We are using Istio TLS Origination with MUTUAL TLS to authenticate to an external Service (an API Gateway). We have the following configuration:
- A ServiceEntry iwth MESH_EXTERNAL for the API Gateway port 443
- A DestinationRule with portSettings on 443, configuring tls mode as MUTUAL, providing the client private key and cert (we are not validating the server at this time) for the TLS MUTUAL Origination
- A Virtual Service that gets connections to the API Gateway Path on port 80 and redirect it to port 443, using the DestinationRule subset.
Everything works fine. But if we have no requests to that external service in 10 minutes, the next request raises a 403 Forbidden from the API Gateway Service. We’ve made a bot that keeps sending requests without interruption and we never get this 403.
It seems the service keeps some kind of state for the connection and we’re suspecting the envoy tries to reuse the connection (if e restart the istio-proxy it starts to work again).
Is there a way to force Istio/Envoy to always open a new connection and perform the handshake again, without any state information? Do you guys see a way to troubleshoot this? We’ve enabled access logs and got Istio Flags, but nothing helpful came from this.
Thanks a lot!