Microsoft IIS webserver installed with a gateway, users see HTTP 502 Bad Gateway errors when long-running requests are sent through the IIS webserver.
Diagnosing The Problem
Review when users see the HTTP 502 Bad gateway errors. These errors can occur in the following situations:
- A client tool such as Powerplay is using the IIS webserver in the Gateway URI field, and users run reports based on Powerplay cubes
- Users run large reports from IBM Cognos or an integrated tool such as IBM Cognos for Microsoft Office.
If possible, test with logging in to IBM Cognos through the dispatcher URI to run the report to ensure that this issue does not occur.
Resolving The Problem
Set the IIS Application Request Routing (ARR) timeout to a higher setting. The default is 120 seconds, at which point ARR times out the request. Test setting the timeout to 160 and restarting the IIS server.
If a server farm is being used (two or more dispatchers are configured for routing in IIS), the timeout is located in:
- IIS > Server Farm > Proxy > Timeout
- Restart IIS
If a server farm is not being used, the timeout is located in:
- IIS > Server Name (under Start Page) > ARR Cache > Server Proxy Settings > Timeout
- Restart IIS
The HTTP 502 Bad Gateway error can also be attributed to an SSL issue. If SSL is enabled in the IBM Cognos components, review
this guide
.
Related Information
Document Location
Worldwide
[{«Type»:»MASTER»,»Line of Business»:{«code»:»LOB10″,»label»:»Data and AI»},»Business Unit»:{«code»:»BU059″,»label»:»IBM Software w/o TPS»},»Product»:{«code»:»SSTSF6″,»label»:»IBM Cognos Analytics»},»ARM Category»:[{«code»:»a8m50000000Cl6dAAC»,»label»:»Installation and Configuration-u003EWeb Server»}],»ARM Case Number»:»»,»Platform»:[{«code»:»PF033″,»label»:»Windows»}],»Version»:»All Versions»}]