
Suspended apps/apppools - issue with SSL connectivity?

12 replies

Last post Jul 26, 2017 08:38 AM by Yuk Ding

  • Suspended apps/apppools - issue with SSL connectivity?

    Jul 13, 2017 07:55 AM|Webio|LINK

    Hello,

    System (Windows Server 2016 Standard) with about 1.5k websites. I've switched app pools from terminate after 30 minutes to suspend after 10 minutes. After about one day the system has about 1.1k running processes and it works fine. About 24h after switching to suspension, websites are becoming inaccessible over ... SSL (the same sites are available over a normal HTTP connection). Nothing has changed, all bindings are fine, SSL certificates are there, but no site is available over an https connection ("ERR_CONNECTION_RESET" error in browser). Httperr log files are also not showing anything special. Windows event log is also not showing anything particular. Is it possible that this number of running w3wp processes, which at least in some part were suspended, could cause this problem? Running iisreset is not helping and only a system restart helped. I've also noticed that editing website bindings using IIS Manager was freezing after saving the bindings configuration.

    Anyone experienced similar issue?

    Thanks

  • Rovastar Rovastar

    5495 Posts

    MVP

    Moderator

    Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 13, 2017 11:36 AM|Rovastar|LINK

    I don't use the suspend function in the app pool idle action. I have always terminated it.

    Maybe this is part of the overall issues.

    I am not sure how the SSL connectivity works with long timed out and suspended mode. I would expect to have to have a new SSL handshake; not sure where IIS will resume the app pool.

    If you can recreate this I would look at what happens at the packet level for this. Maybe they all do it.

    Maybe it is SSL with SNI....

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 13, 2017 11:58 AM|Webio|LINK

    I also thought about SNI but I have also sites on dedicated IPs without SNI and they also were not accessible locally and over net.

    It occurred one day after enabling suspension on server but it doesn't look like it is related but who knows. Most interesting thing is that performing iisreset is not helping.

  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 13, 2017 12:41 PM|Paul Lynch|LINK

    Hi,

    I think that to scale to the level that you describe you need to be using SNI and the Webhosting certificate store. You may have found a bug but it's more likely that you are just bending it until it breaks.

    https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability

    Regards,

    Paul Lynch
    MCSE
  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 13, 2017 01:10 PM|Rovastar|LINK

    Webio

     Running iisreset is not helping and only system restart helped. I've also noticed that editing website bindings using IIS Manager was freezing after pressing saving bindings configuration.

    That may not be directly related. This could just be a large applicationhost config file when this is saved. I imagine yours is fairly large with all those sites. How big is it?

  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 13, 2017 04:34 PM|Webio|LINK

    applicationHost.config using 6220 kB. Actually I have bigger applicationHost.config files on my other systems (not much but bigger). When it comes to certificates I don't have much of them. Personal certificate store contains 38 certificates and Web Hosting certificate store has 153 certificates. Most of them are Let's Encrypt and Rapid SSL. Most of them are used using SNI. Ones which are used on dedicated IP address are from time of Windows 2008 R2 when SNI was not available (system was upgraded 2008 R2 -> 2012 R2 -> 2016 over time).

    Do you think that I could catch issues with applicationHost.config file using ProcessMonitor with Path filtering ("applicationHost.config") enabled if this issue will return?

    IMHO this is not related to applicationHost.config because the same site was accessible over http but not accessible over https. Totally weird situation and hard to troubleshoot.

  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 14, 2017 09:02 AM|Yuk Ding|LINK

    Hi Webio,

    Have you tried to use netsh http command to monitor the ssl binding condition and add the IP address to iplisten list?

    Best Regards,

    Yuk Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
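
The check suggested in the post above can be scripted. This is an added example, not code from the thread or from Microsoft: it parses `netsh http show sslcert` output and verifies that each HTTP.sys binding's certificate is present, unexpired and has a private key. The function names and the sample text are constructed for illustration, and the field labels assume English-language netsh output.

```powershell
# Added example (not from the thread). Field labels assume English-language netsh output.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $current }              # emit the previous binding
            $current = [pscustomobject]@{
                Kind = $Matches[1]; Endpoint = $Matches[2]; Hash = $null; Store = 'MY'
            }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)\s*$') {
            $current.Hash = $Matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\w+)\s*$') {
            $current.Store = $Matches[1]            # "(null)" does not match \w+, so MY stays
        }
    }
    if ($current) { $current }                      # emit the last binding
}

function Test-SslBindingCert {
    param([Parameter(ValueFromPipeline)]$Binding)
    process {
        # Look the thumbprint up in the store the binding points at (Windows only).
        $path = "Cert:\LocalMachine\$($Binding.Store)\$($Binding.Hash)"
        $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
        $state = 'OK'
        if (-not $cert)                        { $state = 'MissingFromStore' }
        elseif ($cert.NotAfter -lt (Get-Date)) { $state = 'Expired' }
        elseif (-not $cert.HasPrivateKey)      { $state = 'NoPrivateKey' }
        [pscustomobject]@{ Endpoint = $Binding.Endpoint; Kind = $Binding.Kind
                           Store = $Binding.Store; State = $state }
    }
}

# Constructed sample output: one IP-based binding and one SNI (hostname) binding.
$sample = @'
    IP:port                      : 192.0.2.10:443
    Certificate Hash             : 00112233445566778899aabbccddeeff00112233
    Certificate Store Name       : MY

    Hostname:port                : www.example.test:443
    Certificate Hash             : ffeeddccbbaa99887766554433221100ffeeddcc
    Certificate Store Name       : WebHosting
'@ -split "`r?`n"
ConvertFrom-NetshSslCert $sample | Format-Table Kind, Endpoint, Store, Hash

# On the server itself, from an elevated prompt:
# ConvertFrom-NetshSslCert (netsh http show sslcert) | Test-SslBindingCert | Where-Object State -ne 'OK'
```

Saving the parsed output while HTTPS works and again while it fails gives two binding lists to compare with `Compare-Object`; `netsh http show iplisten` covers the listen list.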
  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 14, 2017 09:09 AM|Webio|LINK

    Nope. I'll do that next time if the issue occurs.

    iplisten list is empty so IIS is listening on all IP addresses.

  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 17, 2017 11:47 AM|Webio|LINK

    Interesting situation. IIS perfmon Current Connections for Web Service is now about 1435. Client is calling that his website is not accessible randomly on SSL. It works partially on my end but no .js or .css files are being loaded. When I check .css or .js file I'm getting "ERR_CONNECTION_RESET" in Chrome browser BUT when I try from the same browser in incognito mode .css file is being loaded correctly.

    EDIT: I was wondering if resetting application using almost half of all current connections could help, so I've restarted it, but it was not starting again. Issue is related to this one:

    https://forums.iis.net/t/1236013.aspx?Timeout+for+some+of+websites+after+they+stopped+for+any+reason+while+other+worked+just+fine+iisreset+was+only+solution+

    High volume page was loading forever and only solution was to perform iisreset. Other systems have current connections Web Service counter levels at about 800 so it looks like something wrong is going on when this number is higher above 1k level.

  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 18, 2017 05:52 AM|Webio|LINK

    Ok now I found something totally crazy. Take a look at this:

    https://www.dropbox.com/s/8rg4ll6g6d8tafa/mstsc_2017-07-18_07-43-54.png?dl=0

    I have set IIS to recycle app pools at 0:30.

    EDIT: Another interesting thing is that website which yesterday "used" about 750 current connections today is almost idle so it looks like high current connection usage has "moved" to different website and is for sure not normal since across my other www systems during day current connections usage has about 800 for whole system so there is no way that a large number of connections are "switching" from one website to another.

    EDIT2: Another thing I find odd is Current Anonymous Users counter. Before iisreset it was about 4.5 billion. Similar to level posted here: https://github.com/IdentityServer/IdentityServer3/issues/1881 . After iisreset this value for a moment was at low level but it quickly returned to 4.2 billion.

  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 18, 2017 04:48 PM|Rovastar|LINK

    You will need to look more at the traffic hitting that site to explain the rise in numbers. Counters only give you an indication of what is occurring. You will need to wade through your logs to see what is causing this.

    One thing that puzzles me though is why you have your app pool recycle time at the crazy low 30 minutes. I cannot believe that helps issues here. You will be constantly recycling app pools as you have a lot of them. What is your reason for this?

  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 18, 2017 05:35 PM|Webio|LINK

    Current scenario is set to suspend after 10 minutes with recycling all apps at 0:30 after midnight and after exactly this moment current connections started to rise as you can see on chart. This is for sure somehow related to recycling apps at 0:30 AM but why? I have no idea especially if the site which had yesterday about 800 connections had average 14 today.

  • Re: Suspended apps/apppools - issue with SSL connectivity?

    Jul 26, 2017 08:38 AM|Yuk Ding|LINK

    Hi Webio,

    Do you mean that the IIS becomes unavailable immediately when you set the terminate to suspend? What if you set the start mode to always running?

    Best Regards,

    Yuk Ding
