ServiceNow was informed that an external network issue in China blocked in-region users from connecting to ServiceNow instances.
Based on our connectivity tests, we believe that access from China to all instances has now been restored without intervention by ServiceNow. However, please reach out to ServiceNow Customer Support if you are still experiencing region-specific connectivity issues or have concerns related to this event.
ServiceNow will continue to investigate the root cause.
Users in China cannot access the ServiceNow instances while users outside of China can access the instance without issue. When the affected users try to access the ServiceNow instance, they can see the following error messages on the browser:
"Can't connect securely to this page. This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner."
"This site can't be reached. The connection was reset"
"This page cannot be displayed"
Steps to identify and validate if impacted by the known issue
Please involve your Network Team to perform the following:
- Please have the affected locations run a ping and a traceroute to the SN Instance:
- ping instance_name.service-now.com
- traceroute instance_name.service-now.com
- The results of the above tests should look "normal" and prove that the affected location can connect to the instance from a network perspective.
- If Step 2 above is confirmed, please run the following:
- Initiate traffic towards the instance by opening the instance URL on the browser and/or running a ping and traceroute towards the instance "instance_name.service-now.com"
- While initiating that traffic run a packet capture from the locations where the TCP session originates
- This issue can be confirmed by checking for two scenarios:
- How the TCP sessions are closed. The impacted sessions will show the TCP 3-way handshake being performed normally but, after the client sends its SSL Client Hello packet, the session will be brought down via either TCP RST packet or TCP FIN packet. This means the session is being terminated from the local ISP or within the country. NOTE: Troubleshooting has found sessions being closed via TCP RSTs, do not originate from ServiceNow or the client. This suggests the connection is getting closed by a third party.
- Sessions requesting to use older ciphers, such as SSLv3, which are not allowed by ServiceNow or the larger internet community. Requests for these older ciphers originate from the local ISP or within the country.
If the steps from 1 to 4 are verified, then you are most likely impacted by the known issue.
If you are impacted by this issue described in 4a or 4b, ServiceNow recommends that you contact your in-country ISP, present the data collected, and ask they resolve the issue. If the issue is not with the ISP, please request they work with their in-country partner(s) who are implementing 4a or 4b.