Upstream connect error or disconnect reset before headers reset reason remote reset

EDIT

It seems that my first error I describe is very easy to reproduce. Actually, Google Run fails to run any GRPC query on a .NET5 GRPC server it seems (at least, it did work before but as of today, February 21st, it seems that something changed). To reproduce:

1. Create a .NET5 GRPC server (also fails with .NET6):

dotnet new grpc -o TestGrpc

1. Change Program.cs so that it listens on $PORT, typically:

        public static IHostBuilder CreateHostBuilder(string[] args)
        {
            var port = Environment.GetEnvironmentVariable("PORT") ?? "8080";
            var url = string.Concat("http://0.0.0.0:", port);
            return Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>().UseUrls(url);
                });
        }

1. A very simple Dockerfile to have an image for the server (fails also with a more standard one, like here):

FROM mcr.microsoft.com/dotnet/sdk:5.0

COPY . ./

RUN dotnet restore ./TestGrpc.csproj
RUN dotnet build ./TestGrpc.csproj -c Release
CMD dotnet run --project ./TestGrpc.csproj

1. Build and push to Google Artifcats Registry.
2. Create a Cloud Run instance with HTTP/2 enabled (Ketrel requires HTTP/2 so we need to set
   HTTP/2 end-to-end, yet I tested without as well but it’s not better).
3. Use Grpcurl for instance and try:

grpcurl {CLOUD_RUN_URL}:443 list

And you will obtain the same error as I got with my (more complex) project:

Failed to list services: rpc error: code = Unavailable desc = upstream connect error or disconnect/reset before headers. reset reason: remote reset

On the Google Cloud Run instance I only have the log:

2022-02-21T16:44:32.528530Z POST 200 1.02 KB 41 ms grpcurl/v1.8.6 grpc-go/1.44.1-dev https://***/grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo

(I don’t really understand why it’s a 200 though… and never seems to reach the actual server implementation, just as if there was some kind of middleware blocking the query to reach the implementation… )

I’m pretty sure this used to worked as I started my project this way (and then changed the protos, the service, etc. ). If anyone has a clue I’d be more than grateful

INITIAL POST (less precise than explanations above but I leave it here if it may give clues)

I have a server running within a Docker (.NET5 GRPC application). This server, when deployed locally works perfectly fine. But recently I have an error when I deploy it on Google Cloud Run: upstream connect error or disconnect/reset before headers. reset reason: remote reset when it was working fine before. I keep on having this error from any client I use, for instance with Curl:

curl -v https://{ENDPOINT}/{Proto-base}/{Method} --http2


*   Trying ***...
* TCP_NODELAY set
* Connected to *** (***) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.a.run.app
*  start date: Feb  7 02:07:06 2022 GMT
*  expire date: May  2 02:07:05 2022 GMT
*  subjectAltName: host "***" matched cert's "*.a.run.app"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5564aad30860)
> GET /{Proto}/{Method} HTTP/2
> Host: ***
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 503 
< content-length: 85
< content-type: text/plain
< date: Mon, 21 Feb 2022 13:51:31 GMT
< server: Google Frontend
< traceparent: 00-5a74487dafb5687961deeb17e0158ca9-5ab63cd23680e7d7-01
< x-cloud-trace-context: 5a74487dafb5687961deeb17e0158ca9/6536478782730069975;o=1
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* Connection #0 to host *** left intact
upstream connect error or disconnect/reset before headers. reset reason: remote reset

Same happens with Grpcurl:

grpcurl ***:443 list {Proto-base}

Failed to list methods for service "***.Company": rpc error: code = Unavailable desc = upstream connect error or disconnect/reset before headers. reset reason: remote reset

I cannot find much resource on this error as most of the threads I read deal with another type of reset reason (like protocol, or connection, etc.). But I strictly have no idea what remote reset means and what I did wrong.

Looking at the logs in Google Cloud Run, I can see that the server is definitly hit, though I added trace logging in the route which is not triggered, hence it never reaches my code:

2022-02-21T14:44:22.840580Z  POST 200 1.01 KB 1 msgrpc-python/1.44.0 grpc-c/22.0.0 (linux; chttp2) https://***/{Protos-base}/{Method}

(if I reached my code it should print some «Hellos» everywhere which it doesn’t)

Has anyone ever found this?

P.S.: there are many things around about Envoy, but I don’t even use this. I simply have a Cloud Run instance (with HTTP/2 — and I tried without but it fails due to protocol issue).

Here’s what “upstream connect error or disconnect/reset before headers connection failure” means and how to fix it:

If you are an everyday user, and you see this message while browsing the internet, then it simply means that you need to clear your cache and cookies.

If you are a developer and see this message, then you need to check your service routes, destination rules, and/or traffic management with applications.

So if you want to learn all about what this 503 error means exactly and how to fix it, then this article is for you.

Let’s delve deeper into it!

Upstream connect error or disconnect reset before headers reset reason connection failure.

That’s a very specific, yet unclear error message to see.

What is it trying to tell you?

Let’s start with an overview.

This is a 503 error message.

It’s a generic message that actually applies to a lot of different scenarios, and the fix for it will depend on the specific scenario at hand.

In general, this error is telling you that there is a connection error, and that error is linked to routing services and rules. 

That leaves an absolute ton of possibilities, but I’ll take you through the most common sources.

Then, we can talk about troubleshooting and fixing the problem.

That covers the very zoomed-out picture of this error message, but if you’re getting it, then you probably want to get it to go away.

To fix the problem, we have to address the root cause.

That’s the essence of troubleshooting, and it definitely applies here.

There’s a problem when it comes to identifying the cause of this error.

There are basically two instances where you’re going to see this error, and they are completely different.

One place where you’ll run into it is when you’re coding specific functions that relate to network connection management.

I’m going to break down the three most common scenarios that lead to this error in the next few sections.

But, the other common time you see this error is when you’re browsing the internet.

That means that I’m really answering this question for two very different groups of people.

One group is developing or coding networking resources.

The other group is just browsing the internet.

As you might imagine, it’s hard to consolidate all of that into a single, concise answer.

So, I’m going to split this up.

First, I’ll tackle the developer problems.

If you’re just trying to browse the internet and don’t want to get deep into networking and how it works, then skip to the section that is clearly labeled as not for developers and programmers.

That said, if you want to take a peek behind the curtain and learn a little more about networking, I’ll try to keep these explanations as light as possible.

#1 Reconfiguring Service Routes

I mentioned before that this is a 503 error.

One common place you’ll find it is when reconfiguring service routes.

The boiled-down essence here is that it’s easy to mix up service routing and rules such that the system can receive subsets before they are designed.

Naturally, the system doesn’t know what to do in that case, and you get a 503 error.

The key to avoiding this problem with service route reconfiguring is to follow what you might call a “make-before-break” rule.

Essentially, the steps force the system to add the new subset first and then update the virtual services.

#2 Setting Destination Rules

Considering the issue above, it should not come as a surprise that you can trigger 503 errors when setting destination rules.

Most commonly, destination rules are the issue if you see the 503 errors right after a request to a service. 

This issue goes hand in hand with the one above.

The problem is still that the destination rule is creating the issue.

The difference is that this isn’t necessarily a problem with receiving subsets before they have been designed.

Virtually any destination rule error can lead to a 503 message.

Since there are so many ways these rules can break down and so many ways the problems can manifest, I’m going to cheat a little.

If you noticed that the problem correlates with new destination rules, then you can follow this guide.

It breaks down the most common destination rule problems and shows you how to overcome them.

#2 Traffic Management With Applications

The third primary issue is related to conflicts between applications and any proxy sidecar.

In other words, the applications that work with your traffic management rules might not know those rules, and the application can do things that don’t play well with the traffic management system.

That’s pretty vague because, once again, there are a lot of specific possibilities.

The gist is that you’re trying to offload as much error recovery to the applications as you can.

That will minimize these conflicts and resolve most instances of 503 errors.

Considering the detailed problems we just covered, what can you do about the 503 error?

I included some solutions and linked to even more, but if you’re looking for a general guide, then here’s another way to think about the whole thing.

This specific message is telling you that there’s a timing problem between connect errors and disconnect resets.

Somewhere in your system, you have conflicting rules that are trying to do things out of order.

The best way to find the specific area is to focus on rules changes as they relate to traffic management.

Essentially, start with what you touched most recently, and work your way backward from there.

Ok, but What if I’m Not a Developer or Programmer? (3 Steps)

Alright. That was a relatively deep walk-through of connection rules development.

If you’re still with me, that’s great.

We’re going to switch gears and look at this from a simple user perspective.

You don’t need to know any coding to run into this problem, and I’m going to show you how to solve it without any coding either.

It’s actually pretty simple.

#1 The Walmart Bug

But, it still makes more sense when you know more about what went wrong.

So, I’m going to cite one of the most prolific examples of everyday 503 errors.

In 2020, Walmart’s website ran into widespread issues.

Users could browse the site just fine, but when they tried to go to a specific product page to make a purchase, they got the 503 error.

It popped up word for word as I mentioned before: Upstream connect error or disconnect reset before headers reset reason for connection failure.

People were just trying to buy some stuff, and they got hit with this crazy message.

What are you supposed to do with it?

#2 An Easy Fix

Well, the message is actually giving you very specific advice, once you know how to read it.

It’s telling you that your computer and the Walmart servers had a connection failure, and when they tried to automatically fix that connection problem, things broke down.

A quick note: I’m using the famous Walmart bug as an example, but the problems and solutions discussed here will work any time you see this message while browsing the web.

What that means is that there is some piece of information that is tied to your connection to the Walmart site that is messing up the automatic reconnect protocols.

While that might sound a little vague and mysterious, it actually tells us exactly where the problem lies.

The only information that could exist in this space would have to be stored in your browser’s cache.

This is related to your cookies.

Basically, when the error first went wrong, your computer remembered the problem, and so it just kept doing things the wrong way over and over again.

The solution requires you to make your computer forget the bad rule that it’s following.

To do that, you simply need to clear your cache and cookies.

#3 Clearing the Cache

The famous Walmart problem-plagued Chrome users, so I’ll walk you through how to do this on Google Chrome.

If you use a different browser, you can just look up how to clear cache and cookies.

Before we go through the steps, let me explain what is going to happen here.

We’re not deleting anything that is particularly important.

Your internet cache is just storing information related to the websites you visit.

Then, if you go back to that website or reload it, the stored information means that your computer doesn’t actually have to download as much information, and everything can load a little faster and easier.

So, when you delete this cache, it’s going to do a few things.

It’s going to slow down your first visit to any site that no longer has cached files.

But after you visit a site, it will build new cache files, and things will work normally.

This is also going to make your computer forget your sign-in information for any sites that require such.

Sticking with Walmart as an example, if you were signed into the website with your account, then after you clear the cache, you’re going to be automatically signed out again.

Make sure you know your passwords and usernames.

Because of this last issue, some people don’t like to clear their cache.

If you’re worried about that, then you don’t have to clear everything.

Just clear the cache back through the day when the error started.

Ok. With all of that covered, let’s go through the steps: 

• Look for the three dots and click on them (this opens the tools menu).
• Choose “history” from the list.
• Choose the time frame on the right that covers the data you want to clear.
• Click on “Clear browsing data.”
• Look at the checkboxes. You can choose cookies, cached images and files, and browsing history.
• To be sure you resolve the 503 error, clear the cookies and cached files.
• Click on “Clear Data” and you’re done.

Bug description
I upgraded istio from 1.3.6 to 1.4.2 and suddenly getting below error. Are there any changes that I need to make on version 1.4.2 to run previous applications? How can I debug this error to know the actual issue? In the logs there is no info other than error code 503.

upstream connect error or disconnect/reset before headers. reset reason: connection termination

I checked service is up and running with the valid endpoint.

service.yaml

---
apiVersion: v1
kind: Service
metadata:
  name: njb
  labels:
    app: njb
spec:
  selector:
    app: njb
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
  type: ClusterIP

Application istio-proxy logs

{"upstream_local_address":"127.0.0.1:57338","duration":"0","downstream_local_address":"10.2.0.22:8080","upstream_transport_failure_reason":"-","route_name":"-","response_code":"0","user_agent":"-","response_flags":"-","start_time":"2020-01-07T15:27:16.858Z","method":"-","request_id":"-","upstream_host":"127.0.0.1:8080","x_forwarded_for":"-","requested_server_name":"outbound_.8080_._.njb.default.svc.cluster.local","bytes_received":"1026","istio_policy_status":"-","bytes_sent":"47","upstream_cluster":"inbound|8080||njb.default.svc.cluster.local","downstream_remote_address":"10.2.0.27:54704","authority":"-","path":"-","protocol":"-","upstream_service_time":"-"}
{"upstream_local_address":"127.0.0.1:57342","duration":"7","downstream_local_address":"10.2.0.22:8080","upstream_transport_failure_reason":"-","route_name":"-","response_code":"0","user_agent":"-","response_flags":"-","start_time":"2020-01-07T15:27:17.246Z","method":"-","request_id":"-","upstream_host":"127.0.0.1:8080","x_forwarded_for":"-","requested_server_name":"outbound_.8080_._.njb.default.svc.cluster.local","bytes_received":"976","istio_policy_status":"-","bytes_sent":"47","upstream_cluster":"inbound|8080||njb.default.svc.cluster.local","downstream_remote_address":"10.2.0.27:54708","authority":"-","path":"-","protocol":"-","upstream_service_time":"-"}

ingress gateway logs

{"upstream_host":"10.2.0.22:8080","x_forwarded_for":"xx.xx.xx.xx","requested_server_name":"njb.example.com","bytes_received":"0","istio_policy_status":"-","bytes_sent":"95","upstream_cluster":"outbound|8080||njb.default.svc.cluster.local","downstream_remote_address":"xx.xx.xx.xx:55716","authority":"njb.example.com","path":"/favicon.ico","protocol":"HTTP/2","upstream_service_time":"-","upstream_local_address":"-","duration":"9","downstream_local_address":"10.2.0.27:443","upstream_transport_failure_reason":"-","route_name":"-","response_code":"503","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36","response_flags":"UC","start_time":"2020-01-07T15:27:17.244Z","method":"GET","request_id":"6bee7a01-b823-499d-857a-a2c6025409c3"}

Extra info

istioctl authn tls-check istio-ingressgateway-564dc4b8dc-gng28.istio-system njb.default.svc.cluster.local
HOST:PORT                              STATUS     SERVER     CLIENT           AUTHN POLICY     DESTINATION RULE
njb.default.svc.cluster.local:8080     OK         STRICT     ISTIO_MUTUAL     /default         istio-system/default

Expected behavior
The application should run without error message over ingress gateway.

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)
1.4.2

How was Istio installed?
helm template

Environment where bug was observed (cloud vendor, OS, etc)
AKS

upstream connect error or disconnect/reset before headers. reset reason: connection termination #19966

Bug description
I upgraded istio from 1.3.6 to 1.4.2 and suddenly getting below error. Are there any changes that I need to make on version 1.4.2 to run previous applications? How can I debug this error to know the actual issue? In the logs there is no info other than error code 503.

upstream connect error or disconnect/reset before headers. reset reason: connection termination

I checked service is up and running with the valid endpoint.

service.yaml

Application istio-proxy logs

ingress gateway logs

Extra info

Expected behavior
The application should run without error message over ingress gateway.

Version (include the output of istioctl version —remote and kubectl version and helm version if you used Helm)
1.4.2

How was Istio installed?
helm template

Environment where bug was observed (cloud vendor, OS, etc)
AKS

The text was updated successfully, but these errors were encountered:

Not sure why is this happening but when I added name in Service ports it worked.

Just commenting here to say that I encountered this same error ( upstream connect error or disconnect/reset before headers. reset reason: connection termination ) when I upgraded from 1.3 to 1.4 and wasted a ton of time trying to debug and figure out what exactly was causing it. I was able to downgrade to 1.3.x with no issue so it was not a huge blocker or anything but just had no idea how to fix it.

Your solution of adding names to the ports in the Kubernetes Services worked for me and I am very grateful.

This should be documented somewhere as it is not obvious. Kubernetes Service port names are optional if you only have a single port and I am sure a lot of other people are hitting this wall. Here for example.

Thx @rnkhouse, it works for me too

I had this same issue too when I upgraded to Istio 1.4.6, but I did NOT see it with Istio 1.4.3. However, simply giving the port a name did not work. I had previously named it interface , but that resulted in the above error. When I named it http , then it worked fine.

see it too with istio 1.4.4

I’ve just run into this as well (tested in 1.4.0 — same symptom was observed on 1.4.6) — this feels like something that should’ve been mentioned at https://istio.io/news/releases/1.4.x/announcing-1.4/upgrade-notes/
It looks like things like https://github.com/helm/charts/blob/master/stable/concourse/templates/web-svc.yaml#L36 are incompatible with this requirement?

Setting PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND=false in the istio-pilot deployment environment and deleting the istio-ingressgateway/concourse-web pods has also done the trick, with an atc ServicePort name.
I’ve also found that skipping 1.4.x entirely and going to 1.5 is fine.

Had same issue for jaeger service. Having istio 1.4.3 version.
Changed port name from query-http to http-query and it worked!
Please fix it.

Not sure why is this happening but when I added name in Service ports it worked.

This one worked for us too.. phew.. great save.

FWIW I had the same problem with the service port names. Though in my case it was that grpcurl could talk to the gRPC server backend behind envoy, where some webapp could not. So I changed name from grpc to grpc-web and made it work for both the webapp and grpcurl . There is something about upgrading HTTP 1.1 to HTTP 2 that I do not fully understand why the Kubernetes service name would have such an effect. grpcurl speaks HTTP 2 natively whereas the gRPC web magic does not.

ports:
— port: 12306
name: web-http
targetPort: 12306

ports:
— port: 12306
name: grpc-web-http
targetPort: 12306

Just to make it clear for others, the name is not a free text.

© 2023 GitHub, Inc.

You can’t perform that action at this time.

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.

Источник

upstream connect error or disconnect/reset before headers #2852

I and others have recently been seeing the «upstream connect error or disconnect/reset before headers» error with some frequency.

It doesn’t seem to be deterministic, for example, only one of the below requests failed.

and upon refreshing the page, a different one, or more, of those same requests may fail.

The errors seem to dissipate after refreshing the page a few times, and I have not yet encountered this while port-forwarding, as opposed to using the «cluster.endpoints.project.cloud.goog» URL for my deployment.

I wasn’t sure if this should be its own issue, or should be added to #1710.

The text was updated successfully, but these errors were encountered:

I think upstream errors are an issue indicating that Ambassador thinks the backend its forwarding traffic to is unhealthy.

Are there particular backends you are seeing this error with?

I have seen the same error. This is happening to me when loading runs for a scheduled pipeline in pipeline UI. @jlewi Do you think this can be caused by pipeline?

FWIW this is happening among a batch of requests. the rest of the requests succeeded indicating the backend should be running.

I think upstream errors are an issue indicating that Ambassador thinks the backend its forwarding traffic to is unhealthy.

Are there particular backends you are seeing this error with?

This is happening with the root Kubeflow UX on Kubeflow deploayments with IAM enabled.
It seems to be happening more and more. Previously it was happening after waiting for several hours. Not it can happen after few minutes.

@Ark-kun @IronPan @rileyjbauer when you observe this error can you take a look and provide your Ambassador pod logs?

I noticed this and when I looked at the logs (see below) I saw errors like the following

If you observe this I might suggest trying to kill all your Ambassador pods.

Ambassador tries to setup a K8s watch on the APIServer to be notified about service changes. It looks like it is having a problem establishing a connection to the APIServer.

The problem might be dependent on Ambassador as well as your APIServer; is your APIServer under a lot of load?

We are using
quay.io/datawire/ambassador:0.37.0

It might be worth trying a newer version of Ambassador.

@ellis-bigelow Do you recall what the performance issues with Ambassador you saw were?
ambassador-5cf8cd97d5-pqrsw.pods.txt

I ran into this problem while installing seldon to my cluster. I added it in twice, once as seldon and another time as seldon-core. This might have been the root cause for this issue, as well as argocd not syncing.

Thanks for the direction @jlewi

I tried killing the pods and after the new ones were up, but I continued to see the errors, and there didn’t seem to be anything notable in the ambassador or API server pod logs

Seeing this too from recent master in EC2. Went down to 1 ambassador replica but no joy.

Re posting as this thread seems more recent and active.

Envoy upstream had an issue that only recently was fixed in dev but not yet fixed in any stable version where if the service it was proxying to ended the connection with a FIN/ACK envoy would responding with only an ACK and still leave it in its connection pool and would send the next request to that service using that connection.

The service would receive it, say a get request, and then send a RST as since it had already FIN/ACK ed it doens’t have a way to reply to the request.

Its a roll of the dice whether your request get loaded to an http connection in the pool that is already dead but envoy doesn’t know it or goes to a live one which is why the symptoms of this issue are so intermittent.

May be related to what your seeing, to confirm if you have a way to capture packets on the service side you should see the weird behavoir of the service doing a FIN/ACK but envoy only responding with ACK and then sometime later sending another request on that TCP stream triggering the service to send a RST .

In envoy 1.10 they improved the message you get back so after upstream connect error or disconnect/reset before headers you will get more information, in my case got a message like connection terminated so if you upgrade to the latest envoy you may at least get additional information to confirm this what the source of the problem is even if it isn’t this specific envoy issue.

Источник

«upstream connect error or disconnect/reset before headers. reset reason: connection failure» error for .NET Core apps run in docker-compose #15727

Description:
Hello, I have 2 .NET Core apps (Razor-pages web app and GRPC Service) running in docker-compose. Both are running in different localhost ports. If I access them via localhost, like:

• http://localhost:5105/ or http://127.0.0.1:5105 — for the web app,
• http://localhost:5104/ or http://127.0.0.1:5104 — for the GRPC
  both are working. But when I added the envoy configuration listener and clusters and trying to access via:
• http://localhost:8080/imageslibs
• http://localhost:8080/imagesservice

Envoy returns the exception upstream connect error or disconnect/reset before headers. reset reason: connection failure for both apps.
The docker-compose.yml:
version: ‘3.4’

Config:
Envoy’s dockerfile:

front-envoy_1 | [2021-03-28 16:47:54.444][14][debug][http] [source/common/http/conn_manager_impl.cc:255] [C6] new stream
front-envoy_1 | [2021-03-28 16:47:54.445][14][debug][http] [source/common/http/conn_manager_impl.cc:883] [C6][S14144009116599918894] request headers complete (end_stream=true):
front-envoy_1 | ‘:authority’, ‘localhost:8080’
front-envoy_1 | ‘:path’, ‘/imageslibs’
front-envoy_1 | ‘:method’, ‘GET’
front-envoy_1 | ‘connection’, ‘keep-alive’
front-envoy_1 | ‘cache-control’, ‘max-age=0’
front-envoy_1 | ‘sec-ch-ua’, ‘»Google Chrome»;v=»89″, «Chromium»;v=»89″, «;Not A Brand»;v=»99″‘
front-envoy_1 | ‘sec-ch-ua-mobile’, ‘?0’
front-envoy_1 | ‘upgrade-insecure-requests’, ‘1’
front-envoy_1 | ‘user-agent’, ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36’
front-envoy_1 | ‘accept’, ‘text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9′
front-envoy_1 | ‘sec-fetch-site’, ‘none’
front-envoy_1 | ‘sec-fetch-mode’, ‘navigate’
front-envoy_1 | ‘sec-fetch-user’, ‘?1’
front-envoy_1 | ‘sec-fetch-dest’, ‘document’
front-envoy_1 | ‘accept-encoding’, ‘gzip, deflate, br’
front-envoy_1 | ‘accept-language’, ‘en-US,en;q=0.9’
front-envoy_1 | ‘cookie’, ‘idsrv.session=NlW8VRtzuNJguQYDdVVpIA; .AspNetCore.Cookie=CfDJ8BR22IBZi6xAvAD2wBqZBlG2IUeWsw7hHPiNq4LrY2HBNRWyhGZ2gZuzRIbMi9MLO7IDORqkSIvDTuZDsLDz6RYtLccXi9x2CwlSzHS169Pgs3hs6biCcFKuriLkWZ4lpWHv4OCqZdO4lGgWmdzcrf2ctQbQOA-xPS7O7NSoQ0-a8VGjjthlIolqaxh5gYLtvvdjSI043UZWVOCb_ZDnFNiD4H_WKAtpKmdENFk_4NbSZmmQ3Indj2ty72kNNUUv8OLEswzxI5dBGA9AYI7i-lzMjbl8GjXNhplHR5j7XJTgG7i9dsF2antRfonV_IpL4sabtmLhdti-ZaumXhPewS702E_1BKo-8ELV3LOMfiE_jdkKJTPR15sCSWkSo0-nllUoQczL7de0F8KMolWK8KoB13z8E388w2juHXnmiDYQIAn3MWzKUvhH_bhgK_ZBCEExWvDqgGRRBroI90Nvg6IAwc_-PoJcPE1HE2i6ouzdkNXoBRg6IQWmelHAtDb8uI2CYzYeBu3zYrnJq28vOhAx_Qpr_y7A0GenqHyJO5cw; .AspNetCore.Antiforgery.9TtSrW0hzOs=CfDJ8Do6rlT2pe5IndjlZXmKm7GvuVL61tmcxXKqGH7eWnem071yNAndO5zwY5WDwxxHjY8CnoRIsalbkPMWIIq_ZFysZ-fkQJJdPm78T8dCxUe5DGeKiJqu5GjjEldMAkcnvmYjNYO9Ht13ldBWwzbBUqs’
front-envoy_1 |
front-envoy_1 | [2021-03-28 16:47:54.445][14][debug][http] [source/common/http/filter_manager.cc:774] [C6][S14144009116599918894] request end stream
front-envoy_1 | [2021-03-28 16:47:54.445][14][debug][router] [source/common/router/router.cc:426] [C6][S14144009116599918894] cluster ‘imageslibs’ match for URL ‘/imageslibs’
front-envoy_1 | [2021-03-28 16:47:54.446][14][debug][router] [source/common/router/router.cc:583] [C6][S14144009116599918894] router decoding headers:
front-envoy_1 | ‘:authority’, ‘localhost:8080’
front-envoy_1 | ‘:path’, ‘/imageslibs’
front-envoy_1 | ‘:method’, ‘GET’
front-envoy_1 | ‘:scheme’, ‘http’
front-envoy_1 | ‘cache-control’, ‘max-age=0’
front-envoy_1 | ‘sec-ch-ua’, ‘»Google Chrome»;v=»89″, «Chromium»;v=»89″, «;Not A Brand»;v=»99″‘
front-envoy_1 | ‘sec-ch-ua-mobile’, ‘?0’
front-envoy_1 | ‘upgrade-insecure-requests’, ‘1’
front-envoy_1 | ‘user-agent’, ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36’
front-envoy_1 | ‘accept’, ‘text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9′
front-envoy_1 | ‘sec-fetch-site’, ‘none’
front-envoy_1 | ‘sec-fetch-mode’, ‘navigate’
front-envoy_1 | ‘sec-fetch-user’, ‘?1’
front-envoy_1 | ‘sec-fetch-dest’, ‘document’
front-envoy_1 | ‘accept-encoding’, ‘gzip, deflate, br’
front-envoy_1 | ‘accept-language’, ‘en-US,en;q=0.9’
front-envoy_1 | ‘cookie’, ‘idsrv.session=NlW8VRtzuNJguQYDdVVpIA; .AspNetCore.Cookie=CfDJ8BR22IBZi6xAvAD2wBqZBlG2IUeWsw7hHPiNq4LrY2HBNRWyhGZ2gZuzRIbMi9MLO7IDORqkSIvDTuZDsLDz6RYtLccXi9x2CwlSzHS169Pgs3hs6biCcFKuriLkWZ4lpWHv4OCqZdO4lGgWmdzcrf2ctQbQOA-xPS7O7NSoQ0-a8VGjjthlIolqaxh5gYLtvvdjSI043UZWVOCb_ZDnFNiD4H_WKAtpKmdENFk_4NbSZmmQ3Indj2ty72kNNUUv8OLEswzxI5dBGA9AYI7i-lzMjbl8GjXNhplHR5j7XJTgG7i9dsF2antRfonV_IpL4sabtmLhdti-ZaumXhPewS702E_1BKo-8ELV3LOMfiE_jdkKJTPR15sCSWkSo0-nllUoQczL7de0F8KMolWK8KoB13z8E388w2juHXnmiDYQIAn3MWzKUvhH_bhgK_ZBCEExWvDqgGRRBroI90Nvg6IAwc_-PoJcPE1HE2i6ouzdkNXoBRg6IQWmelHAtDb8uI2CYzYeBu3zYrnJq28vOhAx_Qpr_y7A0GenqHyJO5cw; .AspNetCore.Antiforgery.9TtSrW0hzOs=CfDJ8Do6rlT2pe5IndjlZXmKm7GvuVL61tmcxXKqGH7eWnem071yNAndO5zwY5WDwxxHjY8CnoRIsalbkPMWIIq_ZFysZ-fkQJJdPm78T8dCxUe5DGeKiJqu5GjjEldMAkcnvmYjNYO9Ht13ldBWwzbBUqs’
front-envoy_1 | ‘x-forwarded-proto’, ‘http’
front-envoy_1 | ‘x-request-id’, ‘6def488d-7020-4a79-acee-d1bd5a9f7252’
front-envoy_1 | ‘x-envoy-expected-rq-timeout-ms’, ‘15000’
front-envoy_1 |
front-envoy_1 | [2021-03-28 16:47:54.446][14][debug][pool] [source/common/http/conn_pool_base.cc:79] queueing stream due to no available connections
front-envoy_1 | [2021-03-28 16:47:54.446][14][debug][pool] [source/common/conn_pool/conn_pool_base.cc:229] trying to create new connection
front-envoy_1 | [2021-03-28 16:47:54.446][14][debug][pool] [source/common/conn_pool/conn_pool_base.cc:132] creating a new connection
front-envoy_1 | [2021-03-28 16:47:54.446][14][debug][client] [source/common/http/codec_client.cc:41] [C8] connecting
front-envoy_1 | [2021-03-28 16:47:54.446][14][debug][connection] [source/common/network/connection_impl.cc:861] [C8] connecting to 127.0.0.1:5105
front-envoy_1 | [2021-03-28 16:47:54.446][14][debug][connection] [source/common/network/connection_impl.cc:880] [C8] connection in progress
front-envoy_1 | [2021-03-28 16:47:54.446][14][debug][connection] [source/common/network/connection_impl.cc:671] [C8] delayed connection error: 111
front-envoy_1 | [2021-03-28 16:47:54.447][14][debug][connection] [source/common/network/connection_impl.cc:243] [C8] closing socket: 0
front-envoy_1 | [2021-03-28 16:47:54.447][14][debug][client] [source/common/http/codec_client.cc:101] [C8] disconnect. resetting 0 pending requests
front-envoy_1 | [2021-03-28 16:47:54.447][14][debug][pool] [source/common/conn_pool/conn_pool_base.cc:380] [C8] client disconnected, failure reason:
front-envoy_1 | [2021-03-28 16:47:54.447][14][debug][router] [source/common/router/router.cc:1040] [C6][S14144009116599918894] upstream reset: reset reason: connection failure, transport failure reason:
front-envoy_1 | [2021-03-28 16:47:54.447][14][debug][http] [source/common/http/filter_manager.cc:858] [C6][S14144009116599918894] Sending local reply with details upstream_reset_before_response_started
front-envoy_1 | [2021-03-28 16:47:54.447][14][debug][http] [source/common/http/conn_manager_impl.cc:1454] [C6][S14144009116599918894] encoding headers via codec (end_stream=false):
front-envoy_1 | ‘:status’, ‘503’
front-envoy_1 | ‘content-length’, ’91’
front-envoy_1 | ‘content-type’, ‘text/plain’
front-envoy_1 | ‘date’, ‘Sun, 28 Mar 2021 16:47:54 GMT’
front-envoy_1 | ‘server’, ‘envoy’

Here is the localhost:9999/clusters output:

imageslibs::default_priority::max_connections::1024
imageslibs::default_priority::max_pending_requests::1024
imageslibs::default_priority::max_requests::1024
imageslibs::default_priority::max_retries::3
imageslibs::high_priority::max_connections::1024
imageslibs::high_priority::max_pending_requests::1024
imageslibs::high_priority::max_requests::1024
imageslibs::high_priority::max_retries::3
imageslibs::added_via_api::false
imageslibs::127.0.0.1:5105::cx_active::0
imageslibs::127.0.0.1:5105::cx_connect_fail::2
imageslibs::127.0.0.1:5105::cx_total::2
imageslibs::127.0.0.1:5105::rq_active::0
imageslibs::127.0.0.1:5105::rq_error::2
imageslibs::127.0.0.1:5105::rq_success::0
imageslibs::127.0.0.1:5105::rq_timeout::0
imageslibs::127.0.0.1:5105::rq_total::0
imageslibs::127.0.0.1:5105::hostname::127.0.0.1
imageslibs::127.0.0.1:5105::health_flags::healthy
imageslibs::127.0.0.1:5105::weight::1
imageslibs::127.0.0.1:5105::region::
imageslibs::127.0.0.1:5105::zone::
imageslibs::127.0.0.1:5105::sub_zone::
imageslibs::127.0.0.1:5105::canary::false
imageslibs::127.0.0.1:5105::priority::0
imageslibs::127.0.0.1:5105::success_rate::-1.0
imageslibs::127.0.0.1:5105::local_origin_success_rate::-1.0
secure_imageslibs::default_priority::max_connections::1024
secure_imageslibs::default_priority::max_pending_requests::1024
secure_imageslibs::default_priority::max_requests::1024
secure_imageslibs::default_priority::max_retries::3
secure_imageslibs::high_priority::max_connections::1024
secure_imageslibs::high_priority::max_pending_requests::1024
secure_imageslibs::high_priority::max_requests::1024
secure_imageslibs::high_priority::max_retries::3
secure_imageslibs::added_via_api::false
secure_imageslibs::127.0.0.1:9105::cx_active::0
secure_imageslibs::127.0.0.1:9105::cx_connect_fail::0
secure_imageslibs::127.0.0.1:9105::cx_total::0
secure_imageslibs::127.0.0.1:9105::rq_active::0
secure_imageslibs::127.0.0.1:9105::rq_error::0
secure_imageslibs::127.0.0.1:9105::rq_success::0
secure_imageslibs::127.0.0.1:9105::rq_timeout::0
secure_imageslibs::127.0.0.1:9105::rq_total::0
secure_imageslibs::127.0.0.1:9105::hostname::127.0.0.1
secure_imageslibs::127.0.0.1:9105::health_flags::healthy
secure_imageslibs::127.0.0.1:9105::weight::1
secure_imageslibs::127.0.0.1:9105::region::
secure_imageslibs::127.0.0.1:9105::zone::
secure_imageslibs::127.0.0.1:9105::sub_zone::
secure_imageslibs::127.0.0.1:9105::canary::false
secure_imageslibs::127.0.0.1:9105::priority::0
secure_imageslibs::127.0.0.1:9105::success_rate::-1.0
secure_imageslibs::127.0.0.1:9105::local_origin_success_rate::-1.0
imagesservice::default_priority::max_connections::1024
imagesservice::default_priority::max_pending_requests::1024
imagesservice::default_priority::max_requests::1024
imagesservice::default_priority::max_retries::3
imagesservice::high_priority::max_connections::1024
imagesservice::high_priority::max_pending_requests::1024
imagesservice::high_priority::max_requests::1024
imagesservice::high_priority::max_retries::3
imagesservice::added_via_api::false
imagesservice::127.0.0.1:5104::cx_active::0
imagesservice::127.0.0.1:5104::cx_connect_fail::1
imagesservice::127.0.0.1:5104::cx_total::1
imagesservice::127.0.0.1:5104::rq_active::0
imagesservice::127.0.0.1:5104::rq_error::1
imagesservice::127.0.0.1:5104::rq_success::0
imagesservice::127.0.0.1:5104::rq_timeout::0
imagesservice::127.0.0.1:5104::rq_total::0
imagesservice::127.0.0.1:5104::hostname::127.0.0.1
imagesservice::127.0.0.1:5104::health_flags::healthy
imagesservice::127.0.0.1:5104::weight::1
imagesservice::127.0.0.1:5104::region::
imagesservice::127.0.0.1:5104::zone::
imagesservice::127.0.0.1:5104::sub_zone::
imagesservice::127.0.0.1:5104::canary::false
imagesservice::127.0.0.1:5104::priority::0
imagesservice::127.0.0.1:5104::success_rate::-1.0
imagesservice::127.0.0.1:5104::local_origin_success_rate::-1.0

The text was updated successfully, but these errors were encountered:

Источник

This page describes how to troubleshoot errors that you receive in a response
from a request to your API.

BAD_GATEWAY

If you receive error code 13 and the message BAD_GATEWAY, this indicates
that the Extensible Service Proxy (ESP) can’t reach the service’s backend.
Check the following:

• Make sure the backend service is running. How you do that depends on
  the backend.
  • For the App Engine flexible environment, the error code for the
    BAD_GATEWAY message might be 502. See the
    Errors specific to App Engine flexible environment
    section for more information.
  • For Compute Engine see
    Troubleshooting Cloud Endpoints on Compute Engine
    for details.
  • For GKE, you need to use SSH to access the pod and use
    curl. See
    Troubleshooting
    Endpoints in Google Kubernetes Engine
    for details.
• The correct IP address port of the backend service is specified:
  • For GKE, check the ESP --backend flag value
    (the short option is -a) in your deployment manifest file (often
    called deployment.yaml).
  • For Compute Engine check the ESP --backend flag value
    (the short option is -a) in the docker run command.

reset reason: connection failure

If you receive HTTP code 503 or gRPC code 14 and the message upstream connect error or disconnect/reset before headers. reset reason: connection failure, this indicates
that ESPv2 can’t reach the service’s backend.

To troubleshoot, double check the items below.

Backend Address

ESPv2 should be configured with the correct backend address. Common issues include:

• The scheme of the backend address should match the backend application type.
  OpenAPI backends should be http:// and gRPC backends should be grpc://.
• For ESPv2 deployed on Cloud Run, the scheme of the backend address should be either https:// or grpcs://.
  The s tells ESPv2 to set up TLS with the backend.

DNS Lookup

By default, ESPv2 attempts to resolve domain names to IPv6 addresses.
If the IPv6 resolution fails, ESPv2 falls back to IPv4 addresses.

For some networks, the fallback mechanism may not work as intended.
Instead, you can force ESPv2 to use IPv4 addresses via the
--backend_dns_lookup_family flag.

This error is common if you configure a Serverless VPC Connector
for ESPv2 deployed on Cloud Run. VPCs do not support IPv6 traffic.

API is not enabled for the project

If you sent an API key in the request, an error message like «API
my-api.endpoints.example-project-12345.cloud.goog is not enabled for the
project» indicates that the API key was created in a different Google Cloud
project than the API. To fix this, you can either
create the API key
in the same Google Cloud project that the API is associated with, or you
can
enable the API
in the Google Cloud project that
the API key was created in.

Service control request failed with HTTP response code 403

If you receive error code 14 and the message Service control request failed
with HTTP response code 403, this indicates that the Service Control API
(servicecontrol.googleapis.com) isn’t enabled on the project.

1. See Checking required services
   to make sure that all the services that Endpoints and
   ESP require are enabled on your project.

2. See Checking required permissions
   to make sure that all the required permissions to the service account associated with the instance running ESP.

Method doesn't allow unregistered callers

ESP responds with the error,
Method doesn't allow unregistered callers, when you have specified an API key
in the security section in your OpenAPI document, but the request to your API
doesn’t have an API key assigned to a query parameter named key.

If you need to generate an API key to make calls to your API, see
Creating an API key.

Method does not exist

The response, Method does not exist, means that the HTTP method
(GET, POST, or other) on the specified URL path wasn’t found. To
troubleshoot, compare the service configuration that you have deployed to make
sure that the method name and URL path that you are sending in the request
match:

1. In the Google Cloud console, go to the Endpoints Services page for
   your project.

   Go to the Endpoints Services page

2. If you have more than one API, select the API that you sent the request to.

3. Click the Deployment history tab.

4. Select the latest deployment to see the service configuration.

If you don’t see the method you are calling specified in the paths section
of your OpenAPI document, either add the method, or add the x-google-allow
flag at the top level of the file:

x-google-allow: all

This flag means that you can avoid listing all methods supported in your backend
in your OpenAPI document. When all is used, all calls—with or without an
API key or user authentication—pass through ESP to your
API. See
x-google-allow
for more information.

Errors specific to the App Engine flexible environment

This section describes error responses from APIs deployed on the
App Engine flexible environment.

Error code 502 or 503

App Engine may take a few minutes to respond successfully to requests.
If you send a request and get back an HTTP 502, 503, or some other server
error, wait a minute and try the request again.

Error message BAD_GATEWAY

An error code 502 with BAD_GATEWAY in the message usually indicates that
App Engine terminated the application because it ran out of memory.
The default App Engine flexible VM only has 1GB of memory, with only
600MB available for the application container.

To troubleshoot error code 502:

1. In the Google Cloud console, go to the Logging page:

   Go to the Logs Explorer page

2. Select the applicable Google Cloud project at the top of the page.

3. Select Google App Engine Application and open vm.syslog.

4. Look for a log entry similar to the following:

   kernel: [  133.706951] Out of memory: Kill process 4490 (java) score 878 or sacrifice child
   kernel: [  133.714468] Killed process 4306 (java) total-vm:5332376kB, anon-rss:2712108kB, file-rss:0kB
   

   If you see an Out of memory entry in the log:

   1. Add the following to your app.yaml file to increase the size of the
      default VM:

      resources:
        memory_gb: 4
      

   2. Redeploy your API:

      gcloud app deploy
      

If you have the rollout_strategy: managed option specified in the
endpoints_api_service section of the app.yaml file, use the following command
to redeploy your API:

  gcloud app deploy

See
Deploying your API and ESP
for more information.

Checking the Cloud Logging logs

To use the Cloud Logging logs to help troubleshoot response errors:

1. In the Google Cloud console, go to the Logging page.

   Go to the Logs Explorer page

2. At the top of the page, select the Google Cloud project.

3. Using the drop-down menu on the left, select Produced API >
   [YOUR_SERVICE_NAME].

4. Adjust the time range until you see a row that shows your response error.

5. Expand the JSON payload and look for error_cause.

   • If the error_cause is set to application, this indicates an issue in
     your code.

   • If the error cause is anything else and you are unable to fix the issue,
     export the log
     and include it in any communication that you have with Google.

See the following for more information:

• For details on the structure of the logs in the Logs Explorer, see the
  Endpoints logs reference

• Get started using the Logs Explorer.

• Use Advanced log queries
  for advanced filtering, such as getting all requests with a latency greater
  than 300 milliseconds.

Issues with the example Invoke-WebRequest

In some versions of Windows PowerShell, the example Invoke-WebRequest in the
tutorials
fails. We have also received a report that the response contained a list of
unsigned bytes that had to be converted to characters. If the example
Invoke-WebRequest didn’t return the expected result, try sending the request
using another application. Following are a few suggestions:

• Start Cloud Shell
  and follow the Linux steps in the tutorial that you were using to send the
  request.

• Install a third-party application, such as the Chrome browser extension Postman
  (offered by www.getpostman.com). When creating the request in Postman:

  • Select POST as the HTTP verb.
  • For the header, select the key content-type and the value
    application/json.
  • For the body, enter: {"message":"hello world"}

  • In the URL, use the actual API key rather than the environment variable.
    For example:

    • On the App Engine flexible environment: https://example-project-12345.appspot.com/echo?key=AIza...
    • On other backends: http://192.0.2.0:80/echo?key=AIza...

• Download and install curl, which you
  run in the command prompt. Because Windows doesn’t handle double quotation
  marks nested inside single quotation marks, you have to change the --data
  option in the example to:

  --data "{"message":"hello world"}"
  

We have deployed an application behind the istio ingress gateway and is accessible at test.domain.com/jenkinscore.We have used istio 1.4.5. The domain name is created for the istio ingress gateway service IP. As per the below logs, when we hit this URL, istio-proxy is throwing a 403 error: upstream connect error or disconnect/reset before headers. reset reason: connection failure .
Below are the logs. This happens only intermittently. On re-starting the ingress gateway pod, issue gets resolved. Can anyone let us know what could be the reason for this error?

:42:20.798][46][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:259] [C2469] new stream
[Envoy (Epoch 1)] [2020-06-09 11:42:20.798][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:483] [C2469] recv frame type=1
[Envoy (Epoch 1)] [2020-06-09 11:42:20.798][46][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:708] [C2469][S10386582713969444678] request headers complete (end_stream=true):
':method', 'GET'
':authority', 'test.domain.com'
':scheme', 'https'
':path', '/jenkinscore'
'cache-control', 'max-age=0'
'upgrade-insecure-requests', '1'
'user-agent', 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36'
'accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
'sec-fetch-site', 'cross-site'
'sec-fetch-mode', 'navigate'
'sec-fetch-user', '?1'
'sec-fetch-dest', 'document'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'

[Envoy (Epoch 1)] [2020-06-09 11:42:20.798][46][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1257] [C2469][S10386582713969444678] request end stream
[Envoy (Epoch 1)] [2020-06-09 11:42:20.798][46][debug][jwt] [external/envoy/source/extensions/filters/http/jwt_authn/filter.cc:101] Called Filter : setDecoderFilterCallbacks
[Envoy (Epoch 1)] [2020-06-09 11:42:20.798][46][debug][filter] [src/envoy/http/mixer/filter.cc:47] Called Mixer::Filter : Filter
[Envoy (Epoch 1)] [2020-06-09 11:42:20.798][46][debug][filter] [src/envoy/http/mixer/filter.cc:148] Called Mixer::Filter : setDecoderFilterCallbacks
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][filter] [external/envoy/source/extensions/filters/http/ext_authz/ext_authz.cc:80] [C2469][S10386582713969444678] ext_authz filter calling authorization server
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][router] [external/envoy/source/common/router/router.cc:434] [C0][S9059969016458298666] cluster 'ext_authz' match for URL '/envoy.service.auth.v2.Authorization/Check'
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][router] [external/envoy/source/common/router/router.cc:549] [C0][S9059969016458298666] router decoding headers:
':method', 'POST'
':path', '/envoy.service.auth.v2.Authorization/Check'
':authority', 'ext_authz'
':scheme', 'http'
'te', 'trailers'
'grpc-timeout', '10000m'
'content-type', 'application/grpc'
'x-b3-traceid', 'a4xxxx3471f0f7496063d056b2d9'
'x-b3-spanid', '7a236se1c6c190'
'x-b3-parentspanid', 'f7496063d056b2d9'
'x-b3-sampled', '0'
'x-envoy-internal', 'true'
'x-forwarded-for', '10.48.3.5'
'x-envoy-expected-rq-timeout-ms', '10000'

[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][client] [external/envoy/source/common/http/codec_client.cc:31] [C2470] connecting
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][connection] [external/envoy/source/common/network/connection_impl.cc:711] [C2470] connecting to 127.0.0.1:10003
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][connection] [external/envoy/source/common/network/connection_impl.cc:720] [C2470] connection in progress
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][http2] [external/envoy/source/common/http/http2/codec_impl.cc:912] [C2470] setting stream-level initial window size to 268435456
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][http2] [external/envoy/source/common/http/http2/codec_impl.cc:934] [C2470] updating connection-level initial window size to 268435456
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][pool] [external/envoy/source/common/http/conn_pool_base.cc:20] queueing request due to no available connections
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][router] [external/envoy/source/common/router/router.cc:1475] [C0][S9059969016458298666] buffering 1023 bytes
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:966] [C2469][S10386582713969444678] decode headers called: filter=0x559dc3768780 status=4
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:424] [C2469] dispatched 441 bytes
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:666] [C2469] about to send frame type=4, flags=0
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:720] [C2469] send data: bytes=15
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][connection] [external/envoy/source/common/network/connection_impl.cc:398] [C2469] writing 15 bytes, end_stream false
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:608] [C2469] sent frame type=4
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:666] [C2469] about to send frame type=4, flags=1
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:720] [C2469] send data: bytes=9
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][connection] [external/envoy/source/common/network/connection_impl.cc:398] [C2469] writing 9 bytes, end_stream false
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:608] [C2469] sent frame type=4
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:666] [C2469] about to send frame type=8, flags=0
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:720] [C2469] send data: bytes=13
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][connection] [external/envoy/source/common/network/connection_impl.cc:398] [C2469] writing 13 bytes, end_stream false
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http2] [external/envoy/source/common/http/http2/codec_impl.cc:608] [C2469] sent frame type=8
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][connection] [external/envoy/source/common/network/connection_impl.cc:462] [C2469] socket event: 2
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][connection] [external/envoy/source/common/network/connection_impl.cc:550] [C2469] write ready
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:259] [C2469] ssl write returns: 37
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][connection] [external/envoy/source/common/network/connection_impl.cc:462] [C2470] socket event: 3
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][connection] [external/envoy/source/common/network/connection_impl.cc:550] [C2470] write ready
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][connection] [external/envoy/source/common/network/connection_impl.cc:568] [C2470] delayed connection error: 111
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][connection] [external/envoy/source/common/network/connection_impl.cc:193] [C2470] closing socket: 0
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][client] [external/envoy/source/common/http/codec_client.cc:88] [C2470] disconnect. resetting 0 pending requests
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][pool] [external/envoy/source/common/http/http2/conn_pool.cc:152] [C2470] client disconnected
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][router] [external/envoy/source/common/router/router.cc:911] [C0][S9059969016458298666] upstream reset: reset reason connection failure
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][http] [external/envoy/source/common/http/async_client_impl.cc:93] async http request response headers (end_stream=true):
':status', '200'
'content-type', 'application/grpc'
'grpc-status', '14'
'grpc-message', 'upstream connect error or disconnect/reset before headers. reset reason: connection failure'

[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][filter] [external/envoy/source/extensions/filters/http/ext_authz/ext_authz.cc:244] [C2469][S10386582713969444678] ext_authz filter rejected the request with an error. Response status code: 403
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1354] [C2469][S10386582713969444678] Sending local reply with details ext_authz_error
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:1441] [C2469][S10386582713969444678] encode headers called: filter=0x559dc3646d20 status=0
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:1441] [C2469][S10386582713969444678] encode headers called: filter=0x559dc3554730 status=0
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][filter] [src/envoy/http/mixer/filter.cc:135] Called Mixer::Filter : encodeHeaders 0
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:1441] [C2469][S10386582713969444678] encode headers called: filter=0x559dc35ce1e0 status=0
[Envoy (Epoch 1)] [2020-06-09 11:42:20.799][46][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1552] [C2469][S10386582713969444678] encoding headers via codec (end_stream=true):
':status', '403'
'date', 'Tue, 09 Jun 2020 11:42:20 GMT'
'server', 'istio-envoy'