Signs and Symptoms:
- Your website is behind CloudGuard's cloud protection, but instead of the site content a Gateway Timeout error is received.
- Your website is behind CloudGuard's cloud protection, but the displayed content is old, the word STALE appears in the CG-Cache-Status header, and this does not change after refreshing or waiting.
Recommended quick solution:
- Verify the connection between your web server (origin) and CloudGuard. The link between the two data centers may be disrupted.
- Check your firewall and IPS equipment. Trust the CloudGuard address range and refrain from applying any protection to it, particularly anti-DDoS measures or connection limits.
- Check your equipment's logs and firewall settings to confirm that CloudGuard addresses are not blocked.
The root cause of the problem:
In short, the problem is that CloudGuard's CDN server cannot retrieve content from the origin server and times out. Several factors may contribute to this:
- The most common cause is a security device, typically located in the client's origin data center, that classifies the connection as unusual and blocks it.
- Security equipment such as firewalls and UTMs is equipped with features to counter DoS and DDoS attacks, which may result in blocking a high number of requests from the same address.
- The problem arises because, once your site is behind the CDN, all user requests that previously reached the origin server from their individual IP addresses now converge and reach the origin server from a single IP address (the CDN address). The origin's equipment detects this concentration of connections from one IP as unusual and proceeds to block them.
- In another scenario, a WAF, IPS, or similar intelligent system in the customer's origin data center detects the signature of an attack within the incoming traffic. Because these mechanisms are typically keyed to the source IP of the attack, upon identifying one they block the entire IP. This blocks the CDN address and takes the website down completely.
- To resolve this, read the logs of the equipment involved (firewalls, WAF, IPS), check their settings, especially those related to CloudGuard, and trust the CloudGuard addresses.
- Incorrect connection settings with the origin server:
- Specify the correct port (80 or 443) for the connection between the CloudGuard CDN server and your origin server.
- If your origin server responds only to HTTP (port 80) or only to HTTPS (port 443) requests, this setting in the CloudGuard panel may be configured incorrectly.
- In the CloudGuard panel, in the HTTPS section, this setting can be configured in three modes: HTTP, HTTPS, or Both (automatic).
- This incident may also be caused by communication issues between the CDN data centers and the origin server.
- While such cases are infrequent, it is advisable to check for them.
- To check this, you can ping CloudGuard addresses from your data center.
- If the changes in your data center are significant and require further checks, it is advisable to open a ticket with CloudGuard for a thorough review.
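The following triage helper is an added example, not CloudGuard's own tooling: it classifies what the edge returned (a Gateway Timeout or a STALE CG-Cache-Status header, as described above) and probes the origin on ports 80 and 443 to tell you which HTTPS-section mode (HTTP, HTTPS, or Both) matches what the origin actually answers on. The origin hostname and the `connect` hook are assumptions so the port check can be swapped out for offline use.

```python
"""Triage helper for 'Gateway Timeout' / STALE content behind a CDN (added example)."""
import socket
from typing import Callable, Dict, Iterable


def classify_edge_response(status: int, headers: Dict[str, str]) -> str:
    """Map the edge's reply to the symptom on the page (header names compared case-insensitively)."""
    cache_state = {k.lower(): v for k, v in headers.items()}.get("cg-cache-status", "").upper()
    if status == 504:
        return "origin-unreachable: edge timed out fetching from origin"
    if cache_state == "STALE":
        return "origin-unreachable: edge is serving stale cache"
    if 200 <= status < 400:
        return "ok"
    return f"other: HTTP {status}"


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP reachability check from this data center to the origin."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_origin_ports(host: str, ports: Iterable[int] = (80, 443),
                       connect: Callable[[str, int], bool] = tcp_connect) -> Dict[int, bool]:
    """Which of the candidate origin ports accept a connection."""
    return {p: connect(host, p) for p in ports}


def recommend_origin_mode(port_results: Dict[int, bool]) -> str:
    """Panel mode (HTTP / HTTPS / Both) that matches what the origin really answers on."""
    http_ok, https_ok = port_results.get(80, False), port_results.get(443, False)
    if http_ok and https_ok:
        return "Both (automatic)"
    if https_ok:
        return "HTTPS"
    if http_ok:
        return "HTTP"
    return "none reachable: check firewall/IPS allow-list for CDN addresses and the origin link"


if __name__ == "__main__":
    # Constructed sample: the edge returned 200 but stale content.
    print(classify_edge_response(200, {"CG-Cache-Status": "STALE"}))
    # "origin.example" is a placeholder hostname; replace with your origin.
    print(recommend_origin_mode(probe_origin_ports("origin.example")))
```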