IoT Device fails to Connect to Azure App Service API since 31/03/2025

Alexandre WAMBRE 10

Hello,

Since 31/03/2025, after a Microsoft maintenance, all my IoT Device (4G) are not able to call my Azure App Service API.

The service is up and works well when i try with postman.

Is it an issue from Azure server?

Regards,

Sampath 3,875 Points de réputation Personnel externe Microsoft Modérateur

2025-04-03T11:13:34.0633333+00:00

Hello @Alexandre WAMBRE, could you please provide more details on why the IoT devices are failing to connect to the Azure App Service? Additionally, please share what steps you have taken, the code used, and the Git link to your code.
Alexandre WAMBRE 10 Points de réputation

2025-04-03T11:40:40.6066667+00:00

The IoT device failed with "socket closed" error. We are using a Quectel module with 4G network

Other people have the same issue here :
https://stackoverflow.com/questions/79549964/iot-device-fails-to-connect-to-azure-app-service-api-after-scheduled-maintenance
DJ 50 Points de réputation

2025-04-03T15:38:31.9933333+00:00

@Sampath

It seems like there is due to a maintenance update due it has changed something to do with HTTPS and Security
Sampath 3,875 Points de réputation Personnel externe Microsoft Modérateur

2025-04-03T16:24:57.0733333+00:00

@DJ you are facing the same issue
DJ 50 Points de réputation

2025-04-03T16:43:24.2333333+00:00

@Sampath

Yes.
DJ 50 Points de réputation

2025-04-03T16:55:52.92+00:00

@Sampath

Any idea whats the cause?
Sampath 3,875 Points de réputation Personnel externe Microsoft Modérateur

2025-04-04T03:38:09.2366667+00:00

@DJ please share your Q@a question link
DJ 50 Points de réputation

2025-04-04T04:09:03.3133333+00:00

@sampth https://free.blessedness.top/en-us/answers/questions/2242806/can-not-access-api-via-device
DJ 50 Points de réputation

2025-04-04T05:22:11.8633333+00:00

Has there been any changes to security on this update @Sampath
Sampath 3,875 Points de réputation Personnel externe Microsoft Modérateur

2025-04-04T08:13:16.1666667+00:00

@DJ I see LeelaRajeshSayana connected with you, and he will update you on that case. Regarding the above case, I will connect with Alexandre WAMBRE
DJ 50 Points de réputation

2025-04-05T12:20:51.83+00:00

@Sampath

I have managed to get a work around, but i think there is a security flow in TLS1.3, that make all app service at risk, as you can bypass TLS1.3 with 1.2

I have send PM to **LeelaRajeshSayana **with more information
Sampath 3,875 Points de réputation Personnel externe Microsoft Modérateur

2025-04-07T11:01:59.39+00:00

Hello @Alexandre WAMBRE , the same issue was resolved in west Europe.

Could you please check the status history? https://azure.status.microsoft/en-us/status/history/

and Azure status overview https://free.blessedness.top/en-us/azure/service-health/azure-status-overview
DJ 50 Points de réputation

2025-04-07T11:28:12.3766667+00:00

@Sampath

Those links are producing errors. Can you please check them?

Has this issue been solved, as our device is still failing to connect?
Sampath 3,875 Points de réputation Personnel externe Microsoft Modérateur

2025-04-07T11:36:10.9+00:00

@DJ updated the link , Please try again in that west Europe . Let know the updates.
DJ 50 Points de réputation

2025-04-07T11:36:46.43+00:00

@Sampath

I have managed to correct the links you sent and open the pages. There is nothing that mentions the issue has been resolved after the 31st of March
Sampath 3,875 Points de réputation Personnel externe Microsoft Modérateur

2025-04-07T11:46:47.91+00:00

@DJ What status are you seeing? Have you tried checking with App Service in West Europe in azure portal ?
DJ 50 Points de réputation

2025-04-07T11:54:10.71+00:00

@Sampath,
The links provided do not show anything after 18th March.

My Device is still failing to connect to my API
DJ 50 Points de réputation

2025-04-07T11:56:38.8966667+00:00

@sampth Has this issue been made aware to the producer developers who are responsible?
DJ 50 Points de réputation

2025-04-08T13:48:41.84+00:00

@sampth Can some who oversees TLS operations help in this case?

12 réponses

Alexandre WAMBRE 10 Points de réputation

2025-04-07T08:50:44.82+00:00

Hi,

After a lot of tests, we managed to reach the App Service by changing two settings on the Quectel module.

We forced TLS to version 1.2 :

AT+QSSLCFG="sslversion",1,3

and set the cipher suite to "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":

AT+QSSLCFG="ciphersuite",1,0xC02F

It's like Azure was not compatible with all ciphers configured in the appService.

Strangely, a POST request was somehow transformed into a GET request.
Connectez-vous pour noter cette réponse.
DJ 50 Points de réputation

2025-04-07T09:03:48.6933333+00:00

@Alexandre WAMBRE
We can do this in our units in our office, but the devices in field are not reachable due to the security lapse.

DJ 50 Points de réputation

2025-04-07T09:14:01.7133333+00:00

@Alexandre WAMBRE

I have also seen that if you send the minimum TLS on your server to 1.3, the modem will still be able to connect to it, when using SSLVersion set to 3.

Alexandre WAMBRE 10 Points de réputation

2025-04-08T07:01:31.7966667+00:00

Minimum TLS version is set to 1.2 on our server.

according to the doc, SSL Version 3 is 1.2 on quectel module

DJ 50 Points de réputation

2025-04-08T07:21:58.7333333+00:00

@Alexandre WAMBRE

Our devices are all set to SSL version 4, enabling all TLSversion, and we are keeping minium TLS on our server to 1.0, trying to keep open all combination.

This being our core API, we are now stuck till some changes are made in the background.

We can get our device to work in the office and also by changing to HTTP, but this does not really help the device in the field.

Can anyone confirm Microsoft are looking into this issue?

CsarAubin-0431 0 Points de réputation

2025-04-10T06:33:51.8533333+00:00

We also have the same problem with IoT devices and SIMcom modem. Forcing only TLS 1.2 made the connection working again. Previously we had enabled all TLS/SSL version on the modem (SSL3, TLS1.0, TLS, 1.1 and TLS 1.2) and this modem is not compatible with TLS 1.3.

We are working with Microsoft support but so far we do not have the cause or solutions of the initial problem. Do you have any new information on your side?
Se connecter pour commenter

Utilisez des commentaires pour demander des éclaircissements, des informations supplémentaires ou des améliorations à la question.
Deleted

Cette réponse a été supprimée en raison d’une violation de notre Code de conduite. La réponse a été signalée manuellement ou identifiée via la détection automatisée avant que l’action ne soit entreprise. Pour obtenir plus d’informations, veuillez consulter notre Code de conduite.

Les commentaires ont été désactivés. En savoir plus
Alexandre WAMBRE 10 Points de réputation

2025-04-07T12:42:24.1366667+00:00

I discovered something else:
On postman, if I deactivate TLS1.3 it's working fine. But if I also add some cipher suite restriction, it's not.

This configuration works well:

but this configuration is not working:

And my app service is compatible with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Connectez-vous pour noter cette réponse.
DJ 50 Points de réputation

2025-04-07T12:50:30.1233333+00:00

@Alexandre WAMBRE

On our device, we have all the cipher suites enabled. Including TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

So is the aim to limit the device and API to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256?

DJ 50 Points de réputation

2025-04-08T04:46:42.9633333+00:00

Is it possible to deactivate TLS 1.3 from our App service for a short time?

DJ 50 Points de réputation

2025-04-08T04:50:32.9533333+00:00

Any further update to solving this on server side?
Se connecter pour commenter

Utilisez des commentaires pour demander des éclaircissements, des informations supplémentaires ou des améliorations à la question.
Alexandre WAMBRE 10 Points de réputation

2025-04-08T12:13:48.6466667+00:00

Hi,

I have run a test on ssllabs.com

The result shows that my server is compatible with TL1.2 but with an experimental server negociation (No-SNI). I beleave that my Quectel module is not compatible with No-SNI.

I also have tested the public API that works with our devices and the result shows that TLS 1.2 is supported without exprimental negociation.

Can you please remove this experimental negociation on TLS1.2 or show me where can i configure it.
Connectez-vous pour noter cette réponse.
Alexandre WAMBRE 10 Points de réputation

2025-04-08T12:17:07.04+00:00

is the problem linked to this?
https://devblogs.microsoft.com/devops/sni-mandatory-for-azdo-services/

DJ 50 Points de réputation

2025-04-08T12:35:57.68+00:00

@Alexandre WAMBRE

I have spoken to Quectel, they are also facing the same issue. They mentioned that when the TLS handshake starts, the module sends a message to the server with a list of all TLS available, but the server does not reply with a selection, so the issue results in a handshake failure.

Also, if I am correct, the article you pasted does not mention it would be applied to App Services.

DJ 50 Points de réputation

2025-04-08T12:43:12.49+00:00

@Alexandre WAMBRE

I tried calling from the device, and it seems to be working with this link. SO this is not SNI issue

https://status.dev.azure.com/
Se connecter pour commenter

Utilisez des commentaires pour demander des éclaircissements, des informations supplémentaires ou des améliorations à la question.
Alexandre WAMBRE 10 Points de réputation

2025-04-15T07:42:54.9266667+00:00

Hi,

Any news on this subject? We have made a workaround during the resolution using a reverse proxy. Please keep us informed about it.
Connectez-vous pour noter cette réponse.

0 commentaires Aucun commentaire
Se connecter pour commenter

Utilisez des commentaires pour demander des éclaircissements, des informations supplémentaires ou des améliorations à la question.

Partager via

IoT Device fails to Connect to Azure App Service API since 31/03/2025

12 réponses

Votre réponse