Hello!
Trying to set up HAProxy in the cloud to forward requests via an IPSec tunnel to the office network.
I'm getting this kind of error in the logs:
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: Health check for server qpol/qpol failed, reason: Layer6 timeout, check duration: 2001ms, status: 0/3 DOWN.
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: [WARNING] (63523) : Server qpol/qpol is DOWN. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: Health check for server qpol/qpol failed, reason: Layer6 timeout, check duration: 2001ms, status: 0/3 DOWN.
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: Server qpol/qpol is DOWN. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: [NOTICE] (63523) : haproxy version is 2.4.24-0ubuntu0.22.04.1
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: [NOTICE] (63523) : path to executable is /usr/sbin/haproxy
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: [ALERT] (63523) : backend 'qpol' has no server available!
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: Server qpol/qpol is DOWN. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: backend qpol has no server available!
Mar 21 18:46:00 nt-cloud-haproxy haproxy[63523]: backend qpol has no server available!
This happens when I use the ssl directive in the backend:
backend qpol
option log-health-checks
http-send-name-header Host
http-request add-header http X-Forwarded-Proto:\ https
server qpol 10.0.2.28:443 check ssl verify none inter 2000 rise 3 fall 3
When I remove the ssl directive it looks OK:
Mar 21 18:51:49 nt-cloud-haproxy haproxy[65632]: Health check for server qpol/qpol succeeded, reason: Layer4 check passed, check duration: 12ms, status: 3/3 UP.
Mar 21 18:51:50 nt-cloud-haproxy haproxy[799]: [WARNING] (799) : Former worker #1 (63523) exited with code 0 (Exit)
But when I connect through my browser I get this:
[21/Mar/2024:18:52:51.513] https-web~ qpol/qpol 0/0/13/15/28 400 554 - - ---- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
When I try curl it freezes:
curl -v -I --trace-time --connect-timeout 50 https://files.q-pol.ru:8080
18:55:00.726316 * Trying 192.168.166.140:8080...
18:55:00.739700 * Connected to files.q-pol.ru (192.168.166.140) port 8080 (#0)
18:55:00.743684 * ALPN, offering h2
18:55:00.744503 * ALPN, offering http/1.1
18:55:00.794517 * CAfile: /etc/ssl/certs/ca-certificates.crt
18:55:00.795482 * CApath: /etc/ssl/certs
18:55:00.796650 * TLSv1.0 (OUT), TLS header, Certificate Status (22):
18:55:00.797440 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
18:55:50.727746 * SSL connection timeout
18:55:50.728164 * Closing connection 0
curl: (28) SSL connection timeout
My full config is below; maybe someone has an idea what is happening?
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 10s
timeout client 10s
timeout server 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend https-web
bind *:80
bind *:443 ssl crt /etc/ssl/qpol/qpol.pem
redirect scheme https code 301 if !{ ssl_fc }
mode http
default_backend qpol
backend qpol
option log-health-checks
http-send-name-header Host
http-request add-header http X-Forwarded-Proto:\ https
server qpol 10.0.2.28:443 check verify none inter 2000 rise 3 fall 3
Ping and traceroute are OK.
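
The two health-check outcomes in the post (Layer4 passed without ssl, Layer6 timeout with ssl) can be reproduced outside HAProxy with a probe that times the TCP connect and the TLS handshake separately. This is an added example, not part of the original post; `probe` and `silent_listener` are hypothetical names, and the silent listener is a constructed stand-in for a path where TCP connects but the handshake never completes.

```python
import socket
import ssl


def probe(host, port, timeout=2.0):
    """Return (layer4, layer6) for a backend, mirroring the check levels in the log.

    layer4: "ok" or "failed: ..." for the TCP connect.
    layer6: "ok", "timeout", "failed: ...", or None when the connect failed.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return (f"failed: {exc}", None)

    # Same trust setting as "verify none" in the post: no certificate validation.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # The timeout set on the TCP socket also bounds the TLS handshake.
        with ctx.wrap_socket(sock):
            return ("ok", "ok")
    except socket.timeout:
        return ("ok", "timeout")
    except (ssl.SSLError, OSError) as exc:
        # Some Python versions report a handshake timeout as a generic error.
        if "timed out" in str(exc):
            return ("ok", "timeout")
        return ("ok", f"failed: {exc}")


def silent_listener():
    """Constructed test peer: completes TCP connects via the listen backlog
    but never reads or answers, so a ClientHello gets no reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = silent_listener()
    print(probe("127.0.0.1", port, timeout=1.0))  # TCP connects, TLS stalls
    srv.close()
```

Run from the HAProxy host against the backend address in the config (10.0.2.28, port 443), the pair of results shows whether the stall is in the connect or in the handshake, independent of HAProxy's own check settings.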