Sometimes haproxy returns RST to TLS Client Hello


We terminate SSL on our haproxy and most of the time it works fine. At the peak hour, however, we see that the haproxy sometimes returns a reset packet (RST) to the client’s TLS Client Hello when it’s supposed to return a TLS Server Hello. Considering this happens only at the peak hour, I think it might be a performance issue. The thing is that the server’s CPU usage is not that high. The haproxy is configured with nbproc of 20 (the server has 28 cores) and the CPU usage is less than 10% even at the peak. We also increased the tune.ssl.cachesize to 10000000 from the default value, but it does not seem to mitigate the issue at all. Any idea or suggestion would be greatly appreciated.


FYI: The haproxy used to run on a physical machine and it has since migrated to a virtual machine (KVM). The number of cores is the same as before, and so is the haproxy version. We did not have this SSL issue before the migration.