Common 503 errors on Fastly

Varnish, the software that powers the Fastly CDN, will sometimes return standardized 503 responses due to various issues that can occur when attempting to fetch data from your origin servers. The generic status text associated with a 503 error is "Service Unavailable." It can mean a wide variety of things. The most common reasons this generic text appears include:

  1. The origin server generated a 503 error and Fastly passed it through as is.
  2. The origin returned a 503 error without a response header, so Fastly used the default response.
  3. The status line of the HTTP response from the origin was not parsable.
  4. VCL code was run that used the "error" statement without an appropriate response status (e.g., error 503 instead of error 503 "broken thing").

The following list provides the most common non-generic, standardized 503 responses and basic explanations for each.


If you are seeing 503 errors, do not purge all cached content. Purge all overrides stale-if-error and increases the requests to your origin server, which could result in additional 503 errors.

Timeout errors

The following describes typical timeout errors you may encounter.

Error 503 backend read error

This error typically appears if a timeout error occurs when Fastly cache servers attempt to fetch content from your origins. It can also be due to a variety of transient network issues that might cause a read to fail (e.g., router failovers, packet loss) or an origin overload.

Benchmarking your backend response times. Many outside factors cause backends response times to vary. Repeated, consistent backend read errors frequently can be prevented by changing your backend timeout settings in the Fastly web interface. Start by running the following command to estimate response time for benchmarking purposes:

$ curl -s -w "%{time_total}\n" -o /dev/null

Increasing your backend timeout settings. After benchmarking some of the slower paths in your application, you should have an idea of your ideal backend response time. Adjust the backend timeout values on the Edit this host page in the Advanced options area. Also, if there is an external interface in front of the origin (such as a load balancer or firewall), review the timeouts for these interfaces.

Error 503 connection timed out

This error occurs if the request times out while waiting for Fastly to establish a TCP connection to your origin or waiting for your origin to respond to the request. Similar to backend read errors, connection timeouts can be caused by transient network issues, long trips to origin, and origin latency. Two common ways to alleviate these timeout errors include:

  • Increasing the connection timeout values set for the Fastly Host.
  • Setting up an origin shield. Setting up an origin shield provides two advantages:
    • Shortening the distance needed to establish a connection.
    • Reducing TCP handshakes resulting from using multiple POPs. This allows the origin to avoid slowdowns and to process only requests on a few connections from the shield.

Fastly enforces a 60 second timeout between nodes unless you're passing requests in vcl_recv.

Error 503 backend write error

This error is similar to the backend read error but occurs when Fastly sends information in the form of a POST request to the backend. This error can be resolved the same way as the backend read error.

Error 503 client read error

This error generally occurs because of a network issue between the client and Fastly. It can also occur when a user abandons the loading of a page (e.g., a page is loading too slowly and the user clicks stop in the browser). It is similar to the backend read error but occurs when reading information from a client. If you get this error, contact Fastly support for help identifying the network issue.

Error 503 backend fetch failed

This error occurs when the connection closes before Fastly cache servers are done reading the response. This error can occur when there is a missing or invalid Content-Length header on the response, although there may be other causes. To resolve this, verify that your origin includes either a Content-Length or a Transfer-Encoding: chunked header along with the response. If neither header is present, first ensure that one of them is added. If one of the headers is present, verify that the whole resource can be received from the origin directly. If either header is present and the whole resource can be received from the origin, contact Fastly support for more assistance.

Error 503 first byte timeout

This error occurs when Fastly establishes a connection to your origin, but the origin doesn't start sending the response within the time you've configured for your first byte timeout. To resolve this, extend your first byte timeout for your origin.

By default, the first byte timeout is set to 15 seconds. You can extend the maximum timeout possible to 600s. However, be aware of the following:

  • If your origin is configured with a shield, the timeout maximum should be reduced to 60s.

  • Clustering limits the maximum timeout to 60s. If an object is cacheable, then to increase the maximum timeout of 60s you must disable clustering by adding the Fastly-No-Shield header in vcl_recv. If you decide to add the Fastly-No-Shield header, make sure your condition precisely targets the requirements that take more than 60 seconds as adding it will affect your cache hit ratio.

Origin and service configuration errors

The following describes typical origin and Fastly service configuration errors you may encounter.

503 Response object too large

If Fastly determines the object being fetched exceeds the resource size limit of your Fastly service, we will generate a 503 Response object too large response to the client. You can use the Segmented Caching feature to eliminate these errors.

Error 503 connection refused

This error occurs when Fastly attempts to make a connection to your origin over a specific port and the server refuses the connection. It typically appears when the wrong port is specified for the Host in the Fastly web interface. To resolve this error, you may need to adjust your port number to ensure you're using the port needed to connect to your origin. If adjusting your port number doesn't work, you may also need review your origin configurations to ensure you're allowing connections from Fastly specific IPs.

Error 503 illegal Vary header from backend

This error occurs when a backend returns a malformed Vary header with its response. A well-formed Vary header tells Fastly to serve a different version of an object based on the value of the request header included within it.

Error 503 network unreachable

This error appears when Fastly can't find a route to the given IP range. This generally occurs because of misconfigured or non-operational routers. To resolve this error, check your routers to ensure they are operational or configured correctly.

Origin health errors

The following describes typical origin health errors you may encounter.

Error 503 backend is unhealthy

This error appears when custom health checks report a backend as down. It typically occurs when a Fastly edge server receives a client request and must make a request to your origin, but because the backend is considered unhealthy, Fastly doesn't try to send the request at all. Some of the reasons this error may occur are:

  • the origin took too long to respond to the request
  • there are transient network issues and the health check couldn't get to the origin
  • the health check was misconfigured, or the resource the health check is checking against was removed or altered in some way

To resolve this error, check to make sure your origin is configured correctly and the object the health check is requesting exists at the specified location.

Error 503 no stale object available

This error occurs when you configure Fastly to serve stale objects in the event of a backend failure but the stale object has expired and your backend is still failing for some reason (thus, no stale object is available). To resolve this error, you will need either to fix your origin or check your network.

Connection limit errors

The following describes typical connection limit errors you may encounter.

Error 503 backend.max_conn reached

This error occurs when Varnish makes a request to a backend in your Fastly service that has reached its defined maximum number of connections. By default, Fastly limits you to 200 origin connections from a single edge node to protect the origins from overload. For the majority of sites, this should be enough. If you get this error message with less than 10,000 non-hit requests per second, make sure your origin is responding normally (e.g., there are no origin slow downs). If you just increase the number of maximum connections, you may be exacerbating the problem. If you have determined that your origin is not the issue, increase the maximum connections limit to your origin or reach out to Fastly support for further help with this issue. This error may also appear as "Error 503 maximum threads for service reached."

Error 503 maximum threads for service reached

This error occurs when Varnish detects that a service has exceeded a safety limit on the number of concurrent requests. Typically this indicates that a service is experiencing an unusually high load, that an origin is slow, or that features like request collapsing are being intentionally avoided.

Director errors

The following describes typical Director errors you may encounter.

Error 503 no healthy backends

This error occurs when a Director used for balancing requests among a group of backends (only available via the Fastly API) can't cache the specified content because there are no healthy backends available in its group.

Error 503 all backends failed or unhealthy

This error occurs when a Director used for balancing requests among a group of backends (only available via the Fastly API) fails because all the backends are unhealthy or multiple backends from which the Director tried to fetch information failed with the same error.

Error 503 quorum weight not reached

This error occurs when a Director used for balancing requests among a group of backends (only available via the Fastly API) can't serve traffic based on its configuration because it does not have enough available backends in its group.

To resolve any of these errors, you should either check for and resolve any issues with your origin or make sure the quorum setting is correct. Also, make sure you are setting the quorum setting correctly. For example, in a five backend director, 85% of the quorum will mark the director unhealthy if a single backend is unhealthy.

TLS errors

The following describes typical TLS errors you may encounter. You also can find information about other common TLS errors at your origin in the TLS origin configuration messages guide.

Error 503 SSL handshake error

This error occurs when TLS negotiation between Fastly and your origin fails. To fix this error, review and correct your host's TLS configurations.

Error 503 unable to get local issuer certificate

This error occurs when a certificate in the certificate chain is missing or invalid. To better determine which of these issues is the cause of the error, we suggest running an SSL test on your origin to highlight any issues with the certificate installed there. There are two common ways you can resolve this error:

  • For missing or invalid certificates, download and replace the missing or incorrect certificate.
  • If both the intermediate and root certificates are correct, insert a valid Server Name Indication (SNI) hostname in the origin TLS options of your Fastly service.

Error 503 hostname doesn't match against certificate

This error occurs when the certificate hostname specified in your service's origin TLS settings does not match either the Common Name (CN) or available Subject Alternate Names (SANs). To resolve this error, enter a certificate hostname value that matches the CN or SAN entries on your origin's certificate.

Error 503:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert

This error occurs when Server Name Indication (SNI) is required in the TLS handshake to origin, but the SNI hostname field is either blank or incorrect. To correct this error, enter a hostname value in the SNI hostname field. Often this will match the value specified in the certificate hostname field.

Error 503 error:1408F10B:SSL routines:ssl3_get_record:wrong version number

This error occurs when Fastly has a connection issue reaching your origin, usually due to a mismatch between Fastly's TLS settings and the origin's TLS settings. To resolve this error, review and correct your host's TLS configurations if discrepancies exist between your origin and Fastly. Ensure the Server Name Indication (SNI) value matches the domain used on the certificate where connection from Fastly is expected.

You can verify that the domain used on the origin certificate matches the SNI value by running the following command. Replace SSL_SNI_HOSTNAME with your SNI value.

openssl s_client -showcerts -connect 2a04:4e42:600::313:443 < /dev/null -servername SSL_SNI_HOSTNAME | openssl x509 -text`

If successful, this will return details about your certificate.

Error 503 certificate has expired

This error occurs when a certificate installed at the origin expires. To resolve this, renew your certificate or download a new one.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support.