
I have a simple health check system that sends a simple HTTP GET request to an internal URL, which is an MVC web app that requires authentication. For example, if you send a GET request to https://{{IPAddress}}/MyMvcApp, the app would redirect you to https://{{LB Host}}/MyMvcAppAuth.

    using System;
    using System.Net;
    using System.Net.Security;

    private static void UsingHttpGetRequest(string uri, Action<HttpWebResponse> action)
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);
        request.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;

        // Accepts any server certificate; this setting applies to the whole process.
        ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(
            delegate { return true; });

        Log("Sending the HTTP Get request...");
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        {
            Log($"Got a response! Status: {response.StatusCode}");
        }
    }

I have two servers in my farm. When this code runs on one of the servers, it works fine, but the other one has this problem:

Exception: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags) at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)

  • I have compared IIS configuration settings between the servers and found no significant difference.
  • I have compared the registry keys and discovered that both servers don't have the registry key "SchUseStrongCrypto", but TLS 1.2 is definitely enabled on both servers.
  • Verified that both have .NET v4.0.30319 installed.

The more I think about this, the more I reach the conclusion that the F5 load balancer is rejecting the 302 redirect from a request that was originated in one of the servers in the farm. What do you guys think? Potential firewall/misconfiguration issue on the load balancer that rejects these requests?

Have you tried turning on TLS 1.2 on the remote server? Do you have access to it? – Andy

@Andy Yes. I know for a fact that TLS 1.2 is enabled on my servers because when I send the same HTTP request to an MVC app that doesn't do a 302 redirect, it works just fine. I also verified that TLS 1.2 is enabled in the registry. – Vin Shahrdar

This turned out to be a DNS issue. Some of the server hosts in the files were not included in the hosts file of the load balancer. Finally fixed!
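
A hop-by-hop probe for this kind of failure, added here as an example and not part of the original post: it turns off automatic redirects so the 302 and the follow-up request are logged separately, and prints what each host resolves to from the server running it. The class name `RedirectProbe` and its console output are assumptions; running it on both farm servers and comparing the output shows which hop is reset, though the load balancer's own hosts file is not visible from the client.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

static class RedirectProbe
{
    // Follows redirects one hop at a time so a failure can be pinned to a specific hop.
    public static void Trace(string uri, int maxHops = 5)
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var current = new Uri(uri);
        for (int hop = 1; hop <= maxHops; hop++)
        {
            try
            {
                // Name resolution as seen from this server (DNS plus the local hosts file).
                Console.WriteLine($"hop {hop}: {current.Host} resolves to {string.Join<IPAddress>(", ", Dns.GetHostAddresses(current.Host))}");
            }
            catch (SocketException ex)
            {
                Console.WriteLine($"hop {hop}: cannot resolve {current.Host}: {ex.SocketErrorCode}");
                return;
            }
            var request = (HttpWebRequest)WebRequest.Create(current);
            request.AllowAutoRedirect = false; // inspect each 3xx response ourselves
            try
            {
                using (var response = (HttpWebResponse)request.GetResponse())
                {
                    int code = (int)response.StatusCode;
                    string location = response.Headers[HttpResponseHeader.Location];
                    Console.WriteLine($"hop {hop}: {current} returned {code}, Location: {location ?? "(none)"}");
                    if (code < 300 || code > 399 || location == null) return;
                    current = new Uri(current, location); // Location may be relative
                }
            }
            catch (WebException ex)
            {
                // Certificate validation is left at its default, so an untrusted or mismatched
                // certificate is reported as TrustFailure rather than silently accepted.
                Console.WriteLine($"hop {hop}: {current} failed with {ex.Status}: {ex.Message}");
                return;
            }
        }
    }

    static void Main(string[] args) { if (args.Length == 1) Trace(args[0]); else Console.Error.WriteLine("usage: RedirectProbe <url>"); }
}
```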