Upstream connect error or disconnect/reset before headers

omerfsen · September 3, 2020, 6:55pm

Hi,

I am using AWS EKS 1.17 and ISTIO 1.6.5 (I also verified same error with istio 1.6.8). I also got same error with KIND cluster on my laptop ( Kubernetes 1.17 )

So after deployment my service works fine and after some time i get

upstream connect error or disconnect/reset before headers

errors. What I have realized that from a working state to non-working state (also vice versa ) I get this log lines:

2020-09-03T16:37:47.226983Z     warning envoy config    [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:92] StreamAggregatedResources gRPC config stream closed: 13,
2020-09-03T16:37:47.289783Z     warning envoy filter    [src/envoy/http/authn/http_filter_factory.cc:83] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2020-09-03T16:37:47.291518Z     warning envoy filter    [src/envoy/http/authn/http_filter_factory.cc:83] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2020-09-03T16:37:47.298553Z     warning envoy filter    [src/envoy/http/authn/http_filter_factory.cc:83] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2020-09-03T16:37:47.302983Z     warning envoy filter    [src/envoy/http/authn/http_filter_factory.cc:83] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/

The service becomes UNAVAILABLE for EXACTLY 30 minutes after i see above lines and becomes available again AFTER I see this error (So 30 min EXACTLY down time)

Any comment about this? I saw this on different Istio versions but it never got resolved fully (so even 1.6.8/1.6.5 has it)

omerfsen · September 3, 2020, 6:56pm

https://github.com/istio/istio/issues/19321 for example

Topic		Replies	Views
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED	1	9636	January 6, 2023
Upstream connect error or disconnect/reset before headers. reset reason: connection termination for STRICT Peer Authentication Security security	5	12392	November 7, 2022
Problem using nifi with istio Networking	0	1041	February 10, 2022
ISTIO External Authorization : getting error '503 upstream connect error or disconnect/reset before headers. reset reason: connection terminationroot' when access over HTTPS	4	4220	January 20, 2023
Connection returns TLS error after running for few days Networking	3	3749	September 7, 2021

Upstream connect error or disconnect/reset before headers

Related Topics