'The specified URL cannot be found' - it can, but your Barracuda WAF doesn't want it to be
If you're seeing the following symptoms:
- Your're seeing customers saying they're getting 'stuck' at a certain point in your application
- There's nothing in your IIS (or web server of choice) to indicate that the request you expect to see is occuring
- There's nothing in your application logging
- The request in question involves JSON being sent to the server
Your application could be having a request blocked by a Barracuda Web Application Firewall (WAF) because one of the values in the JSON being passed to the server is too long. In the reproduction case you'll see a JSON response that looks like this:
HTTP/1.1 404 Not Found Connection: Close Content-Type: application/json { "Log-Id" : "16939ddf3bf-ab5df29b", "Request Time" : "2019-03-01 15:27:21 GMT", "Error" : "The specified URL cannot be found " }
This is because by default the length of a JSON value is limited by the Barracuda WAF (I think it's to around 1,000 bytes - though this may not be the default configuration) and one of the values you're sending exceeds this length. Note: It's not the entire size of the JSON payload, just the size of one of the values. This is partially documented here, as it states the error message The specified URL cannot be found is generated by the WAF. You can confirm that this was the cause by reviewing the logs using the provided Log-Id value.
The solution, if the length of the data is valid, is to create a custom JSON profile that allows longer values for that specific key.
In our case this was caused by Iovation Blackbox Device profiling which, specifically in Internet Explorer, seemed to be generating much longer values than for other browsers which was resulting in the requests being dropped.