Symptoms
Assume that you are using Microsoft SQL Server 2012, 2014 or 2016. When you back up a database to a Microsoft Azure Blob storage service URL, the operation may fail, and you receive the following error messages both on the client side and in the SQL Server error log.
SQL Server client error
Msg 3271, Level 16, State 1, Line LineNumber
A nonrecoverable I/O error occurred on file "https://<BlobStorageServerName>.blob.core.windows.net/sqlbackup/<DB_Backup_Name.bak>" Backup to URL received an exception from the remote endpoint. Exception Message: The underlying connection was closed: An unexpected error occurred on a receive.
Msg 3013, Level 16, State 1, Line LineNumber
BACKUP DATABASE is terminating abnormally.
SQL Server error log
<DateTime> ======== BackupToUrl Initiated =========
<DateTime> Inputs: Backup = True, PageBlob= True, URI = https://<BlobStorageServerName>.blob.core.windows.net/sqlbackup/<DB_Backup_Name.bak>, Acct= lbtesting2096, Key= KeyValue, FORMAT= False, Instance Name = MSSQLSERVER, DBName = <DB_Name> LogPath = C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log
<DateTime> Process Id: 3668
<DateTime> Time for Initialization = 202.7451 ms
<DateTime> BackupToUrl Client is getting configuration from SqlServr
<DateTime> Time for Handshake and VDI config = 31.2507 ms
<DateTime> Time for Get BlobRef = 15.6263 ms
<DateTime> Time for - EXCEPTION Get Fetchattributes = 45364.4979 ms
<DateTime> An exception occurred during communication with Azure Storage, exception information follows
<DateTime> Exception Info: The underlying connection was closed: An unexpected error occurred on a receive.
<DateTime> Stack: at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[T](StorageCommandBase`1 cmd, IRetryPolicy policy, OperationContext operationContext)
at BackupToUrl.Program.MainInternal(String[] args)
<DateTime> The Active queue had 1 requests until we got a clear error.
This error occurs if Transport Layer Security (TLS) protocol version 1.2 is enabled on your client server through the following registry setting.
Registry Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value 0 Name: Enabled Type: REG_DWORD Data: 0x1
Resolution
This issue is fixed in the following cumulative updates for SQL Server 2014 and 2016:
Cumulative Update 7 for SQL Server 2016 RTM
Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:
Workaround for SQL Server 2012
This issue happens if the installed .NET Framework prefers TLS 1.0 even though it supports TLS 1.2.
There is no fix available for SQL Server 2012. To work around this issue on SQL Server 2012, enable strong cryptography as follows:
- Back up the registry.
- Open Registry Editor, and navigate to the following registry subkeys: HKLM\software\Wow6432Node\Microsoft\.NETFramework\ and HKLM\software\microsoft\.NETFramework\
- Under each of these keys, there are subkeys named for the version numbers (such as v4.5, v4.5.1). Add a DWORD value named SchUseStrongCrypto with value 1 under each version subkey.
- Under HKLM\Software\Microsoft\.NetFramework, the key names do not have to be exactly 4.5 or 4.5.1. Mostly they start with v2.0XXX, v3.0XXX and v4.0XXX. Add the DWORD value named 'SchUseStrongCrypto' with value 1 for all versions available.
- Reboot the SQL Server machine.
Note: You can also try to install .NET Framework 4.8. By default, .NET Framework 4.7 and later versions are configured to use TLS 1.2 and allow connections using TLS 1.1 or TLS 1.0.
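The workaround steps above can be scripted. The following PowerShell is an added example, not part of the original article or a Microsoft-supplied script: it reports which .NET Framework version subkeys lack SchUseStrongCrypto and, with -Apply, exports both keys and then sets the value. The -Apply switch, the backup folder, and the rule for recognizing version subkeys are assumptions of this example.

```powershell
# Added example (not from the original article). Save as a .ps1 file and run
# from an elevated prompt. Without -Apply it only reports the current state.
param(
    [switch]$Apply,
    # Assumed backup folder for the exported keys; change as needed.
    [string]$BackupDir = (Join-Path $env:TEMP 'NetFxRegBackup')
)

# Both registry views named in the workaround (64-bit and Wow6432Node).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
)

foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }

    if ($Apply) {
        # Back up the key first, as the first step of the workaround requires.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $regPath = $root -replace '^HKLM:', 'HKLM'
        $backup  = Join-Path $BackupDir (($regPath -replace '\\', '_') + '.reg')
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; nothing changed." }
    }

    # Assumption: version subkeys are the ones whose name starts with "v<digit>"
    # (v2.0.x, v3.0, v4.0.x); other subkeys are left alone.
    $versions = Get-ChildItem -Path $root | Where-Object { $_.PSChildName -match '^v\d' }

    foreach ($key in $versions) {
        $value = (Get-ItemProperty -Path $key.PSPath -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        if ($value -eq 1) {
            Write-Output "OK       $($key.Name)"
        }
        elseif ($Apply) {
            New-ItemProperty -Path $key.PSPath -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
            Write-Output "SET      $($key.Name)"
        }
        else {
            Write-Output "MISSING  $($key.Name) (current value: $value)"
        }
    }
}

if ($Apply) { Write-Output 'Reboot the SQL Server machine for the change to take effect.' }
```

Running it once without -Apply gives an audit of the current state; running it again after the change and reboot should list every version subkey as OK.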
References
Learn about the terminology that Microsoft uses to describe software updates.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.