Problem: I have two HA Proxy servers. One of them works fine with TCP pass-through traffic but the other will randomly fail ~1% of connections. The configuration is identical on both servers.
I would like to know if there is some setting I am missing that is causing the problem. Could it be the different CentOS versions?
The failure causes a .NET application to throw the following exception: “System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The message or signature supplied for verification has been altered”
HA Proxy is set up to pass through the TCP requests to a series of appliances. The requests use TLS. The back-end round robins between them; however, even with just a single appliance it has the failures.
Working version:
CentOS Linux release 7.6.1810 (Core)
rh-haproxy18-haproxy-1.8.17-1.el7.x86_64
Error version:
CentOS Linux release 7.7.1908 (Core)
rh-haproxy18-haproxy-1.8.17-1.el7.x86_64
Thanks.
Share the output of haproxy -vv, uname -a, the full configuration and the logs of the failing requests.
“haproxy -vv” is not recognized as a command because I am using rh-haproxy18-haproxy-1.8.17-1.el7.x86_64. I’m not sure if there’s a different command to be used for the rhel version.
uname -a: Linux boxname 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Full configuration:
global
    log 127.0.0.1 local2
    external-check
    pidfile /var/run/haproxy.pid
    maxconn 32000
    user haproxy
    group haproxy
    daemon
    debug
    stats socket /var/lib/haproxy/stats

defaults
    mode http
    log global
    option httplog
    option dontlognull
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 32000

listen stats
    bind *:8080
    mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /

frontend localappliance
    bind *:9100
    option tcplog
    mode tcp
    default_backend appliance

backend appliance
    mode tcp
    balance roundrobin
    option log-health-checks
    option external-check
    default-server inter 60s
    external-check command /var/lib/haproxy/AHealthCheckScript.py
    server appliance1 someIp1:SomePort1 check
    server appliance2 someIp2:SomePort2 check
Logs of failing request:
For .NET it’s always “System.Security.Authentication.AuthenticationException”
On the HA Proxy side the logs look correct from what I can tell:
Oct 27 15:16:59 localhost haproxy[id]: someIp:SomePort [27/Oct/2019:15:16:59.498] localappliance appliance/appliance2 1/0/15 0 -- 1/1/0/0/0 0/0
Thanks for your help.