Haproxy Remote Desktop services 2016 not balancing

Hi
I have 8 Windows 2016 Remote Desktop servers and I’m using HAProxy 1.8 to try to load balance them using leastconn.

The first 24 connections got balanced nicely… but then most of the connections started to go to server4…

I commented out server4 from the config and did a reload…

The next set of connections started to balance on the other servers but then I noticed a lot of the connections started to hit server3…

Just wondering if anyone has come across this before

Cheers

Hi,
It would be helpful if you could share the following information:

  1. HAProxy logs for the duration when the requests start landing on a single server instead of being load balanced.
    [root@ha haproxy]# cat /var/log/haproxy/haproxy.log
  2. HAProxy stats and info for the duration when the requests start landing on a single server instead of being load balanced.
    [root@ha haproxy]# echo "show info" | socat unix-connect:/run/haproxy/admin.sock stdio
    [root@ha haproxy]# echo "show stat" | socat unix-connect:/run/haproxy/admin.sock stdio
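    For the above commands you need to install the socat utility and expose the stats over a socket, if not done already.
    To expose the HAProxy stats, add the following line to the global section of your configuration:
    stats socket /run/haproxy/admin.sock level admin
    (`level admin` also allows commands that change HAProxy's running state; the two read-only commands above do not need it, so keep the socket's file permissions restrictive.)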
  3. The haproxy configuration file.
    [root@ha ~]# cat /etc/haproxy/haproxy.cfg

Thanks,
Shivharsh

In the output below, more sessions were connecting to RDSH3 (I had commented out RDSH4 and reloaded HAProxy).

show_stat

pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,check_status,check_code,check_duration,hrsp_1xx,hrsp_2xx,hrsp_3xx,hrsp_4xx,hrsp_5xx,hrsp_other,hanafail,req_rate,req_rate_max,req_tot,cli_abrt,srv_abrt,comp_in,comp_out,comp_byp,comp_rsp,lastsess,last_chk,last_agt,qtime,ctime,rtime,ttime,agent_status,agent_code,agent_duration,check_desc,agent_desc,check_rise,check_fall,check_health,agent_rise,agent_fall,agent_health,addr,cookie,mode,algo,conn_rate,conn_rate_max,conn_tot,intercepted,dcon,dses,

ft_rdp,FRONTEND,5,25,2000,12549,610227160,26344663458,0,0,0,OPEN,1,2,0,0,0,0,6,0,0,0,0,0,0,0,tcp,0,6,12549,0,0,
bk_rdp,RDSH1,0,0,1,2,659,36155611,114621275,0,0,652,0,0,UP,1,1,0,1,0,120191,0,1,3,1,659,2,0,2,L7OK,0,0,6,652,2691,(tcp-check),0,0,0,66930,Layer7 check passed,2,3,4,172.29.101.1:3389,tcp,
bk_rdp,RDSH2,0,0,0,7,1399,150398669,6880928592,0,0,1396,0,0,UP,1,1,0,0,0,120191,0,1,3,2,1382,2,0,2,L7OK,0,0,3,1396,44,(tcp-check),0,0,0,331399,Layer7 check passed,2,3,4,172.29.101.2:3389,tcp,
bk_rdp,RDHS3,0,0,1,13,338,83446582,17594671089,0,0,335,0,0,UP,1,1,0,0,0,120191,0,1,3,3,312,2,0,4,L7OK,0,0,2,335,10,(tcp-check),0,1,0,556863,Layer7 check passed,2,3,4,172.29.101.3:3389,tcp,
bk_rdp,RDSH5,0,0,0,3,1488,101349017,507625097,0,0,1482,0,0,UP,1,1,0,0,0,120191,0,1,3,4,1488,2,0,3,L7OK,0,0,6,1482,10,(tcp-check),0,1,0,84971,Layer7 check passed,2,3,4,172.29.101.5:3389,tcp,
bk_rdp,RDSH6,0,0,1,3,2202,119547500,528569090,0,0,2191,0,0,UP,1,1,0,0,0,120191,0,1,3,5,2201,2,0,3,L7OK,0,0,9,2191,24,(tcp-check),0,0,0,51419,Layer7 check passed,2,3,4,172.29.101.6:3389,tcp,
bk_rdp,RDSH7,0,0,1,2,2029,95971214,385162770,0,0,2020,0,0,UP,1,1,0,0,0,120191,0,1,3,6,2029,2,0,2,L7OK,0,0,6,2020,22,(tcp-check),0,1,0,39196,Layer7 check passed,2,3,4,172.29.101.7:3389,tcp,
bk_rdp,RDSH8,0,0,1,2,251,23358567,333085545,0,0,240,0,0,UP,1,1,0,0,0,120191,0,1,3,7,250,2,0,3,L7OK,0,0,10,240,2691,(tcp-check),0,1,0,188960,Layer7 check passed,2,3,4,172.29.101.8:3389,tcp,
bk_rdp,BACKEND,0,0,5,25,200,12549,610227160,26344663458,0,0,0,8316,0,0,UP,7,7,0,0,120191,0,1,3,0,8321,1,0,6,42,8316,0,0,0,0,10,0,1,0,247702,tcp,leastconn,
stats,FRONTEND,0,1,2000,12,64250,2548077,0,0,0,OPEN,1,4,0,0,0,0,1,0,114,0,0,0,0,0,4,114,0,0,0,0,http,0,1,12,114,0,0,
stats,BACKEND,0,0,0,0,200,0,64250,2548077,0,0,0,0,0,0,UP,0,0,0,0,120191,1,4,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30787,0,0,0,238,http,roundrobin,

show_info
Name: HAProxy
Version: 1.7.11-1ppa1~xenial
Release_date: 2018/04/30
Nbproc: 1
Process_num: 1
Pid: 1900
Uptime: 1d 9h22m34s
Uptime_sec: 120154
Memmax_MB: 0
PoolAlloc_MB: 0
PoolUsed_MB: 0
PoolFailed: 0
Ulimit-n: 4039
Maxsock: 4039
Maxconn: 2000
Hard_maxconn: 2000
CurrConns: 5
CumConns: 12556
CumReq: 12670
MaxSslConns: 0
CurrSslConns: 0
CumSslConns: 0
Maxpipes: 0
PipesUsed: 0
PipesFree: 0
ConnRate: 0
ConnRateLimit: 0
MaxConnRate: 6
SessRate: 0
SessRateLimit: 0
MaxSessRate: 6
SslRate: 0
SslRateLimit: 0
MaxSslRate: 0
SslFrontendKeyRate: 0
SslFrontendMaxKeyRate: 0
SslFrontendSessionReuse_pct: 0
SslBackendKeyRate: 0
SslBackendMaxKeyRate: 0
SslCacheLookups: 0
SslCacheMisses: 0
CompressBpsIn: 0
CompressBpsOut: 0
CompressBpsRateLim: 0
ZlibMemUsage: 0
MaxZlibMemUsage: 0
Tasks: 19
Run_queue: 1
Idle_pct: 100
node: PNT-AP62

haproxy.cfg
# Process-wide settings: logging, chroot, runtime socket, privileges and TLS defaults.
global
# Log to the local syslog socket: facility local0 for everything, and facility
# local1 limited to messages of level "notice" and above.
log /dev/log local0
log /dev/log local1 notice
# Confine the running process to this directory.
chroot /var/lib/haproxy
# Runtime API socket. "level admin" allows state-changing commands as well as
# read-only ones such as "show stat" / "show info"; the 660 file mode is what
# limits who can reach it, so the owning user/group should stay tightly scoped.
stats socket /run/haproxy/admin.sock mode 660 level admin
# Idle timeout for a connection on the stats socket.
stats timeout 30s
# Run as an unprivileged account, detached from the terminal.
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
# NOTE(review): no "bind" line in this file carries the "ssl" keyword, so these
# TLS defaults are not exercised by the listeners shown (3389 and 9000).
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# Only SSLv3 is disabled here; no other protocol version is restricted by this line.
ssl-default-bind-options no-sslv3

# Settings inherited by every proxy section below unless that section overrides them.
defaults
log global
# HTTP is the inherited mode; ft_rdp and bk_rdp override it with "mode tcp" and
# "option tcplog", so in this file only the stats listener actually runs as HTTP.
mode http
option httplog
# Connections on which no data was exchanged are not logged. This also keeps
# bare probes and port scans of the listeners out of the log, which matters if
# the RDP port is reachable from untrusted networks.
option dontlognull
# Timeouts without a unit are in milliseconds (5 s connect, 50 s client/server);
# the RDP sections replace the client/server values with 1h.
timeout connect 5000
timeout client 50000
timeout server 50000
# Static response bodies returned for HAProxy-generated HTTP errors.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

# TCP-mode entry point for RDP clients; every connection is handed to bk_rdp.
frontend ft_rdp
mode tcp
# Listens on all local addresses. NOTE(review): nothing in this section
# restricts source addresses — confirm the port is filtered upstream if it is
# reachable from untrusted networks.
bind *:3389
timeout client 1h
log global
option tcplog
# Wait up to 2 s for the client's first packet so the RDP cookie can be read.
tcp-request inspect-delay 2s
# Stops inspection early once an RDP cookie is seen. There is no reject rule,
# so a connection that never sends a cookie is still accepted once the delay
# expires (the default action is accept).
tcp-request content accept if RDP_COOKIE
default_backend bk_rdp

# RDP session-host pool: leastconn for new keys, sticky on the RDP cookie afterwards.
backend bk_rdp
mode tcp
# leastconn only decides for connections that have no stick-table match below.
balance leastconn
timeout server 1h
timeout connect 20s
log global
option tcplog
# Persistence table keyed on a string of up to 32 characters, at most 10k
# entries, each entry dropped after 8h without use.
stick-table type string len 32 size 10k expire 8h
# A client whose mstshash value is already in the table is sent back to the
# same server regardless of leastconn, so many clients presenting the same
# value all pile onto one server.
# NOTE(review): mstshash is supplied by the client before authentication and is
# reportedly truncated by some RDP clients, so distinct users may share a key —
# check the logged cookie values before relying on it for distribution.
stick on rdp_cookie(mstshash)
# Health check is a plain TCP connect to port 3389; it does not speak RDP.
option tcp-check
tcp-check connect port 3389
# Check every 3 s; 2 consecutive successes mark a server up, 3 failures mark it down.
default-server inter 3s rise 2 fall 3
server RDSH1 172.29.101.1:3389 check port 3389
server RDSH2 172.29.101.2:3389 check port 3389
# This server is named "RDHS3" (not "RDSH3"); the same spelling appears in "show stat".
server RDHS3 172.29.101.3:3389 check port 3389
# RDSH4 was taken out of rotation while troubleshooting.
#server RDSH4 172.29.101.4:3389 check port 3389
server RDSH5 172.29.101.5:3389 check port 3389
server RDSH6 172.29.101.6:3389 check port 3389
server RDSH7 172.29.101.7:3389 check port 3389
server RDSH8 172.29.101.8:3389 check port 3389

# Built-in statistics page served over plain HTTP.
listen stats
# Listens on port 9000 on all local addresses, without TLS.
bind :9000
mode http
stats enable
# Hides the HAProxy version on the page.
stats hide-version
# The realm is only shown in an authentication prompt. No "stats auth" line is
# present, so the page (server names, addresses, traffic counters) is readable
# by anyone who can reach port 9000.
# NOTE(review): add "stats auth" and/or restrict the bind address or source networks.
stats realm Haproxy\ Statistics
stats uri /haproxy_stats

Your output shows HAProxy 1.7 instead of 1.8?

How did you solve this?