Common Load Balancer Errors

• lbStatusCode: "502"

• backendStatusCode: "502"

• The client fails with a 502 Bad Gateway error.

• The backend health check succeeds.

• The backend returns a 502 error.

• An application on the backend is returning a 502 error.

• The backend is configured incorrectly.

• The backend is likely another reverse proxy or load balancer.

• lbStatusCode: "502"

• backendStatusCode: ""

• No healthy backends available in associated backend set

• The client fails with a 502 Bad Gateway error.

• The backend health check fails.

• No traffic observed to a specific backend or all backends.

• A backend application is not responding to the health check with the expected response.

• If no error occurs from the backend, then a TCP health check is configured.

• A single backend or all backends are configured in drain mode.

• Determine why TCP health check is failing.

• Convert to HTTP health check.

• Change the drain mode to false (undrain) for a given backend or all backends.

Persistence selected backend ip_address which failed and no_fallback is selected

• The client fails with a 502 Bad Gateway error.

• Session persistence is failing.

• Backend set is configured with session persistence and the expected backend is not available because the connection failed or timed out.

• Fallback option is disabled.

• Determine why backend application is not reachable.

• Enable fallback option in case the selected server is unavailable.

• lbStatusCode: "400"

• backendStatusCode: ""

• 400 bad request header or cookie too large

• The load balancer returns a status code 400.

• The backend does not return a status code.

• lbStatusCode: "404"

• backendStatusCode: "404"

• The load balancer returns a 404 status code.

• The backend returns a 404 status code.

• Create the missing page.

• Configure the client to call the correct page.

• lbStatusCode: "403"

• backendStatusCode: "403"

• The load balancer returns a 403 status code.

• The backend returns a 403 status code.

• Expected page does not have sufficient permission on the backend.

• Expected authentication token is missing or not being forwarded.

No healthy backends available in associated backendSet

• No backends in the backend set.

• No backends responding to health check.

• Determine why backends aren't responding to health check.

• Check and adjust any health check settings, including status code, regular expressions, interval timeout, port, and protocol.

Status code mismatch

• The backend fails the health check.

• The client fails with a 502 Bad Gateway error.

• invalid statusCode appears in the error logs.

• The backend is responding with an incorrect response code.

• The backend health check fails because of response code mismatch.

• The health check failures are because of an unexpected status code in the regular expression body.

• Determine why the backend is sending the incorrect response code.

• Adjust the path or status code of the health check to match the backend.

"response match result: failed"

• The backend fails the health check.

• The client fails with a 502 Bad Gateway error.

• "response match result: failed" appears in the error logs.

• Determine why the backend is sending the incorrect body.

• Adjust the path or regular expression pattern of the health check to match the backend.

"errno":"EHOSTUNREACH","syscall":"connect"

"ECONNREFUSED","errno":"ECONNREFUSED"

• The backend fails the health check.

• The client fails with a 502 Bad Gateway error.

• "EHOSTUNREACH" appears in error logs.

• The backend health check fails because of an unreachable host.

• The backend health check fails because of a connection reset.

• An application or firewall is actively refusing the connection.

• Check the local instance firewall to confirm that traffic is being allowed.

• Check the local instance to confirm that the application is running.

• Check the network security group and security lists to confirm that traffic is allowed.

"healthStatus":"Unhealthy to Healthy"

"healthStatus":"Healthy to Unhealthy"

• The client behaves as expected but fails periodically.

• The backend switches between passing and failing the health check.

• "Unhealthy to Healthy" or "Healthy to Unhealthy" appears in error logs.

• An unhealthy backend becomes healthy.

• If the health status of the backend changes often, it can indicate a chronic problem.

• Ensure that the instance is not changing health status abnormally.

• Check application logs on the backend server for any application-specific issues.

"msg":"connect timed out","elapsed":3000}

• The client fails with a 502 Bad Gateway error.

• The backend is periodically or chronically failing health checks.

• "connect timed out" appears in the error logs.

• The backend server is not responding to health checks in the expected time period.

• Slow upstream dependency including, database, application service or API, or slow storage services, such as Oracle Cloud Infrastructure File Storage service, Elastic Block Store, or Object Storage.

• Perform a local test to the backend to eliminate the load balancer as a cause.

• Check the performance of all upstream dependencies.

• Check application logs on the backend server for any dependencies reporting any sort of timeout.

Not all SSL virtual listeners on port 443 have the same set of SSL protocols defined

(SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshake error

• Confirm that the backend certificate matches the certificate authority that is provided.

• Ensure that all certificates in the chain are provided in the correct order in the Certificate field.

• Ensure that you provide the correct certificate depth.

Peer backend_ip_address closed connection in SSL handshake

• The client fails with a 502 Bad Gateway error.

• The client experiences SSL handshake failures in Oracle Cloud Infrastructure metrics (see Load Balancer Metrics).

• The backend is not configured to accept SSL.

• The backend certificate is invalid.

• Confirm that the backend certificate matches the certificate authority that is provided.

• Ensure that all certificates in the chain are provided in the correct order in the Certificate field.

• Ensure that you provide the correct certificate depth.

• The client certificate is invalid.

• The client certificate is not trusted.

• Invalid peer certification verify depth.

• Ensure that the client certificate is valid.

• Remove Peer Cert Verify feature on the listener.

Client backend_ip_address sent no required SSL certificate

• The client experiences a 400 Response error.

• no required SSL certificate appears in error logs.

• Update the client to send the correct client certificate.

• Remove Peer Cert Verify feature on the listener.

• Adjust the certificate verification depth.

"code":"EPROTO","errno":"EPROTO"

SSL host name verification failed for host_name

• The client fails with a 502 Bad Gateway error.

• Error message contains SSL host name verification failed.

• Configure client to use the expected host name.

• Configure certificate to match the host name sent by the client.

• The client fails with a 502 Bad Gateway error.

• The backend doesn't pass health check.

• forbidden by HTTP ACL rule appears in the error log.

• The client fails with a 502 Bad Gateway error.

• The client experiences SSL handshake failures in Oracle Cloud Infrastructure metrics (see Load Balancer Metrics).

• Configure client timeout to match expected application configuration.

• Determine why the backend server didn't respond in the configured amount of time.

• The client fails with a 502 Bad Gateway error.

• The client reports IO error in load balancer metrics.

• The backend server set uses HTTPS and the cipher suites or TLS versions aren't compatible.