Random TCP Connection Failures

Problem: I have two HA Proxy servers. One of them works fine with TCP pass-through traffic but the other will randomly fail ~1% of connections. The configuration is identical on both servers.

I would like to know if there is some setting I am missing that is causing the problem. Could it be the different CentOS versions?

The failure causes a .NET application to throw the following exception: “System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The message or signature supplied for verification has been altered”

HA Proxy is set up to pass through the TCP requests to a series of appliances. The requests use TLS. The back-end round-robins between them; however, even with just a single appliance it has the failures.

Working version:
CentOS Linux release 7.6.1810 (Core)
rh-haproxy18-haproxy-1.8.17-1.el7.x86_64

Error version:
CentOS Linux release 7.7.1908 (Core)
rh-haproxy18-haproxy-1.8.17-1.el7.x86_64

Thanks.

Share the output of haproxy -vv, uname -a, the full configuration and the logs of the failing requests.

“haproxy -vv” is not recognized as a command because I am using rh-haproxy18-haproxy-1.8.17-1.el7.x86_64. I’m not sure if there’s a different command to be used for the rhel version.

uname -a: Linux boxname 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Full configuration:

global
    log 127.0.0.1 local2

    external-check
    pidfile /var/run/haproxy.pid
    maxconn 32000
    user haproxy
    group haproxy
    daemon
    debug

    stats socket /var/lib/haproxy/stats

defaults
    mode http
    log global
    option httplog
    option dontlognull
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 32000

listen stats
    bind *:8080
    mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /

frontend localappliance
    bind *:9100
    option tcplog
    mode tcp
    default_backend appliance

backend appliance
    mode tcp
    balance roundrobin
    option log-health-checks
    option external-check
    default-server inter 60s
    external-check command /var/lib/haproxy/AHealthCheckScript.py
    server appliance1 someIp1:SomePort1 check
    server appliance2 someIp2:SomePort2 check

Logs of failing request:
For .NET it’s always “System.Security.Authentication.AuthenticationException”

On the HA Proxy side the logs look correct from what I can tell:

Oct 27 15:16:59 localhost haproxy[id]: someIp:SomePort [27/Oct/2019:15:16:59.498] localappliance appliance/appliance2 1/0/15 0 -- 1/1/0/0/0 0/0

Thanks for your help.
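
Added example, not part of any post in this thread: a small Python parser for "option tcplog" lines like the one quoted above. It pulls out the timers, the bytes relayed from server to client, the termination state and the retry count, then counts per server the sessions worth a closer look when hunting for the ~1% of failing connections. The sample lines, client addresses and pid are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# "option tcplog" layout: client [accept_date] frontend backend/server
# Tw/Tc/Tt bytes_read term_state actconn/feconn/beconn/srv_conn/retries queues
TCPLOG = re.compile(
    r"haproxy\[[^\]]*\]: (?P<client>\S+) \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>\+?-?\d+) (?P<bytes>\+?\d+) "
    r"(?P<term>\S\S) \d+/\d+/\d+/\d+/(?P<retries>\+?\d+) \d+/\d+"
)

def parse_line(line):
    """Return the tcplog fields of one syslog line as a dict, or None."""
    m = TCPLOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("tw", "tc", "tt", "bytes", "retries"):
        rec[key] = int(rec[key].lstrip("+"))  # "+" marks logasap / redispatch
    return rec

def findings(rec):
    """List the reasons a session deserves a closer look (empty if none)."""
    reasons = []
    if rec["term"] != "--":
        reasons.append("termination state " + rec["term"])
    if rec["tc"] < 0:
        reasons.append("server connection never established")
    if rec["bytes"] == 0:
        reasons.append("0 bytes relayed from server to client")
    if rec["retries"] > 0:
        reasons.append("%d connect retries" % rec["retries"])
    return reasons

def flagged_per_server(lines):
    """Count flagged sessions per backend/server pair."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if findings(rec):
            counts[rec["backend"] + "/" + rec["server"]] += 1
    return counts

# Constructed sample lines in the thread's format (addresses are placeholders).
SAMPLE = [
    "Oct 27 15:16:59 localhost haproxy[1234]: 192.0.2.10:50112 [27/Oct/2019:15:16:59.498] localappliance appliance/appliance2 1/0/15 0 -- 1/1/0/0/0 0/0",
    "Oct 27 15:17:02 localhost haproxy[1234]: 192.0.2.10:50113 [27/Oct/2019:15:17:02.101] localappliance appliance/appliance1 1/0/840 5321 -- 1/1/0/0/0 0/0",
    "Oct 27 15:17:05 localhost haproxy[1234]: 192.0.2.11:50200 [27/Oct/2019:15:17:05.004] localappliance appliance/appliance2 1/-1/10002 0 sC 2/2/1/0/3 0/0",
]

if __name__ == "__main__":
    for server, n in flagged_per_server(SAMPLE).items():
        print(server, n)
```

Running the same functions over the logs of the working and the failing proxy and comparing the per-server counts shows whether the flagged sessions cluster on one host or one appliance.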