Hi, this is sort-of speculative, but it would surprise me if the gist of it wasn't correct:

conntrackd syncs firewall state, but it doesn't sync TCP state, and it can't do anything to haproxy to make a haproxy instance think it already has an established connection. It's an interesting problem and maybe it can be done, but not with what we have right now, and this would also require changing or bypassing the TCP handling in the network stack of the OS. At least that's my expectation.

It surprises me that the download stalls and your backup haproxy doesn't send a RST - regardless of *firewall* state, TCP should react with an RST to packets from a completely unknown TCP session - but maybe you've set it up in some way that just leads to the packets being dropped silently? (It works with normal / iptables based forwarding, like detailed in http://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/ , because packets going through the forwarding never touch the actual TCP handling on the forwarder.)

Best,
Lukas
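The distinction drawn above (conntrack entries replicated by conntrackd versus TCP sockets that only exist in the kernel that performed the handshake) can be checked directly on the backup node after a failover. The following script is an added example, not code from the thread or from the conntrackd or haproxy projects: it cross-references the output of `conntrack -L` with the output of `ss -tn` and lists ESTABLISHED conntrack entries that terminate on a local address but have no matching local socket. Those are exactly the flows that the firewall will let through as "established" while the local TCP stack has never heard of them. The sample output embedded below is constructed to match the shape of those tools' output, the addresses are made up, and the set of local addresses is passed in by the caller rather than discovered.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `conntrack -L` output (not captured from a real host).
# Entry 1: replicated by conntrackd, terminates on the local VIP, no local socket -> orphan.
# Entry 2: terminates locally and has a socket -> fine.
# Entry 3: TIME_WAIT, not a live flow -> ignored.
# Entry 4: a forwarded flow between two remote hosts -> not our business, ignored.
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.10 sport=51234 dport=80 src=10.0.0.10 dst=10.0.0.5 sport=80 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=10.0.0.6 dst=10.0.0.10 sport=40001 dport=80 src=10.0.0.10 dst=10.0.0.6 sport=80 dport=40001 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=10.0.0.10 sport=40002 dport=80 src=10.0.0.10 dst=10.0.0.7 sport=80 dport=40002 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=192.168.1.2 dst=192.168.2.9 sport=33000 dport=443 src=192.168.2.9 dst=192.168.1.2 sport=443 dport=33000 [ASSURED] mark=0 use=1
"""

# Constructed sample in the shape of `ss -tn` output: only the second flow has a socket.
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0      0      10.0.0.10:80       10.0.0.6:40001
"""

# Original-direction tuple of a TCP conntrack entry: state, then the first src/dst/sport/dport.
_CT_RE = re.compile(
    r"^tcp\s+6\s+\d+\s+(?P<state>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text: str) -> List[Dict[str, object]]:
    """Return one dict per TCP conntrack line, using the original-direction tuple."""
    entries = []
    for line in text.splitlines():
        m = _CT_RE.match(line)
        if not m:
            continue  # non-TCP entries or unexpected lines are skipped
        entries.append({
            "state": m.group("state"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "sport": int(m.group("sport")),
            "dport": int(m.group("dport")),
        })
    return entries


def parse_ss(text: str) -> Set[Tuple[str, int, str, int]]:
    """Return the set of (local_ip, local_port, peer_ip, peer_port) for established sockets."""
    sockets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or a socket in another state
        local_ip, local_port = fields[3].rsplit(":", 1)
        peer_ip, peer_port = fields[4].rsplit(":", 1)
        sockets.add((local_ip, int(local_port), peer_ip, int(peer_port)))
    return sockets


def orphaned_flows(conntrack_text: str, ss_text: str,
                   local_addrs: Set[str]) -> List[Dict[str, object]]:
    """ESTABLISHED conntrack entries that terminate on a local address without a local socket.

    Forwarded flows (destination not local) are excluded: on a pure forwarder the
    absence of a socket is expected, which is why the conntrackd + forwarding setup works.
    """
    sockets = parse_ss(ss_text)
    orphans = []
    for e in parse_conntrack(conntrack_text):
        if e["state"] != "ESTABLISHED" or e["dst"] not in local_addrs:
            continue
        key = (e["dst"], e["dport"], e["src"], e["sport"])
        if key not in sockets:
            orphans.append(e)
    return orphans


if __name__ == "__main__":
    # On a real backup node you would feed in the live tool output, e.g.
    # subprocess.run(["conntrack", "-L"], ...) and subprocess.run(["ss", "-tn"], ...).
    for flow in orphaned_flows(CONNTRACK_SAMPLE, SS_SAMPLE, {"10.0.0.10"}):
        print("conntrack says ESTABLISHED, kernel has no socket:",
              f"{flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']}")
```

Any flow this reports is one the backup's TCP stack would normally answer with a RST when a segment arrives; if such flows exist but the client sees a stall instead of a reset, the firewall or routing configuration on the backup is dropping those segments before they reach the stack, which is the silent-drop case suggested above.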