Loading source
Pulling the file list, source metadata, and syntax-aware rendering for this listing.
Source from repo
Debug and troubleshoot Azure Container Apps and Function Apps using logs, KQL, and health checks.
Files
Skill
Size
Entrypoint
Format
Open file
Syntax-highlighted preview of this file as included in the skill package.
references/app-service/README.md
1# App Service Troubleshooting2## Common Issues Matrix4| Symptom | Likely Cause | Action |6|---------|--------------|-----------|7| High CPU / memory | Runaway process, inefficient code | Use Process Explorer via Kudu, scale up |8| Deployment failure | Build error, locked files, quota | Check Kudu logs at `https://APP.scm.azurewebsites.net/api/deployments` to look for details on build errors, locked files or lack of storage quota |9| App crash / restart | Unhandled exception, OOM kill | Review Event Log and STDERR in Diagnose & Solve |10| Slow responses | Downstream dependency, no caching | Enable request tracing, check dependency calls |11| 502 / 503 errors | App not starting, port conflict | Check STDERR logs, verify startup command |12| TLS / domain errors | Certificate expired, DNS mismatch | `az webapp config ssl list`, verify CNAME |13| Health check failure | Endpoint not returning 200 | Verify health check path responds within 2 min |14---16## High CPU / Memory Diagnosis18**Diagnose:**20```bash21# Check app metrics22az monitor metrics list --resource APP_RESOURCE_ID \23--metric "CpuPercentage,MemoryPercentage" --interval PT1M --output table24# View running processes via ARM Processes API (Entra ID auth)26az rest --method get \27--uri "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<app-name>/processes?api-version=2024-04-01"28```29**Fix:** Scale up (`az appservice plan update -n <app-service-plan-name> -g <resource-group> --sku P1V3`) or profile the app via Kudu Process Explorer at `https://APP.scm.azurewebsites.net/ProcessExplorer/` to identify hot paths.31---33## Deployment Failure Analysis35**Diagnose:**37```bash38# List deployment history39az webapp deployment list -n APP -g RG --output table40# View deployment log for a specific deployment42az webapp log deployment show -n APP -g RG --deployment-id DEPLOY_ID43# Stream build logs from Kudu45az webapp log tail -n APP -g RG46```47**KQL โ Failed deployments:**49```kql50// Replace <app-service-resource-id> with the full resource ID, for example:51// /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<app-name>52AppServicePlatformLogs53| where TimeGenerated > ago(24h)54| where Level == "Error" and _ResourceId == "<app-service-resource-id>"55| project TimeGenerated, Level, Message56| order by TimeGenerated desc57```58**Common deployment failures:**60| Error Message | Cause | Fix |62|---------------|-------|-----|63| `WEBSITE_RUN_FROM_PACKAGE=1` but no package | Missing zip deploy artifact | Redeploy with `az webapp deploy --src-path app.zip` |64| `Error building on server` | Oryx build failure | Check build logs, pin runtime version |65| `Locked file` during deploy | Files in use | Set an environment variable named `MSDEPLOY_RENAME_LOCKED_FILES=1` on the App Service resource to enable MSDeploy to rename locked files. |66---68## Application Crash / Restart Diagnosis70**Diagnose:**72```bash73# Check recent restarts via activity log74az monitor activity-log list -g RG --resource-id APP_RESOURCE_ID \75--max-events 10 --query "[?operationName.value=='Microsoft.Web/sites/restart/action']"76# View STDERR/STDOUT (Linux)78az webapp log download -n APP -g RG --log-file logs.zip79```80**KQL โ App crashes and errors:**82```kql83AppServiceConsoleLogs84| where TimeGenerated > ago(1h)85| where ResultDescription contains "error" or ResultDescription contains "fatal"86| project TimeGenerated, ResultDescription87| order by TimeGenerated desc88| take 5089```90**Health check failures:**92```bash93# Show health check config94az webapp show -n APP -g RG --query "siteConfig.healthCheckPath"95# Test the endpoint directly97curl -s -o /dev/null -w "%{http_code}" https://APP.azurewebsites.net/health98```99> โ ๏ธ **Warning:** If the health check fails on >50% of instances for 1 hour, the instance is replaced.101---103## Slow Response Time Investigation105**Diagnose:**107```bash108# Check average response time109az monitor metrics list --resource APP_RESOURCE_ID \110--metric "HttpResponseTime" --interval PT5M --aggregation Average --output table111# Enable failed request tracing113az webapp log config -n APP -g RG --failed-request-tracing true114```115**KQL โ Slow requests with dependency analysis:**117```kql118AppServiceHTTPLogs119| where TimeGenerated > ago(1h)120| where TimeTaken > 5000121| project TimeGenerated, CsUriStem, ScStatus, TimeTaken, CsHost122| order by TimeTaken desc123| take 20124```125**Auto-Heal โ Automatic mitigation:**127```bash128# Configure auto-heal to recycle on slow requests129az webapp config set -n APP -g RG \130--auto-heal-enabled true \131--generic-configurations '{"autoHealRules":{"triggers":{"slowRequests":{"timeTaken":"00:00:30","count":10,"timeInterval":"00:02:00"}},"actions":{"actionType":"Recycle"}}}'132```133---135## Custom Domain / TLS Certificate Issues137**Diagnose:**139```bash140# List custom domains141az webapp config hostname list -g RG --webapp-name APP --output table142# List TLS certificates144az webapp config ssl list -g RG --output table145# Check SSL binding147az webapp config ssl show --certificate-name CERT -g RG148```149| Symptom | Cause | Fix |151|---------|-------|-----|152| `ERR_CERT_DATE_INVALID` | Certificate expired | If certificate came from an external certificate authority, renew with `az webapp config ssl upload` and upload a new certificate or enable managed certificates to allow Azure to provide a free TLS/SSL certificate |153| `DNS_PROBE_FINISHED_NXDOMAIN` | CNAME not configured | Add CNAME record pointing to `APP.azurewebsites.net` |154| `SSL binding not found` | Missing SNI binding | Add the missing SNI binding using `az webapp config ssl bind --certificate-thumbprint THUMB --ssl-type SNI -n APP -g RG` |155| Managed cert pending | DNS validation incomplete | Verify TXT record `asuid.DOMAIN` matches custom domain verification ID |156---158## AZ CLI or MCP Tools for App Service Diagnostics160| Tool | Command | Use When |162|----------|---------|----------|163| `Azure CLI` | `az webapp list` | List all web apps in subscription |164| `Azure CLI` | `az webapp show -n APP -g RG` | Get app config, stack, status |165| `Azure CLI` | `az webapp config appsettings list -n APP -g RG` | Check env vars and connection strings |166| `Azure CLI` | `az webapp deployment slot list -n APP -g RG` | Compare slot configurations |167| `mcp_azure_mcp_appservice` | `appservice_webapp_diagnostic_diagnose` | AI-powered root cause analysis |168| `mcp_azure_mcp_monitor` | `monitor_resource_log_query` | Run KQL against Log Analytics |169| `mcp_azure_mcp_resourcehealth` | `get` | Check platform-level health status |170> ๐ก **Tip:** Start with `mcp_azure_mcp_appservice` (`diagnose`) โ it automatically runs relevant detectors and surfaces the most likely root cause before you dig into logs manually.172---174## Combined Diagnostic Script176```bash178echo "=== App Service Diagnostics ===" && \179echo "App Config:" && az webapp show -n APP -g RG --query "{state:state, runtime:siteConfig.linuxFxVersion, healthCheck:siteConfig.healthCheckPath, alwaysOn:siteConfig.alwaysOn}" -o table && \180echo "Recent Deployments:" && az webapp deployment list -n APP -g RG --query "[:3].{id:id, status:status, time:end_time}" -o table && \181echo "App Settings:" && az webapp config appsettings list -n APP -g RG --query "[].name" -o tsv && \182echo "Custom Domains:" && az webapp config hostname list -g RG --webapp-name APP -o table183```184