When you run applications that use server-first protocols, such as MySQL, in Alibaba Cloud Service Mesh (ASM), the sidecar proxy's protocol detection can cause connection timeouts. To resolve this issue, you can explicitly declare the TCP protocol to bypass detection. Depending on your service deployment scenario, you can modify the port name, configure a ServiceEntry, or disable mutual Transport Layer Security (mTLS).
How timeouts occur
Server-first protocols, such as SMTP, MySQL, and DNS, require the server to send the first data packet after a TCP connection is established.
The ASM sidecar proxy has protocol auto-detection enabled by default. This creates a conflict with the connection process of server-first protocols:
Server side: The server's sidecar proxy intercepts the first packet from the client to detect the protocol. The proxy does not forward the connection to the server application until the detection is complete.
Client side: After the TCP handshake, the client waits for the server to send the first data packet. The client does not send any application data.
The sidecar proxy waits for the client to send data to detect the protocol. The client waits for data from the server, which is blocked by the sidecar proxy. This deadlock causes the client connection to time out.
Scenario 1: Both client and server are in the mesh
The server does not use a standard port
Method 1: You can use a standard port for the server. ASM handles these ports specially, so the sidecar proxy does not block the connection. The following table lists standard ports for common server-first protocol applications.
Protocol | Standard port
MySQL    | 3306
SMTP     | 25
DNS      | 53
MongoDB  | 27017
Method 2: You can modify the server's YAML configuration. Add the tcp- prefix to ports.name. The following YAML example is for a MySQL service that runs on the non-standard port 3307.

apiVersion: v1
kind: Service
metadata:
  name: my-mysql-svc
spec:
  ports:
    - name: tcp-mysql-port   # the tcp- prefix declares the protocol explicitly
      port: 3307
      targetPort: 3307
  selector:
    app: my-mysql-server
The server does not use a TLS connection
You can enable a TLS connection for the server. The TLS handshake requires the client to send a ClientHello message first. This satisfies the protocol detection requirement of the sidecar proxy, so the proxy does not block the connection.
Scenario 2: The client is in the mesh and the server is outside the mesh
You can enable the DNS proxy feature in ASM and then restart all client pods that need to access the external service. This action applies the proxy configuration.
You can create a ServiceEntry resource for the external service. In the port definition, explicitly declare the protocol as TCP. This configuration instructs the sidecar proxy to treat traffic to this external service as plain TCP traffic, which avoids protocol detection.
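The ServiceEntry described above, written out as an added example (not taken from the ASM documentation). It assumes an external MySQL server reachable from the mesh at the placeholder hostname mysql.example.internal on port 3306; the namespace default is also a placeholder.

```yaml
# Added example, not from the ASM documentation. The hostname and the
# namespace are placeholders; replace them with your own values.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-mysql
  namespace: default
spec:
  hosts:
    - mysql.example.internal
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 3306
      name: tcp-mysql
      # Declaring TCP explicitly tells the sidecar to skip protocol
      # detection, so the server-first MySQL handshake is forwarded at once.
      protocol: TCP
  # Limit the entry to this namespace so other workloads do not inherit
  # the egress route (least privilege; drop this to export mesh-wide).
  exportTo:
    - "."
```

If the external server has only a fixed IP address and no resolvable hostname, use resolution: STATIC with an endpoints list instead of resolution: DNS.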
Scenario 3: The client is outside the mesh and the in-mesh server does not use a TLS connection
You can disable mTLS for the port on the server workload. For more information, see PeerAuthentication.
Exposing a server directly without a TLS connection can create security risks. We recommend that you enable a TLS connection for the server.