Does Istio have a default timeout for HTTP requests?

Yes, Istio applies a default 15-second timeout to all HTTP routes. If your upstream service takes longer than 15 seconds to respond, Istio will aggressively terminate the connection and return a 504 Gateway Timeout unless you explicitly configure the 'timeout' field in your VirtualService.

What does the Envoy access log flag 'UF,URX' mean?

'UF' stands for Upstream Failure, and 'URX' indicates the request was rejected due to a connection limit or failure to establish a connection. This combination frequently points to an mTLS configuration mismatch, a missing DestinationRule, or the upstream application crashing.

Why am I getting a 503 Connection Refused after enabling strict mTLS?

When PeerAuthentication is set to STRICT, the server's Envoy proxy will reject any incoming traffic that is not encrypted with Istio's mutual TLS. Ensure the client making the request also has an Envoy sidecar injected and that no DestinationRule is explicitly disabling TLS for that route.

How do I fix timeouts for a specific path but keep defaults for others?

You can configure granular timeouts in your VirtualService by defining multiple HTTP routes. Use 'match' conditions to target specific URIs (e.g., '/long-report') and set a custom 'timeout: 60s' for that block, while leaving the default timeout for the catch-all route.

My application works without Istio, but gets 'connection refused' with the sidecar injected. Why?

The most common culprit is that your application process is binding exclusively to '127.0.0.1' (localhost). Because the Envoy sidecar forwards traffic via the pod's internal network interface, the application must be configured to bind to '0.0.0.0' to accept requests from the proxy.

Troubleshooting Istio 504 Gateway Timeout and 503 Connection Refused Errors: A Comprehensive Guide

Troubleshooting Approaches Compared
Method	When to Use	Time	Risk
Increase VirtualService Timeout	When upstream legitimately requires >15s to process requests.	5 mins	Low
Inspect Envoy Access Logs	To decipher specific connection drop reasons via Envoy response flags.	10 mins	Low
Reconfigure PeerAuthentication	When 503s appear after enabling mTLS strictly across a namespace.	15 mins	High (Security)
Enable Envoy Debug Logging	When standard logs lack detail on why a connection is refused.	5 mins	Medium (Disk/CPU Overhead)

Understanding the Error

When operating microservices within an Istio service mesh, two of the most frustrating and common errors encountered are 504 Gateway Timeout and 503 Service Unavailable / Connection Refused. Because Istio injects an Envoy proxy sidecar into every pod, the network topology is significantly more complex than a standard Kubernetes cluster. A request from Service A to Service B traverses A's egress Envoy, the network, and B's ingress Envoy before ever hitting the application container.

When a timeout or connection refusal occurs, the root cause could reside in the application itself, the local sidecar, the remote sidecar, the ingress gateway, or the Istio control plane (istiod) failing to push the correct configuration.

The Anatomy of an Istio Timeout

By default, Istio enforces a 15-second timeout on all HTTP routes defined in a VirtualService, even if you haven't explicitly declared one. If your upstream application takes 16 seconds to generate a response, Envoy will terminate the connection at the 15-second mark, returning an HTTP 504 Gateway Timeout to the client. In the Envoy access logs, you will typically see the response flag UT (Upstream Request Timeout).

The Anatomy of Connection Refused

A 503 Connection Refused or 503 Service Unavailable is often more complex. It usually means the proxy attempted to open a TCP connection to the upstream service but was actively rejected. In an Istio environment, this is rarely a simple case of the application being down. More often, it is a configuration mismatch. Common causes include:

mTLS Mismatches: The client is sending plaintext, but the server expects mTLS (Strict mode), or vice versa.
DestinationRule Misconfigurations: The DestinationRule lacks the correct trafficPolicy for TLS, leading Envoy to use the wrong protocol.
Headless Services: Improper handling of Kubernetes headless services by Istio's service registry.
Port Naming: Kubernetes Service ports must be named according to their protocol (e.g., http-web, grpc-api). If named incorrectly, Istio treats the traffic as raw TCP, leading to unexpected routing and connection behavior.

Step 1: Diagnose the Failure Domain

The first step in resolving either error is to determine where the failure is happening. Is it at the ingress gateway? The client sidecar? Or the server sidecar?

Inspecting Envoy Access Logs

Envoy access logs are your source of truth. By default, Istio might not log everything, so you may need to enable Envoy access logging globally or per-pod. Once enabled, examine the logs of the istio-proxy container.

Look for the Response Flags. They tell the story:

UT: Upstream Request Timeout. The upstream took too long.
UF,URX: Upstream Connection Failure. Envoy couldn't connect to the upstream. Often seen with 503s.
NR: No Route configured. Istio doesn't know where to send the traffic.
UPE: Upstream Protocol Error.

Using istioctl for Configuration Analysis

The istioctl CLI is indispensable for verifying what configuration the Envoy proxies are actually running.

Check Proxy Status: Ensure all proxies are synced with the control plane. istioctl proxy-status
Inspect Routes: If you suspect a timeout issue, check the route configuration for the specific client pod. istioctl proxy-config routes <client-pod-name> -n <namespace>
Inspect Clusters: If you suspect a connection refused/mTLS issue, inspect the Envoy clusters to see how the proxy expects to connect to the upstream. istioctl proxy-config clusters <client-pod-name> -n <namespace> --fqdn <upstream-service-fqdn>

Step 2: Fix 504 Gateway Timeouts

If you have confirmed via Envoy logs (UT flag) that the application is simply taking longer than the default 15 seconds, you need to explicitly override the timeout in your VirtualService.

Modifying the VirtualService Timeout

You must define the timeout field within the specific HTTP route of your VirtualService. Note that this timeout applies to the entire request lifecycle, including retries.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-long-running-service
  namespace: production
spec:
  hosts:
  - my-service.production.svc.cluster.local
  http:
  - route:
    - destination:
        host: my-service
    # Increase timeout to 60 seconds
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 20s

Crucial Note on Retries: If you configure retries, ensure your timeout is greater than or equal to attempts * perTryTimeout. Otherwise, the global timeout will trigger before all retries can complete.

Step 3: Fix 503 Connection Refused Errors

Resolving 503s requires verifying the network path and security policies.

1. Verify Kubernetes Service Port Naming

Istio relies on Kubernetes Service port names to determine the protocol. If your port is named my-port-8080 instead of http-8080, Istio treats it as TCP. This breaks L7 routing and can lead to connection refused errors when HTTP features are expected.

Incorrect:

ports:
- name: backend
  port: 8080

Correct:

ports:
- name: http-backend
  port: 8080

2. Validate mTLS and PeerAuthentication

If you recently enabled strict mTLS, non-mesh clients will receive connection refused errors. Conversely, if a client Envoy thinks the server requires mTLS, but the server does not, connections will fail.

Check your PeerAuthentication policies:

kubectl get peerauthentication --all-namespaces

If a namespace is set to STRICT:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT

Ensure the calling service also has an Envoy sidecar injected and is configured to originate mTLS. You can verify this using the istioctl experimental authn check-policies command.

3. Check DestinationRule Traffic Policies

If your PeerAuthentication is set up correctly, ensure your DestinationRule isn't inadvertently disabling mTLS for that specific host.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-service-dr
  namespace: production
spec:
  host: my-service.production.svc.cluster.local
  trafficPolicy:
    tls:
      # Ensure this aligns with your PeerAuthentication (e.g., ISTIO_MUTUAL)
      mode: ISTIO_MUTUAL

4. Application Binding

Finally, a classic non-Istio issue that is exacerbated by Istio: ensure your application is listening on 0.0.0.0 and not just 127.0.0.1 (localhost). The Envoy sidecar proxies traffic to the application container via the pod's network interface. If the app binds only to localhost, Envoy will receive a true 'Connection Refused' from the OS network stack within the pod.