ARR 2016 redirect to Wrong IP address (OLD Rule) [Answered]

9 replies

Last post Dec 17, 2019 07:23 AM by Fhaddad81

  • ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 14, 2019 09:52 AM|Fhaddad81|LINK

    Hello,

    Whenever I create a new farm on ARR on Windows Server 2016 to the correct destination IP, user requests get a "502 web server received an invalid response while acting as a gateway" error. I found out the issue is that any new rule is redirected to the last rule's IP.

    EX:

    Rule X created successfully and server Farm IP is 10.10.8.2

    Rule Y created successfully and server Farm IP is 10.10.11.12

    If a user requests the website on Rule X it works as requested, but on Rule Y it does not: ARR redirects the request to the wrong IP, 10.10.8.2.

    Best Regards

  • Rovastar Rovastar

    5420 Posts

    MVP

    Moderator

    Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 14, 2019 12:22 PM|Rovastar|LINK

    This could be for a lot of reasons. There could be something wrong with your rule or your logic is incorrect.

    You should go through failed request tracing to see if the rewrite rules function as intended and if they don't match some conditions.

    https://forums.iis.net/t/1193146.aspx?Rule+not+working+as+expected+Use+Failed+Request+Tracing

    I would recreate your rewrite rules by hand and not use the wizard. Set up a new farm, select no to recreate rewrite rules, and do that yourself. This gives you greater flexibility for your farm rules and a bit more visibility and understanding of your farm's setup.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 15, 2019 06:31 AM|Fhaddad81|LINK

    Hello Rovastar

    My troubleshooting makes sense so far because I can read the wrong IP in the IIS log under the W3SVC1 folder:

    "x-arr-cache-hit=0&server-routed=10.x.x.x."

    The error code is 502 3.

  • Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 15, 2019 11:44 AM|Rovastar|LINK

    Yes you can confirm you are hitting the wrong server. I'm trying to understand why.
    Maybe you are matching the wrong information in your rule and it is going to the wrong farm.
    Maybe it is the ordering of your rules?!


  • Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 15, 2019 06:26 PM|Fhaddad81|LINK

    Hello,

    My rule is configured correctly in the ARR console and the IIS configuration file.

    I deployed failed request tracing, but my new rule is still forwarded to the one that was created before the new one.

    Any idea how to clear the cache? (I disabled cache on disk.)
  • Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 15, 2019 06:37 PM|Rovastar|LINK

    Can you post your rewrite rules here from the applicationHost.config, an example of the URL you are entering, and the desired outcome?
  • Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 16, 2019 07:34 AM|Fhaddad81|LINK

    Hello,

    As you can see in the text below, my request was evaluated twice by the same rule (the one before the last rule). The first time it failed, as it should; the second time it succeeded and was forwarded to the wrong IP, as per the IIS log text below.

    I tried to re-create them but no luck, and if I create Rule B then Rule A or vice versa the same problem occurs.

    1) Failed Request Tracing logs:

    ******************************************
    "380. CONDITIONS_EVALUATION_START LogicalGrouping="MatchAll" 07:23:59.235
    381. CONDITION_EVALUATION Input="{HTTPS}", ExpandedInput="on", MatchType="Pattern", Pattern="on", Negate="false", Succeeded="true" 07:23:59.235
    382. CONDITION_EVALUATION Input="{HTTP_HOST}", ExpandedInput="*ccepicor.***.net", MatchType="Pattern", Pattern="atlaszfce*", Negate="false", Succeeded="false" 07:23:59.235
    383. CONDITIONS_EVALUATION_END Succeeded="false" 07:23:59.235
    384. RULE_EVALUATION_END RuleName="ARR_atlaszfce.***.net_loadbalance_SSL", RequestURL="", QueryString="", StopProcessing="true", Succeeded="false" 07:23:59.235
    385. RULE_EVALUATION_START RuleName="ARR_atlaszfce.***.net_loadbalance", RequestURL="", QueryString="", PatternSyntax="Wildcard", StopProcessing="true", RelativePath="/" 07:23:59.235
    386. PATTERN_MATCH Pattern="*", Input="", Negate="false", Matched="true" 07:23:59.235
    387. REWRITE_ACTION Substitution="http://atlaszfce.***.net/{R:0}", RewriteURL="http://atlaszfce.***.net/", AppendQueryString="true", LogRewrittenURL="false" 07:23:59.235
    388. RULE_EVALUATION_END RuleName="ARR_atlaszfce.***.net_loadbalance", RequestURL="http://atlaszfce.***.net/", QueryString="", StopProcessing="true", Succeeded="true" 07:23:59.235
    389. REWRITE_DISABLED_KERNEL_CACHE Warning 07:23:59.235
    390. GENERAL_SET_REQUEST_HEADER HeaderName="X-Original-URL", HeaderValue="/", Replace="true" 07:23:59.235
    391. URL_CHANGED OldUrl="/", NewUrl="http://atlaszfce.***.net/" 07:23:59.235
    392. URL_REWRITE_END RequestURL="http://atlaszfce.***.net/" 07:23:59.235
    393. GENERAL_ENDPOINT_INFORMATION RemoteAddress="91.73.81.149", RemotePort="35024", LocalAddress="192.168.72.217", LocalPort="443" 07:23:59.235
    394. GENERAL_REQUEST_HEADERS Headers="Cache-Control: max-age=0
    Connection: close
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9,ar;q=0.8
    Host: *ccepicor.***.net
    User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Mobile Safari/537.36
    save-data: on
    upgrade-insecure-requests: 1
    sec-fetch-user: ?1
    sec-fetch-site: none
    sec-fetch-mode: navigate"
    *****************************************************
    2) IIS Log:

    2019-12-16 06:43:19 W3SVC1 ENG-DMZ-ARR 192.168.72.217 GET / X-ARR-CACHE-HIT=0&SERVER-ROUTED=10.4.146.11&X-ARR-LOG-ID=ef33d357-07a3-4c59-8c30-7e9596b2331e 443 - 91.74.79.98 HTTP/2.0 Mozilla/5.0+(Linux;+Android+9;+SM-N960F)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/79.0.3945.79+Mobile+Safari/537.36 - - *ccepicor.***.net 502 3 64 0 540 21031

    3) Web Farm from

    <webFarm name="atlaszfce.**.net" enabled="true">
        <server address="10.4.146.11" enabled="true" />
        <applicationRequestRouting>
            <protocol timeout="00:02:00">
                <cache enabled="false" />
            </protocol>
        </applicationRequestRouting>
    </webFarm>
    <webFarm name="*ccepicor.**.net" enabled="true">
        <server address="10.4.224.6" enabled="true" />
        <applicationRequestRouting>
            <protocol timeout="00:02:00">
                <cache enabled="false" />
            </protocol>
        </applicationRequestRouting>
    </webFarm>

    4) Rewrite rule

    <rule name="ARR_atlaszfce.***.net_loadbalance_SSL" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
            <add input="{HTTPS}" pattern="on" />
            <add input="{HTTP_HOST}" pattern="atlaszfce*" />
        </conditions>
        <action type="Rewrite" url="https://atlaszfce.***.net/{R:0}" />
    </rule>
    <rule name="ARR_atlaszfce.***.net_loadbalance" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <action type="Rewrite" url="http://atlaszfce.***.net/{R:0}" />
    </rule>
    <rule name="ARR_*ccepicor.***.net_loadbalance_SSL" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
            <add input="{HTTPS}" pattern="on" />
            <add input="{HTTP_Host}" pattern="*ccepicor.*" />
        </conditions>
        <action type="Rewrite" url="https://*ccepicor.***.net/{R:0}" />
    </rule>
    <rule name="ARR_*ccepicor.***.net_loadbalance" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <action type="Rewrite" url="http://*ccepicor.***.net/{R:0}" />
    </rule>
    </globalRules>
    <rewriteMaps>

  • Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 16, 2019 06:57 PM|Rovastar|LINK

    Quickly looking, it seems that your second rule is the problem. It captures any input and redirects it to the farm for http://atlaszfce.***.net/{R:0}

    This rule here:

    <rule name="ARR_atlaszfce.***.net_loadbalance" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <action type="Rewrite" url="http://atlaszfce.***.net/{R:0}" />
    </rule>

    Put a condition in there to limit it to a certain host header or something relevant to only that rule. You seem to have done a bit of it with your SSL rule above this one, but it is missing here.

    Make sure you have explicit reasons for the rules, be that a URL pattern match or, more commonly, a host header condition for each rule.

    And you can see this in your failed request trace:

    385. RULE_EVALUATION_START RuleName="ARR_atlaszfce.***.net_loadbalance", RequestURL="", QueryString="", PatternSyntax="Wildcard", StopProcessing="true", RelativePath="/" 07:23:59.235
    386. PATTERN_MATCH Pattern="*", Input="", Negate="false", Matched="true" 07:23:59.235
    387. REWRITE_ACTION Substitution="http://atlaszfce.***.net/{R:0}", RewriteURL="http://atlaszfce.***.net/", AppendQueryString="true", LogRewrittenURL="false" 07:23:59.235

    388. RULE_EVALUATION_END RuleName="ARR_atlaszfce.***.net_loadbalance", RequestURL="http://atlaszfce.***.net/", QueryString="", StopProcessing="true", Succeeded="true" 07:23:59.235

    It is succeeding on this rule. The only thing it matches is the pattern of "*" (i.e. anything), as that is the only requirement to match for this rule to be used.


    Also, looking at the rules, I expect that https:// would work all OK for you atm and this is an issue just with http:// requests to your new farm. Is that correct?

  • Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 16, 2019 07:39 PM|Rovastar|LINK

    Also, so you are aware of the logic taking place even in the rules that are "working" for requests to the atlaszfce.***.net domain going to a farm called atlaszfce.***.net

    So these 2 you have:

    <rule name="ARR_atlaszfce.***.net_loadbalance_SSL" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
            <add input="{HTTPS}" pattern="on" />
            <add input="{HTTP_HOST}" pattern="atlaszfce*" />
        </conditions>
        <action type="Rewrite" url="https://atlaszfce.***.net/{R:0}" />
    </rule>
    <rule name="ARR_atlaszfce.***.net_loadbalance" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <action type="Rewrite" url="http://atlaszfce.***.net/{R:0}" />
    </rule>

    Now, you probably don't need 2 rules here. But I am unclear what you desire.

    I imagine you want all traffic to go to the same place/farm in the same way.

    The ARR_atlaszfce.***.net_loadbalance_SSL rule says all requests (Match matching *) that are HTTPS requests AND have atlaszfce* in the domain name will go to your backend farm called atlaszfce.***.net as an https request.

    Your other rule, as we have said before, does not have any conditions and everything is sent to the new farm, but this is as an http request (not https).

    Now the ordering of the rules is equally important in URL Rewrite and ARR farms, as it will match the https request in the first rule and only http in the second.

    There are many ways to "fix" the behavior of saying I only want http traffic to the backend (offloading, it is called), or you might want everything to be super secure and have all requests make a new https request. I am not sure of your requirements.

    Personally I have a new rule in my ARR that says I want all traffic even hitting here to be https - a blanket http to https rule for all traffic, as it simplifies things later on and you don't even have to consider looking at the https flag for any farm checks (but I do have hundreds of farms on ARR), and I either want all traffic to be offloaded or not depending on the farm.

    (I use regular expressions inside of wildcard throughout too so excuse any syntax differences)

    It gets crazy complex if you want it to. I make sure explicit host headers are defined too, as that has bitten me before.

    So a host header condition matching ^abc.mysite.com for the abc farm

    and ^xyz.mysite.com for the xyz farm

    as just having "abc" in the match for the abc farm has been an issue when traffic was going to, say, a new site and farm like differentsiteabc.com and it matched the wrong rule.

    Following it through with failed request tracing helps, though, but often a mistake on the ARR that all traffic might flow through can break everything! :/

    Troubleshoot IIS in style
    https://www.leansentry.com/
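
The behaviour in the trace above and the suggested host condition, as an added example (not code from the thread or from IIS): a small Python model of ordered global rule evaluation that lists rules with no host condition, reports which rule captures a request, and adds a host condition to one rule. The host names, short rule names and helper functions are assumptions; the model handles only wildcard patterns with the {HTTPS} and {HTTP_HOST} variables, and assumes every rule has stopProcessing="true".

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample in the thread's rule order; host names are placeholders.
RULES = """<globalRules>
<rule name="atlaszfce_SSL" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" /><conditions><add input="{HTTPS}" pattern="on" />
  <add input="{HTTP_HOST}" pattern="atlaszfce*" /></conditions>
  <action type="Rewrite" url="https://atlaszfce.example.net/{R:0}" /></rule>
<rule name="atlaszfce" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <action type="Rewrite" url="http://atlaszfce.example.net/{R:0}" /></rule>
<rule name="ccepicor_SSL" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" /><conditions><add input="{HTTPS}" pattern="on" />
  <add input="{HTTP_Host}" pattern="ccepicor.*" /></conditions>
  <action type="Rewrite" url="https://ccepicor.example.net/{R:0}" /></rule>
<rule name="ccepicor" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <action type="Rewrite" url="http://ccepicor.example.net/{R:0}" /></rule>
</globalRules>"""

def wildcard(pattern, value):  # only "*" is special; match ignores case
    rx = ".*".join(map(re.escape, pattern.split("*")))
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def unscoped_rules(xml_text):
    """Rules that match every URL and have no {HTTP_HOST} condition."""
    return [r.get("name") for r in ET.fromstring(xml_text).iter("rule")
            if r.find("match").get("url") == "*" and not any(
                c.get("input").upper() == "{HTTP_HOST}" for c in r.iter("add"))]

def routed_by(xml_text, host, https, path=""):
    """First rule whose match and all conditions succeed (stopProcessing)."""
    env = {"{HTTPS}": "on" if https else "off", "{HTTP_HOST}": host}
    for r in ET.fromstring(xml_text).iter("rule"):
        if wildcard(r.find("match").get("url"), path) and all(
                wildcard(c.get("pattern"), env[c.get("input").upper()])
                for c in r.iter("add")):
            return r.get("name")

def scope_rule(xml_text, name, host_pattern):
    """Return the config with a {HTTP_HOST} condition added to one rule."""
    root = ET.fromstring(xml_text)
    rule = root.find(f"rule[@name='{name}']")
    conds = rule.find("conditions")
    if conds is None:
        conds = ET.Element("conditions")
        rule.insert(1, conds)
    ET.SubElement(conds, "add", input="{HTTP_HOST}", pattern=host_pattern)
    return ET.tostring(root, encoding="unicode")
```

With the sample as given, an HTTPS request for the second host is captured by the unconditioned `atlaszfce` rule before `ccepicor_SSL` is reached; after `scope_rule(RULES, "atlaszfce", "atlaszfce.*")` the same request falls through to `ccepicor_SSL`.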
  • Re: ARR 2016 redirect to Wrong IP address (OLD Rule)

    Dec 17, 2019 07:23 AM|Fhaddad81|LINK

    Thanks. Your quick look drew my attention to what I missed during configuration. This is not our first rule, but recently we blocked access to any website over http (only https is allowed), so by mistake I kept the http rules as default, which is "*" as you said.

    I deleted the http rules for both websites and it's working fine.

    Thank you again.

    Best regards