Hi Antonio Trujillo Carmona.

Thanks.

Antonio Trujillo Carmona wrote on Thu, 11 May 2017 12:24:00
+0200:

> On 11/05/17 at 11:23, Aleksandar Lazic wrote:
> > Hi Antonio Trujillo Carmona.
> >
> > Antonio Trujillo Carmona wrote on Thu, 11 May 2017 10:22:59
> > +0200:
> >  
> >> Why doesn't this configuration detect that a server is down?
> > Please can you post the output of haproxy -vv  
> $ haproxy -vv
> HA-Proxy version 1.5.18 2016/05/10
> Copyright 2000-2016 Willy Tarreau <[email protected]>
> 
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
>   OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
> USE_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents =
> 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.32 2012-11-30
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> 
> > Please can you post some logs as you have debug activated.  
> # haproxy -d -f /etc/haproxy/haproxy.cfg
> [WARNING] 130/120716 (27612) : parsing
> [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored
> because frontend 'RDP' has no backend capability
> [WARNING] 130/120716 (27612) : config : backend 'bk_rdp' uses
> tcp-check rules without 'option tcp-check', so the rules are ignored.

How about activating 'option tcp-check' as mentioned in the
warning?
In the config below it's commented out; any reason why?

It's also active in the doc, which you may know.

https://www.haproxy.com/doc/aloha/7.0/deployment_guides/microsoft_remote_desktop_services.html

Does this change anything?

Regards
aleks

> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result FAILED
> Total: 3 (2 usable), will use epoll.
> Using epoll() as the polling mechanism.
> [WARNING] 130/120717 (27612) : Server CitrixSF-SSL/CitrixSF03 is DOWN,
> reason: Layer4 connection problem, info: "Connection refused", check
> duration: 3ms. 1 active and 0 backup servers left. 0 sessions active,
> 0 requeued, 0 remaining in queue.
> [WARNING] 130/120718 (27612) : Server bk_rdp/gr43sterminal02 is DOWN,
> reason: Socket error, check duration: 12ms. 1 active and 0 backup
> servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> [WARNING] 130/120719 (27612) : Server bk_rdp/gr43sterminal01 is DOWN,
> reason: Layer4 timeout, check duration: 2001ms. 0 active and 0 backup
> servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
> [ALERT] 130/120719 (27612) : backend 'bk_rdp' has no server available!
> 
> Message from syslogd@localhost at May 11 12:07:19 ...
>  haproxy[27612]: backend bk_rdp has no server available!
> 
> Message from syslogd@localhost at May 11 12:07:19 ...
>  haproxy[27612]: backend bk_rdp has no server available!
> 
> 
> 
> but:
> # nmap gr43sterminal02 -p3389
> 
> Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-11 12:12 CEST
> Nmap scan report for gr43sterminal02 (10.104.23.141)
> Host is up (0.00072s latency).
> rDNS record for 10.104.23.141: gr43sterminal02.hvn.sas.junta-andalucia.es
> PORT     STATE SERVICE
> 3389/tcp open  ms-wbt-server
> 
> This one is up and the other down
> 
> if I comment out
> #       option ssl-hello-chk
> 
> both appear up
> # haproxy -d -f /etc/haproxy/haproxy.cfg
> [WARNING] 130/121803 (27722) : parsing
> [/etc/haproxy/haproxy.cfg:165] : 'timeout server' will be ignored
> because frontend 'RDP' has no backend capability
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result FAILED
> Total: 3 (2 usable), will use epoll.
> Using epoll() as the polling mechanism.
> [WARNING] 130/121804 (27722) : Server CitrixSF-SSL/CitrixSF03 is DOWN,
> reason: Layer4 connection problem, info: "Connection refused", check
> duration: 3ms. 1 active and 0 backup servers left. 0 sessions active,
> 0 requeued, 0 remaining in queue.
> 00000000:gr43stemis01.clicls[ffffffff:0009]
> 00000000:gr43stemis01.closed[ffffffff:0009]
> 00000000:gr43stemis01.clicls[ffffffff:000a]
> 00000000:gr43stemis01.closed[ffffffff:000a]
> 00000000:gr43stemis01.clicls[ffffffff:000b]
> 00000000:gr43stemis01.closed[ffffffff:000b]
> 00000000:gr43stemis01.clicls[ffffffff:000c]
> 00000000:gr43stemis01.closed[ffffffff:000c]
> 00000000:gr43stemis01.clicls[ffffffff:000d]
> 00000000:gr43stemis01.closed[ffffffff:000d]
> 00000000:RDP.accept(0007)=000a from [10.104.24.53:60969]
> 
> 
> only if I comment out
> #    option ssl-hello-chk
> #    tcp-check connect port 3389 ssl
> it seems to work, but I'm afraid that it checks the server, not the
> service, so if the server is up but the RDP service fails, haproxy will
> not detect it.
> 
> >  
> >> global
> >>     log 127.0.0.1 local0 debug
> >>     log 127.0.0.1 local1 notice
> >>     log 10.104.16.5 local7 debug
> >>         chroot /var/lib/haproxy
> >>         user haproxy
> >>         group haproxy
> >>         daemon
> >>     node GR43STEMIS01-BALANCEADOR-HA-SSL
> >>
> >> # To synchronize the session tables
> >> peers pares
> >> #    disable
> >>     peer gr43stemis01 10.107.20.7:1024
> >>     peer gr43stemis02 10.107.20.8:1024
> >>
> >> defaults
> >>     log     global
> >>         mode    http
> >>         option  dontlognull
> >>     option httpchk
> >>         retries 3
> >>         option redispatch
> >>         maxconn 5000
> >>         timeout connect 50s
> >>         timeout client  30min
> >>         timeout server 50s
> >> .../...
> >> frontend RDP
> >>     mode tcp
> >>     bind *:3389
> >>     timeout client 1h
> >>     timeout server 1h
> >>     tcp-request inspect-delay 5s
> >>     tcp-request content accept if RDP_COOKIE
> >> #    use_backend bk_rdp
> >>     default_backend bk_rdp
> >>    
> >> backend bk_rdp
> >>     mode tcp
> >>     balance leastconn
> >>     #balance rdp_coockie
> >>     timeout server 1h
> >>     timeout connect 4s
> >>     log global
> >>     stick-table type string len 32 size 10k expire 1h peers pares
> >>     stick on rdp_cookie(msthash)
> >>    
> >>     persist rdp-cookie
> >> #    option tcp-check
> >>     option ssl-hello-chk
> >> #    option tcpka
> >>
> >>     tcp-check connect port 3389 ssl
> >>
> >>     server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
> >>     server gr43sterminal02 10.104.23.141:3389 weight 1 check inter 2000 rise 2 fall 3
> >>
> >>
> >>
> >> Thanks.
> >> --
> >>
> >> Antonio Trujillo Carmona
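
An added example, not part of the original thread and not HAProxy's own code: a small Python check for the condition behind the warning quoted above ("uses tcp-check rules without 'option tcp-check', so the rules are ignored"). It assumes check options are mutually exclusive, that the last one declared is in effect, and that a backend inherits the one from the preceding defaults section; the function name and the trimmed sample are constructed for illustration.

```python
# Added example: flags backends whose tcp-check rules HAProxy would ignore.
CHECK_OPTIONS = {"httpchk", "ssl-hello-chk", "tcp-check", "smtpchk",
                 "mysql-check", "pgsql-check", "redis-check", "ldap-check"}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "peers"}

def ignored_tcp_check_rules(cfg_text):
    """Map proxy name -> effective check option, for proxies that declare
    tcp-check rules while a different (or no) check option is in effect."""
    inherited = None              # check option from the latest 'defaults'
    proxies = {}                  # name -> [effective check option, rule count]
    kind = name = None
    for raw in cfg_text.splitlines():
        # Simplification: treat every '#' as a comment start (no quoting).
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            kind, name = words[0], (words[1] if len(words) > 1 else words[0])
            if kind == "defaults":
                inherited = None  # assumption: a new defaults section starts clean
            elif kind in ("backend", "listen"):
                proxies[name] = [inherited, 0]
            continue
        check_opt = (words[1] if words[0] == "option" and len(words) > 1
                     and words[1] in CHECK_OPTIONS else None)
        if kind == "defaults" and check_opt:
            inherited = check_opt
        elif kind in ("backend", "listen"):
            if check_opt:
                proxies[name][0] = check_opt      # assumption: last one wins
            elif words[0] == "tcp-check":
                proxies[name][1] += 1             # a tcp-check rule line
    return {n: opt for n, (opt, rules) in proxies.items()
            if rules and opt != "tcp-check"}

# Constructed sample, trimmed from the configuration quoted in the thread.
SAMPLE = """\
defaults
    mode http
    option httpchk
backend bk_rdp
    mode tcp
#    option tcp-check
    option ssl-hello-chk
    tcp-check connect port 3389 ssl
    server gr43sterminal01 10.104.22.142:3389 weight 1 check inter 2000 rise 2 fall 3
"""
# Same sample with 'option tcp-check' enabled in place of ssl-hello-chk.
FIXED = SAMPLE.replace("#    option tcp-check\n    option ssl-hello-chk",
                       "    option tcp-check")
```

For the sample taken from the thread, the function reports bk_rdp with ssl-hello-chk as the check in effect; with 'option tcp-check' enabled instead, it reports nothing.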
