
Why does System.CalloutException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 503 Service Unavailable" occur?

When we make an authenticated web service callout from Salesforce, the call sometimes fails with this error: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 503 Service Unavailable". The error usually occurs when the firewall at the external system blocks the calls made from Salesforce, so the request never reaches the web service hosted on the external server and no response comes back.

Below are a few of the reasons that could cause this issue.

  • Check whether your firewall is configured to allow traffic from Salesforce. Whitelist the Salesforce IP ranges in your firewall. See the Salesforce document on whitelisting Salesforce IPs.

  • Could be a certificate issue.
    • The certificate might have expired.
    • The certificate chain should be valid, in the correct order, and trusted by Salesforce. The order should be: server certificate --> intermediate certificate that signed the server's certificate --> next intermediate certificate, and so on up to the one before the root certificate. The root certificate should be one trusted by Salesforce. To review the current list of supported CA certificates, append /cacerts.jsp to any instance URL: https://INSTANCE.salesforce.com/cacerts.jsp

      We can check for certificate issues using an SSL checker or OpenSSL tools. With OpenSSL installed, run the following command to test your server, replacing www.google.com:443 with your server's hostname and port. This command shows all the certificates returned during the SSL handshake.

                    openssl s_client -connect www.google.com:443 -showcerts

    • If you are using two-way SSL, Salesforce can present either a self-signed or a CA-signed certificate during the call. Make sure this certificate is attached to the callout and installed on the external server.

  • Incorrect DNS configuration. One such scenario was a DNS server returning an NXDOMAIN response for AAAA queries, instead of NODATA, even though the domain had an A record.
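
The NXDOMAIN versus NODATA case in the last item comes down to two header fields of the DNS reply (RCODE and ANCOUNT). The Python sketch below is an added example, not code from the original article; it classifies raw replies and flags the mismatch. The hostname api.example.com, the address 192.0.2.10 and the sample replies are constructed for illustration.

```python
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28}

def build_query(name, qtype, txid=0x1234):
    """Build a recursive DNS query for one name and record type."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + qname + struct.pack("!2H", QTYPES[qtype], 1)  # class IN

def classify(response):
    """Classify a raw reply by RCODE and ANCOUNT (CNAME-only replies count as ANSWER)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"  # claims the name does not exist for ANY record type
    if rcode != 0:
        return f"ERROR({rcode})"
    return "ANSWER" if ancount else "NODATA"  # NODATA: name exists, no such type

def diagnose(a_reply, aaaa_reply):
    """Compare the A and AAAA replies for one name and flag the mismatch."""
    a, aaaa = classify(a_reply), classify(aaaa_reply)
    if a == "ANSWER" and aaaa == "NXDOMAIN":
        return "BROKEN: AAAA is NXDOMAIN although an A record exists"
    return f"consistent: A={a}, AAAA={aaaa}"

def query(server, name, qtype, timeout=3.0):
    """Send one UDP query to `server` on port 53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        return sock.recvfrom(4096)[0]

def sample_reply(qtype, rcode, answer=b""):
    """Constructed reply for api.example.com (QR, RD, RA set), for offline use."""
    question = build_query("api.example.com", qtype)[12:]
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 1 if answer else 0, 0, 0)
    return header + question + answer

# Constructed A record: name pointer, type A, class IN, TTL 300, 192.0.2.10
A_RECORD = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])

if __name__ == "__main__":
    print(diagnose(sample_reply("A", 0, A_RECORD), sample_reply("AAAA", 3)))
```

For a live check, pass query(server, host, "A") and query(server, host, "AAAA") to diagnose(), using a name server that answers for your domain as server.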


Let me know if you know any other reasons which can cause the issue. Thank you for your time in checking this article.

Cheers :)
