istio: Mysterious 503's on long running requests

Bug description We are seeing intermittent 503’s on long running requests. We have an endpoint that takes around 4 minutes to respond, and it can fail any time within that. We’ve seen as low as 6 s. Sometimes it completes without issue.

The flow looks like this:

[ingress-nginx-internal] -> [search-one]

It always fails in the same way:

• DC flag from the destination search-one envoy
• UC flag from the source ingress-nginx-internal envoy

sort_desc(sum(increase(istio_requests_total{destination_app="search-one", response_code!~"2.*"}[1h])) by (reporter, response_flags, source_app, destination_app) > 0)

{destination_app="search-one",reporter="destination",response_flags="DC",source_app="ingress-nginx-internal"} | 3.0252100840336134
{destination_app="search-one",reporter="source",response_flags="UC",source_app="ingress-nginx-internal"} | 3.0252100840336134

We’re at a bit of a loss at the moment, and wondering if you’ve seen anything like this before.

If we curl the application locally on the pod (bypassing envoy), we do not see a failure.

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure [ ] Docs [ ] Installation [x] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

Expected behavior Not to see 503’s on these long running requests.

Steps to reproduce the bug Very difficult to give you an exact reproducible state as it’s inconsistent. More than happy to screen share and live debug.

Version (include the output of istioctl version --remote and kubectl version) 1.3.3

How was Istio installed? Helm

Environment where bug was observed (cloud vendor, OS, etc) GKE 1.14

Additionally, please consider attaching a cluster state archive by attaching the dump file to this issue.