IIS 10 briefly fails to load HTTPS page with TCP RST

3 replies

Last post Jul 22, 2019 09:32 AM by cloudreign

  • IIS 10 briefly fails to load HTTPS page with TCP RST

    Jul 10, 2019 09:35 AM|cloudreign|LINK

    Hi,

    I'm using IIS 10.0 on Windows Server 2016.

    A web site is published with both HTTP and HTTPS bindings; this web site is in fact the Okta IWA Desktop SSO agent.

    • The certificate used for HTTPS is an internal certificate generated with ADCS.
    • The site works as expected with both Internet Explorer 11 and Chrome 75 when browsing from a location with low latency towards the server.

    However when browsing from a location with higher latency (315 to 325ms) with Chrome and using HTTPS I briefly get an error page "This site can't be reached" and then I get the expected page.

    • When using Internet Explorer there is no issue.
    • When using Chrome with HTTP there is no issue.

    When the issue occurs the HTTP.sys logs show a ClientCancel error.

    I also captured network traffic with Wireshark while reproducing the issue and compared it to a trace from a low latency location.

    I noticed the following when the issue is occurring:

    • I see three TCP RST. One is sent by the client and two are sent by the server afterwards.
    • After the second TCP RST a HTTP_1_1_REQUIRED error is sent by the server

    Any idea on the possible cause of this behavior?

  • Re: IIS 10 briefly fails to load HTTPS page with TCP RST

    Jul 10, 2019 02:51 PM|lextm|LINK

    Please open a support case via http://support.microsoft.com and share your packet capture with them. A thorough analysis on packets might reveal what's the culprit.

    Lex Li
    https://lextudio.com
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: IIS 10 briefly fails to load HTTPS page with TCP RST

    Jul 10, 2019 03:46 PM|cloudreign|LINK

    Thanks for your answer.

    I did open a case with Microsoft and shared the capture a few hours ago.

    They are analyzing the capture; I will post the outcome of the troubleshooting here.

  • Re: IIS 10 briefly fails to load HTTPS page with TCP RST

    Jul 22, 2019 09:32 AM|cloudreign|LINK

    Hi,

    Some progress has been made on this issue.

    The Wireshark traces allowed us to identify that the issue is occurring when falling back from HTTP/2 to HTTP/1.1.

    This fallback occurs because the Okta IWA Desktop SSO web app is using Windows authentication and, as stated here in the IIS 10 documentation, HTTP/2 is not supported when using Windows authentication.

    Thus I disabled HTTP/2 on the web server by setting the following registry value and rebooting the server:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]

    "EnableHttp2Tls"=dword:00000000

    After the reboot the issue was gone.

    It is an acceptable workaround since the IIS web server is only used for the Okta IWA Desktop SSO and it prevents all clients from falling back from HTTP/2 to HTTP/1.1.

    Okta has confirmed that at the time of this writing it is a supported configuration for them.

    However it is still a workaround and the root cause of the issue has not been identified yet.

    The case is still open with Microsoft and I will update this thread if additional insight is provided.
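
The HTTP_1_1_REQUIRED error described in this thread is HTTP/2 error code 0xd (RFC 7540), carried in an RST_STREAM or GOAWAY frame. The following is an added example, not part of the original posts or of Microsoft's or Okta's tooling: it walks a decrypted server-to-client HTTP/2 byte stream and reports those frames. It assumes the bytes were exported from a capture decrypted with a TLS key log; the function names and the sample bytes are constructed for illustration.

```python
import struct

# HTTP/2 frame types and error codes (RFC 7540, sections 6 and 7)
RST_STREAM, SETTINGS, GOAWAY = 0x3, 0x4, 0x7
FRAME_NAMES = {RST_STREAM: "RST_STREAM", GOAWAY: "GOAWAY"}
ERROR_CODES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x8: "CANCEL",
               0xD: "HTTP_1_1_REQUIRED"}


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")   # 24-bit length
        ftype, flags = data[pos + 3], data[pos + 4]
        # Top bit of the stream identifier is reserved and must be masked off
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        end = pos + 9 + length
        if end > len(data):
            break  # truncated capture: stop instead of misparsing
        yield ftype, flags, stream_id, data[pos + 9:end]
        pos = end


def find_stream_errors(data):
    """Return [(frame_name, stream_id, error_name)] for RST_STREAM and GOAWAY."""
    found = []
    for ftype, _flags, stream_id, payload in iter_frames(data):
        if ftype == RST_STREAM and len(payload) == 4:
            code = struct.unpack(">I", payload)[0]
        elif ftype == GOAWAY and len(payload) >= 8:
            code = struct.unpack(">I", payload[4:8])[0]  # after last-stream-id
        else:
            continue
        found.append((FRAME_NAMES[ftype], stream_id,
                      ERROR_CODES.get(code, hex(code))))
    return found


def build_frame(ftype, flags, stream_id, payload):
    """Helper used only to construct the sample input below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


# Constructed sample: empty SETTINGS, then RST_STREAM on stream 1 with 0xd
SAMPLE = build_frame(SETTINGS, 0, 0, b"") + build_frame(RST_STREAM, 0, 1, struct.pack(">I", 0xD))

if __name__ == "__main__":
    for name, sid, err in find_stream_errors(SAMPLE):
        print(f"{name} on stream {sid}: {err}")
```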