Sometimes haproxy returns RST to TLS Client Hello

yosnoop · April 9, 2022, 12:00pm

Hello,

We terminate SSL on our haproxy and most of time it works fine. At the peak hour, however, we see that the haproxy sometimes returns a reset packet (RST) to client’s TLS Client Hello when it’s supposed to return TLS Server Hello. Considering this happens only at the peak hour, I think it might be a performance issue. Thing is that the server’s CPU usage is not that high. The haproxy is configured with nbproc of 20 (the server has 28 cores.) and the CPU usage is less than 10% even at the peak. We also increased the tune.ssl.cachesize to 10000000 from the default value but it does not seem to mitigate the issue at all. Any idea or suggestion would be greatly appreciated.

Regards,
Ty

yosnoop · April 11, 2022, 10:06am

FYI. The haproxy used to run on a physical machine and it has since migrated to a virtual machine (KVM). The number of cores is same as before, so is the haproxy version. We did not have this SSL issue before the migration.

Topic		Replies	Views
Debug TLS session resumption & high CPU usage Help!	1	615	November 19, 2020
SSL Speed Problems? Help!	1	712	April 28, 2018
Haproxy repetitively sending reset packets Help!	2	2716	February 7, 2018
"SSL handshake failures" on big amount of requests Help!	3	8231	June 1, 2017
HAProxy high connection resets using proxy protocol Help!	1	1051	September 11, 2017

Sometimes haproxy returns RST to TLS Client Hello

Related Topics