Ingress gateway pods take ages to forward traffic after upgrading to v1.1.x



Just curious if anyone else has experienced this as well.

I was upgrading Istio from 1.0.6 to 1.1.6 following the instructions here.

The upgrade was pretty smooth, but once the ingressgateway pods got rotated, ingress traffic now takes more than 10 seconds to get a response from the cluster, and it seems like it gets stuck on the ingressgateway pods for most of the time (regardless of whether it’s TLS or not).

This is what it looks like when I curl it:

❯ curl -v
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

I’ve tried tweaking the values on Helm with no success, and looking at the logs for each component is not very helpful since I’m unclear what anomalies I should be searching for.

I’ve tried downgrading Istio back to 1.0.x, and the response time from the cluster goes back to normal, so I can confirm that something is going on in 1.1.x, but I don’t know how to track it down.
It’d be great if someone could point me in the right direction.



Issue created here.

It would be great to get some other input if someone else has also encountered this.