
Sharepoint on GCP: upstream connect error or disconnect/reset before headers. reset

Hi,

We have set up a SharePoint farm on Compute Engine, and the Regional Application Load Balancer is configured with an SSL certificate on the load balancer. The same certificate is loaded on the IIS servers on the SharePoint frontend servers as well.

We are getting the error below very often when we access the application from the browser. Also, during our JMeter testing, we get the error below 50% of the time.

upstream connect error or disconnect/reset before headers. reset reason: remote connection failure, transport failure reason: TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end:TLS_error_end

The architecture of the application is attached here. Is it caused by SSL terminating at the load balancer level and then the load balancer trying to initiate another SSL connection to the SharePoint frontend servers?

Where do I troubleshoot load balancer logs?

Attachment: sharepoint_farm.png

1 ACCEPTED SOLUTION

AndrewB
Community Manager

The root cause of the problem is that the load balancer terminates SSL, and then attempts to re-establish a new SSL connection to the SharePoint servers. This double SSL handshake is causing issues.

Here's why this can happen:

  1. SSL Termination at Load Balancer: When the load balancer terminates SSL, it decrypts the traffic from the browser and re-encrypts it before forwarding it to the backend servers.

  2. New SSL Connection: The load balancer then attempts to establish a new SSL connection to the SharePoint servers. This is where the issue arises.

  3. Mismatched TLS Versions: The load balancer might be trying to use a TLS version that the SharePoint servers don't support, or vice versa. This results in the "WRONG_VERSION_NUMBER" error.

To avoid this double SSL handshake, consider configuring the load balancer to pass-through SSL traffic to the SharePoint servers. This means that the load balancer will not terminate SSL. Instead, it will forward the encrypted traffic directly to the SharePoint servers, which will handle SSL termination.

Analyzing Load Balancer Logs:

  • Access Load Balancer Logs: In the Google Cloud Console, go to "Logging" -> "Logs Explorer."
  • Filter Logs: Use the following filters:
    • resource.type="http_load_balancer"
    • severity="ERROR"
    • Add keywords like "TLS," "SSL," or "WRONG_VERSION_NUMBER" to narrow down relevant logs.

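Added example (not part of the original thread and not Google's tooling): a Python parser for the proxy error body quoted in the question, which tallies saved JMeter response bodies by failure reason so the failure share can be measured per test run. All sample bodies except the quoted error are constructed, and decoding the numeric code as a BoringSSL-style packed value (library id in the top byte, reason id in the low 12 bits) is an assumption.

```python
import re
from collections import Counter

# Layout taken from the single error body quoted in the question.
ERR_RE = re.compile(
    r"upstream connect error or disconnect/reset before headers\. "
    r"reset reason: (?P<reset>[^,]+)"
    r"(?:, transport failure reason: (?P<transport>.*))?")
TLS_RE = re.compile(
    r"TLS_error:\|(?P<code>\d+):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^:]+):TLS_error_end")

def parse_upstream_error(body):
    """Return the parsed proxy error, or None if the body is not one."""
    m = ERR_RE.search(body.strip())
    if not m:
        return None
    out = {"reset_reason": m["reset"].strip(), "tls": None}
    t = TLS_RE.search(m["transport"] or "")
    if t:
        code = int(t["code"])
        out["tls"] = {
            "code": code, "library": t["lib"], "reason": t["reason"],
            # Assumption: BoringSSL-style packed error code.
            "lib_id": (code >> 24) & 0xFF, "reason_id": code & 0xFFF}
    return out

def summarize(bodies):
    """Count response bodies by outcome: ok, tls:<reason>, reset:<reason>."""
    counts = Counter()
    for body in bodies:
        err = parse_upstream_error(body)
        if err is None:
            counts["ok"] += 1
        elif err["tls"]:
            counts["tls:" + err["tls"]["reason"]] += 1
        else:
            counts["reset:" + err["reset_reason"]] += 1
    return counts

# Error body exactly as quoted in the question.
SAMPLE_ERROR = ("upstream connect error or disconnect/reset before headers. "
    "reset reason: remote connection failure, transport failure reason: "
    "TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:"
    "TLS_error_end:TLS_error_end")
# Constructed response bodies standing in for a saved JMeter run.
BODIES = ["<html>Home</html>", SAMPLE_ERROR, "<html>Home</html>", SAMPLE_ERROR,
    "upstream connect error or disconnect/reset before headers. "
    "reset reason: connection timeout"]

if __name__ == "__main__":
    print(parse_upstream_error(SAMPLE_ERROR))
    print(dict(summarize(BODIES)))
```

Tallying by reason separates TLS handshake failures toward the backends from other upstream resets before the load balancer logs are searched.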