Developer guide: Synthetic errors in VCL

If a fatal error occurs in your service while processing your VCL logic, Fastly will generate an error response with a 503 HTTP status, instead of using a response from an upstream server or cache, and unless intercepted by code running in vcl_error , this generated error may be served to the end user.

Error states can be triggered at any point in the VCL request lifecycle and will immediately terminate processing of the current subroutine and invoke vcl_error with a synthetic obj variable that contains information about the error. The value of obj.status is always 503 and obj.response is set to a descriptive name for the error. You can therefore intercept Fastly-generated errors by writing custom VCL in the vcl_error subroutine:

sub vcl_error { ... } Fastly VCL if ( obj.status = = 503 && obj.response = = "backend read error" ) { ... }

Possible errors

The following table itemizes the possible errors that may be generated by Fastly during VCL execution, their causes and possible troubleshooting actions.

HINT: obj.response is case sensitive and capitalization is somewhat inconsistent between different errors. Starting from HTTP/2 the HTTP response "reason" text ( obj.response ) is no longer sent along with the response, so if a Fastly generated error response is delivered to the end user unmodified, it is typically not possible to know what the specific error was.

IMPORTANT: This table describes errors generated during VCL processing, but Fastly may also generate error responses from our routing systems. Learn more.

Since VCL errors trigger vcl_error and run your VCL code, it is possible to intercept these and serve a custom error page instead of allowing the synthetic error to be seen by end users.

Memory overflows

During VCL execution, exceeding some limits will cause the VCL program to terminate immediately, without invoking vcl_error . In these cases a 503 error is always generated and emitted to the client, and cannot be modified by your service configuration. The most common types of overflows are:

Workspace exhaustion : VCL programs allocate memory greedily and free it when the request ends. Use workspace.bytes_free to understand how much workspace is available.

: VCL programs allocate memory greedily and free it when the request ends. Use to understand how much workspace is available. Header overflows: VCL programs may only define around 90 HTTP headers in total. The exact number available to your program depends on the number of headers used by Fastly during your request.

Troubleshooting options

This is a description of some of the most common and effective actions that can help resolve elevated rates of synthetic errors in your VCL service.

WARNING: Purging cache in response to unexplained elevated error rates may make things worse. Purges typically increase traffic to origin, which may exacerbate a problem rather than fixing it. Try to determine the cause of errors and be certain purging is the right solution.

Benchmark origin server response times

In situations where Fastly is emitting errors relating to backend connections, it's often useful to check backend response times independently. Many outside factors cause backends response times to vary. Run the following command to estimate response time for benchmarking purposes:

$ curl -s -w "%{time_total}

" -o /dev/null http://example.com/path/to/file

This can help you understand the typical performance characteristics of an origin server and decide on appropriate timeout settings - or reveal issues with an origin server's performance that you may need to debug outside of Fastly.

Increase origin timeouts

Timeouts apply to multiple stages of the request when Fastly makes requests to a backend, and these can be configured as properties of the backend in the API, UI or CLI. In the case of errors like backend read error , backend write error , connection timed out , or first byte timeout , first check the performance of the origin server. Our defaults are generous, and hitting these timeouts generally indicates a very poorly performing origin server. However, if you need to, adjust the timeouts in the backend configuration, notably the first_byte_timeout property (also available in the web interface).

Timeout type Description VCL variable Connect Maximum duration Fastly will wait for a connection to this backend to be established. If exceeded, the connection is aborted and a synthetic 503 response will be presented instead. bereq.connect_timeout First byte Maximum duration Fastly will wait for the server response to begin after a TCP connection is established and the request has been sent. If exceeded, the connection is aborted and a synthetic 503 response will be presented instead. bereq.first_byte_timeout Between bytes Maximum duration that Fastly will wait while receiving no data on a download from a backend. If exceeded, the response received so far will be considered complete and the fetch will end. bereq.between_bytes_timeout

Except for requests flagged for PASS, Fastly enforces a 60 second timeout on requests between Fastly nodes at a single POP, which cannot be changed. Therefore, if your request transits more than one Fastly node at a single POP (as a result of clustering), the maximum connection and first byte timeouts are effectively 60 seconds on any requests that may produce a cacheable response.

If you want a timeout higher than 60s and do not need the response to be cached by Fastly, flag the request as PASS in vcl_recv :

return (pass);

If you do want to use the cache, but must have a maximum timeout higher than 60s, it's possible to disable clustering, but this will result in a significant degradation in cache performance because the response will be cached separately on each Fastly server.

If there are any external interfaces in front of the origin server, such as a load balancer or firewall, these may also apply their own timeouts.

Enable shielding

Enabling shielding may help resolve some backend related connection problems:

Shortening the distance needed to establish a connection, which may help avoid connection timeouts.

Reducing TCP handshakes resulting from using multiple POPs. This allows the origin to avoid slowdowns and to process only requests on a few connections from the shield POP, and may resolve issues resulting from holding open too many connections.

Improving cache hit ratio and request collapsing efficiency, which may significantly reduce overall traffic to origin.

Conversely, some issues can be created by enabling shielding, especially if you operate geographically distributed origin servers, so this option should be targeted to appropriate situations.

Review backend configuration

If your Fastly service is failing to connect to your origin server, some properties of the backend configuration are worth checking:

Port : Is your origin server listening on the port Fastly is configured to connect to?

: Is your origin server listening on the port Fastly is configured to connect to? Override host: Have you set the origin server's hostname into the "override host" property of the backend?

Ensure Fastly can reach the origin server

Fastly may not be able to connect to your origin server, even if it works from your local machine. Check that you do not have firewall rules that would prevent connections from Fastly's public IP ranges.

Check health check settings

Health checks will mark a backend as 'sick' if the conditions of the health check are not satisfied, which may happen even if the origin server appears to you to be working.

Check that the path configured in the health check exists on your origin server

Check that the health check traffic is not being blocked by origin firewall rules

Check that the health check conditions are reasonable. For example, if the health check's threshold is larger than its window , the check will never succeed.

Increase maximum concurrent origin connections

Fastly enforces a limit on the number of concurrent connections from a single Fastly edge node to a single origin host. In general, if you encounter this limit, first consider whether you could take action to reduce the number of connections required:

Consider making your responses more cacheable, allowing Fastly to respond to more requests without forwarding them to an origin server.

Improve (i.e., reduce) origin server response times, so that backend connections are used more efficiently.

Enable shielding, to reduce the overall number of requests that need to be forwarded to origin (thanks to improved cache hit ratio and more efficient request collapsing)

These actions should especially be considered if you encounter problems with less than 10,000 non-hit requests per second.

If you have determined that your origin is not the issue, increase the maximum connections limit to your origin or reach out to Fastly support for further help with this issue.

For missing or invalid certificates, download and replace the missing or incorrect certificate. If both the intermediate and root certificates are correct, insert a valid Server Name Indication (SNI) hostname in the origin TLS options of your Fastly service.