Azure Front Door error: OpenSSL SSL_connect: SSL_ERROR_SYSCALL

I have an APIM instance abstracted behind Azure Front Door (Azure Front Door classic). Recently in our consumer application we are seeing an error saying

OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to azfd-appname-p01.azurefd.net:443  

We do not have diagnostic settings enabled at Azure Front Door and I can't see any error being logged in APIM. The error is occurring only once in a while. Could Azure Front Door classic be the reason for this issue, or is there anywhere I can detect the reason without enabling the logs?

There is 1 best solution below

It is possible that the issue is related to Azure Front Door’s DDoS mitigation strategy, where Azure Front Door sends a Reset after the client hello. While RSTs can happen for various reasons, they are also sent by AFD during a DDoS attack as one part of AFD’s DDoS mitigation strategy.

  • Check if you can have retries in your application on connection reset by peer, as it can help mitigate the impact of the issue.
  • Check for firewalls or proxies that do not allow invalid SYN-ACK (sequence number) going back to your clients. Firewalls or proxies that are overly strict might interfere with the normal operation of the SSL/TLS handshake.
  • You can enable diagnostic logging for Azure Front Door to get detailed information about the error. Refer

Connect to the backend by using -servername. It should return the SNI, which needs to match with the FQDN of the backend pool:

openssl s_client -connect backendvm.contoso.com:443 -servername backendvm.contoso.com

If the issue persists with your application and network devices, raising a support request with Azure is a logical next step. The Azure Front Door team can provide more in-depth analysis and assistance in identifying and mitigating the issue.

Reference:

Troubleshoot Azure Front Door common issues | Microsoft Learn
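
The retry-on-reset suggestion from the answer, as an added example that is not part of the original answer or of any Azure tooling: it performs a verified TLS handshake with an explicit SNI, retries with exponential backoff only when the peer drops the connection, and stops immediately on a certificate or SNI mismatch. The names `tls_handshake`, `classify` and `probe_with_retry` are hypothetical, and the backoff values are assumptions.

```python
import socket
import ssl
import time

# Failures that look like the peer dropping the connection mid-handshake.
TRANSIENT = (ConnectionResetError, ConnectionAbortedError, ssl.SSLEOFError, socket.timeout)


def tls_handshake(host, port, sni, timeout=5.0):
    """Open TCP, complete a verified TLS handshake with the given SNI, return the TLS version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.version()


def classify(exc):
    """Return 'cert' (retrying will not help), 'reset' (retry) or 'other' (do not retry)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert"  # certificate does not match the SNI or is untrusted
    if isinstance(exc, TRANSIENT):
        return "reset"
    if isinstance(exc, ssl.SSLError) and exc.errno == ssl.SSL_ERROR_SYSCALL:
        return "reset"  # same condition curl reports as SSL_ERROR_SYSCALL
    return "other"


def probe_with_retry(host, port=443, sni=None, attempts=4, base_delay=0.5,
                     connect=tls_handshake, sleep=time.sleep):
    """Attempt the handshake up to `attempts` times, backing off on resets.

    Returns a list of (attempt, outcome, detail) records that the caller can log.
    """
    records = []
    for n in range(1, attempts + 1):
        try:
            records.append((n, "ok", connect(host, port, sni or host)))
            break
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            kind = classify(exc)
            records.append((n, kind, repr(exc)))
            if kind != "reset" or n == attempts:
                break
            sleep(base_delay * 2 ** (n - 1))  # 0.5s, 1s, 2s, ...
    return records
```

Logging the returned records from the consumer application gives a client-side count of how often the handshake is reset and whether a retry succeeds, which is available without Front Door diagnostic settings.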