FortiADC
FortiADC enhances the scalability, performance, and security of your applications whether they are hosted on premises or in the cloud.
arcabah
Staff
Article Id 351069
Description


This article describes the procedure to troubleshoot 502 errors returned by a Layer 7 Virtual Server deployed on FortiADC when the cause is an illegal HTTP message header.


Scope


FortiADC.


Solution


The HTTP 502 (Bad Gateway) error code means that one server received an invalid response from another server; in this scenario it is the FortiADC Virtual Server that returns the error to the final client.

Troubleshooting steps:

  1. Gather the httpproxy debug on the FortiADC by applying the following filters:


diagnose debug module ssl-of-httproxy all set
diagnose debug module httproxy ssl_ae_info
diagnose debug module httproxy all
diagnose debug module httproxy set-filter srcip=x.x.x.x(client IP address)
diagnose debug module httproxy set-filter vsname=(VSname)
diagnose debug enable


Replace x.x.x.x with the client IP address and VSname with the name of the related Virtual Server.


  2. Perform a packet capture on the FortiADC GUI, under Network -> Packet Capture, and create three packet captures as follows:
  • IP of the final client, maximum packets 10,000, select the proper interface.
  • IP of the Virtual Server, maximum packets 10,000, select the proper interface.
  • IP of the Real Server, maximum packets 10,000, select the proper interface.


  3. Reproduce the issue by sending requests to the Virtual Server. Once the debug output and packet captures are gathered, decrypt the packet captures using the information from the httpproxy debug output, following this document: FortiADC decrypt traffic on HTTPS TCP/443
  4. Review the packet captures in a tool like Wireshark and identify the reason for the 502 error:


(Screenshot: 502-errors-004.png)


  5. In the example shown, before the 502 error is received, the FortiADC sends an RST packet to the Real Server; the reason is an illegal character found in the header name:


(Screenshot: 502-error-001.jpg)


  6. FortiADC complies with the RFC 2616 standard, where field names are case-sensitive. In this example, the header name 'Cache Control' contains a blank space and needs to be changed to 'Cache-Control' at the application layer to align with RFC 2616; otherwise, FortiADC will return the 502 error because of invalid characters in the header name.
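As an added illustration (not part of the original article or of FortiADC's own code), the check below applies the RFC 2616 token grammar for header field names to a constructed Real Server response, flagging 'Cache Control' while accepting 'Cache-Control'. It is a quick way to verify an application's response headers before they are placed behind a FortiADC Virtual Server; the sample response is constructed, not captured from a real deployment.

```python
# RFC 2616 defines a field name as a token:
#   token      = 1*<any CHAR except CTLs or separators>
#   separators = ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
# CTLs are octets 0-31 and 127; CHAR is US-ASCII (0-127).
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def _illegal_chars(name: str) -> list:
    """Return every character in name that the token grammar forbids."""
    return [c for c in name if ord(c) < 32 or ord(c) >= 127 or c in _SEPARATORS]


def is_valid_field_name(name: str) -> bool:
    """True if name is a non-empty RFC 2616 token (a legal header field name)."""
    return bool(name) and not _illegal_chars(name)


def find_illegal_headers(raw_response: bytes) -> list:
    """Parse the header block of a raw HTTP/1.1 response and return
    (header_line, reason) for each line whose field name is not a token."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")[1:]  # skip the status line
    problems = []
    for line in header_lines:
        text = line.decode("latin-1")
        name, sep, _ = text.partition(":")
        if not sep:
            problems.append((text, "missing ':' separator"))
        elif not is_valid_field_name(name):
            bad = _illegal_chars(name)
            problems.append((text, f"illegal character(s) {bad!r} in field name {name!r}"))
    return problems


# Constructed sample of a Real Server response: one header uses a space
# instead of a hyphen, which FortiADC rejects with a 502 to the client.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache Control: no-cache\r\n"
    b"Cache-Control: no-store\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for header_line, reason in find_illegal_headers(SAMPLE_RESPONSE):
        print(f"REJECT {header_line!r}: {reason}")
```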


Related document:

RFC 2616
