Haproxy - stick on RDP-cookie - what happens without cookie

Hi!

I am having a strange problem…
I am using Haproxy as RDP-loadbalancer to stick on the cookie:

  stick-table type string len 4 size 20k expire 12h store conn_cur,conn_rate(5m) peers loadbalancer_replication
  stick on rdp_cookie(mstshash)

Now the strange part: My monitoring is connecting without a cookie. I would expect that, as there is no new entry in the sticky-table, there is a fallback to the configured round-robin. But: The connections without a cookie are always assigned to the same backend-server.
When I check the sticky-table, there is no entry for the connection.

→ How can the connection be sticky, if there is no entry in the sticky-table?

Thank you for your thoughts
Stril

Hi Stril,

How many test clients are you using? HAProxy will tend to stick to one server anyway until you use multiple test clients.

I’m not sure your config file is correct either, have you included the inspection delay?
I’ve attached a working one here:

option tcpka
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
tcp-request content reject if { req_ssl_hello_type 1 }
stick-table type string size 10240k expire 12h peers loadbalancer_replication
stick on rdp_cookie(mstshash) upper
timeout client 12h
timeout server 12h

Ref: https://www.loadbalancer.org/blog/load-balancing-windows-terminal-server-haproxy-and-rdp-cookies/

Hi!

Inspection delay is set and everything is working perfectly as long as the RDP cookie does provide the username, but otherwise there is a stickiness without an entry in the sticky table.

IMHO, also multiple connections from ONE host should be balanced round robin, if there is no entry in the sticky table.

How does HAProxy maintain the stickiness?

In theory if you use:

balance leastconn

Then yes, new RDP connections from a different client IP should hit a different server.
But I think the same client IP will re-use the existing connection because option tcpka is being used to keep the connection alive.
I could be wrong though, I haven't tested this in a while.
Have you got some more information about how you are testing it?
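
What `rdp_cookie(mstshash)` has to work with, as an added example that is not part of the thread and not HAProxy's own code: a small Python parser for the X.224 Connection Request that returns the cookie value or nothing, plus the key a `type string len 4` table (as in the first post) would keep. The packets are constructed samples, and `build_cr`, `rdp_cookie` and `stick_key` are hypothetical helper names.

```python
import struct

def build_cr(cookie=None):
    """Build a constructed TPKT + X.224 Connection Request, with or without a cookie."""
    var = (b"Cookie: mstshash=" + cookie.encode() + b"\r\n") if cookie else b""
    var += struct.pack("<BBHI", 0x01, 0x00, 8, 0x00000003)   # RDP_NEG_REQ (TLS|CredSSP)
    # LI counts everything after itself: code(1) + dst-ref(2) + src-ref(2) + class(1) + var
    x224 = bytes([6 + len(var), 0xE0]) + b"\x00" * 5 + var
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT: version 3, length

def rdp_cookie(data, name="mstshash"):
    """Return the named cookie from a Connection Request, or None if it is absent."""
    if len(data) < 11 or data[0] != 3:            # not TPKT (for example a TLS hello)
        return None
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len > len(data) or data[5] != 0xE0:   # truncated, or not a Connection Request
        return None
    body = data[11:tpkt_len]                      # variable part after the fixed header
    prefix = b"Cookie: " + name.encode() + b"="
    end = body.find(b"\r\n")
    if not body.startswith(prefix) or end < 0:    # monitoring probe: no cookie line
        return None
    return body[len(prefix):end].decode("ascii", "replace")

def stick_key(data, key_len=4):
    """Key a 'type string len <key_len>' table would store; None means no entry."""
    value = rdp_cookie(data)
    # String keys longer than len are truncated before being stored.
    return None if value is None else value[:key_len]

if __name__ == "__main__":
    samples = [("user admin1", build_cr("admin1")),
               ("user admin2", build_cr("admin2")),
               ("probe without cookie", build_cr())]
    for label, pkt in samples:
        print(f"{label:22} cookie={rdp_cookie(pkt)!r:10} key={stick_key(pkt)!r}")
```

With `len 4`, the two different users share the key `admi` and therefore one stick-table entry, while the cookie-less probe yields no key, so `stick on` has nothing to store or look up for it.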