SSL terminates randomly using nginx-ingress on GKE

Friedrich Lindenberg

Aug 2, 2018, 9:24:15 AM
to Kubernetes user discussion and Q&A
Hi all, 

I'm trying to bind an nginx-ingress to a regional IP, and most of the time it works OK. Yet every 10 attempts or so the connection doesn't go through, and I get an aborted SSL connection like this: 

➜  ~ curl -vi https://bla.org/
*   Trying xx.xxx.xxx.xxx...
* TCP_NODELAY set
* Connected to bla.org (xx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to bla.org:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to bla:443

In the Chrome browser, this is shown as "ERR_SSL_VERSION_INTERFERENCE", and a reload of the page usually resolves it. Very sparsely, I've also seen the Google 404 page pop up. So I'm beginning to think that this isn't an nginx misconfiguration, but rather that the forwarding rule between the regional IP and my cluster randomly breaks down.

It may be worth mentioning that the cluster contains one node pool of preemptible machines with auto-scaling, so the set of nodes updates quite frequently (nginx-ingress-controller is NOT running on a preemptible node class). Is it possible that the GCE forwarding rule is updated too slowly and points to a machine that has already been deprovisioned?

Thanks for any pointers! 

- Friedrich 
