Intermittent 503 errors with passthrough routes - Client Hello timeout not missing SNI

Solution Verified

Issue

Intermittent 503 Service Unavailable errors occur when accessing applications through TLS routes (passthrough or edge-terminated) in OpenShift. The issue presents as two distinct symptoms:

  1. 503 Service Unavailable errors - This HTTP status code typically indicates the backend service is not running or unavailable, but in this case the backend pods are healthy, running without restarts, and serving traffic successfully at other times.

  2. HAProxy router access logs showing fe_no_sni~ and a <NOSRV> backend - This suggests that Server Name Indication (SNI) is missing from the TLS Client Hello. However, a packet capture shows that the SNI is present in the Client Hello messages.

    Example Router (HAProxy) log entry:

    2025-12-04T04:35:31.985979+00:00 router-default-xxx-xxx haproxy[23]: 10.nnn.nnn.nnn:42072 [04/Dec/2025:04:35:31.985] fe_no_sni~ openshift_default/<NOSRV> 0/-1/-1/-1/0 503 2655 - - SC-- 260/31/0/0/0 0/0 "POST /system/api/endpoint/v1 HTTP/1.1"

Both symptoms are misleading. The backend service is available, and the SNI is present in the Client Hello, yet the router fails to pass the connection to the correct application workload.
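As an added example (not part of this article or of the OpenShift router), the following Python parser reads router access-log lines in the HTTP format shown above and separates the misleading fe_no_sni~/<NOSRV> 503s from genuine backend 503s, which is the first thing to check when triaging this symptom. The two healthy sample lines and their backend names are constructed and assumed.

```python
import re
from collections import Counter

# OpenShift router (HAProxy) HTTP log line, as in the entry above:
#   <ts> <host> haproxy[pid]: client:port [accept_date] frontend backend/server
#   TR/Tw/Tc/Tr/Ta status bytes req_cookie resp_cookie termination_state ... "request"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) haproxy\[\d+\]: "
    r"(?P<client>[^:\s]+):(?P<port>\d+) \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tr>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<trsp>-?\d+)/(?P<ta>-?\d+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) .*\"(?P<request>[^\"]*)\""
)

def parse_line(line):
    """Parse one router access-log line into a dict; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("port", "tr", "tw", "tc", "trsp", "ta", "status", "bytes"):
        entry[key] = int(entry[key])
    return entry

def classify(entry):
    """Label an entry; 'no-sni-fallback' is the misleading 503 described in this article."""
    if entry["frontend"].startswith("fe_no_sni") and entry["server"] == "<NOSRV>":
        # Tw/Tc/Tr of -1 mean no backend connection was ever attempted: the connection
        # landed on the no-SNI fallback frontend instead of the route's own backend.
        return "no-sni-fallback"
    if entry["status"] == 503:
        return "backend-503"  # answered by a real backend server: a genuine availability problem
    return "ok"

def summarize(lines):
    """Count entries per label and collect (client, request) for the no-SNI fallback hits."""
    counts, fallback_clients = Counter(), []
    for line in lines:
        entry = parse_line(line)
        label = "unparsed" if entry is None else classify(entry)
        counts[label] += 1
        if label == "no-sni-fallback":
            fallback_clients.append((entry["client"], entry["request"]))
    return counts, fallback_clients

# Constructed sample: the entry from this article plus two made-up lines (assumed backend names).
SAMPLE_LOGS = [
    '2025-12-04T04:35:31.985979+00:00 router-default-xxx-xxx haproxy[23]: 10.nnn.nnn.nnn:42072 [04/Dec/2025:04:35:31.985] fe_no_sni~ openshift_default/<NOSRV> 0/-1/-1/-1/0 503 2655 - - SC-- 260/31/0/0/0 0/0 "POST /system/api/endpoint/v1 HTTP/1.1"',
    '2025-12-04T04:35:32.101000+00:00 router-default-xxx-xxx haproxy[23]: 10.0.0.7:42080 [04/Dec/2025:04:35:32.100] fe_sni~ be_edge_http:demo:myapp/pod:myapp-1:myapp:http:10.128.2.15:8080 0/0/1/12/13 200 1024 - - ---- 260/31/1/1/0 0/0 "GET /healthz HTTP/1.1"',
    '2025-12-04T04:35:33.250000+00:00 router-default-xxx-xxx haproxy[23]: 10.0.0.9:42091 [04/Dec/2025:04:35:33.249] fe_sni~ be_edge_http:demo:myapp/pod:myapp-1:myapp:http:10.128.2.15:8080 0/0/1/5/6 503 600 - - ---- 260/31/1/1/0 0/0 "GET /api HTTP/1.1"',
]
```

Run summarize() over a router pod's access log (oc logs on the router pod) to see how many 503s are the fallback pattern versus real backend errors, and which clients and paths are affected.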

Environment

  • OpenShift Container Platform
  • Red Hat OpenShift Service on AWS (ROSA)
    • 4.16 +
  • Azure Red Hat OpenShift (ARO)
    • 4.16 +
