Intermittent timeouts connecting to Salesforce from DFW region

mintotsai · September 26, 2025, 8:02pm

Hi Fly team,

My Rails app is intermittently failing to connect to Salesforce (login.salesforce.com) from Fly. The errors are:

Faraday::ConnectionFailed (Failed to open TCP connection to login.salesforce.com:443 (execution expired))
Net::OpenTimeout

What I’ve tested:

From Fly machines in DFW and ORD:
- curl -4 https://login.salesforce.com/services/oauth2/token → works reliably.
- curl -6 https://login.salesforce.com/services/oauth2/token → hangs or times out every time.
From my laptop outside Fly, both IPv4 and IPv6 succeed.
In Rails, Net::HTTP tries IPv6 first, so the failed IPv6 route results in TCP timeouts.
The app seemed to be working fine yesterday, but today both staging and production are unreliable

This is impacting both staging and production — sometimes it works, sometimes it fails

Is there a known IPv6 routing issue between Fly and Salesforce? And is there a recommended way to force IPv4 connections from Fly machines until this is resolved?

Thanks!

from my previous post on another topic: We made DNS lookups from within Machines more reliable - #9 by mintotsai

PeterCxy · September 26, 2025, 8:09pm

I’m not sure why this works for you, but it does not look like this domain has an IPv6 address associated at all?

[peter@frmwk ~]$ dig AAAA login.salesforce.com

; <<>> DiG 9.20.13 <<>> AAAA login.salesforce.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56854
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;login.salesforce.com.		IN	AAAA

;; ANSWER SECTION:
login.salesforce.com.	300	IN	CNAME	login.l2.salesforce.com.

;; AUTHORITY SECTION:
l2.salesforce.com.	600	IN	SOA	dns01.salesforce.com. hostmaster.salesforce.com. 2017112510 600 900 2592000 600

;; Query time: 56 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Sep 26 16:08:24 EDT 2025
;; MSG SIZE  rcvd: 125

[peter@frmwk ~]$ dig AAAA login.l2.salesforce.com

; <<>> DiG 9.20.13 <<>> AAAA login.l2.salesforce.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;login.l2.salesforce.com.	IN	AAAA

;; AUTHORITY SECTION:
l2.salesforce.com.	593	IN	SOA	dns01.salesforce.com. hostmaster.salesforce.com. 2017112510 600 900 2592000 600

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Sep 26 16:08:31 EDT 2025
;; MSG SIZE  rcvd: 105

So IPv6 should not work with this domain, period, and nothing should even attempt to use IPv6 with it since there’s no address to connect to. You don’t need to force IPv4 connections because there is no IPv6 to speak of.

mintotsai · September 26, 2025, 10:42pm

Thanks for the reply.

After more digging, removing “resolv-replace” in rails seems to fix the timeout issue.

system · October 3, 2025, 10:42pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.