Hi Marcin,

On 4/12/19 6:10 PM, Marcin Deranek wrote:
> Hi Emeric,
> 
> On 4/12/19 5:26 PM, Emeric Brun wrote:
> 
>> Do you have ssl enabled on the server side?
> 
> Yes, ssl is on frontend and backend with ssl checks enabled.
> 
>> If it is the case, could you replace the health check with a simple tcp check 
>> (without ssl)?
> 
> What I noticed before is that if I (re)start HAProxy and reload immediately, no 
> stuck processes are present. If I wait before reloading, stuck processes show 
> up.
> After disabling checks (I still keep ssl enabled for normal traffic) reloads 
> work just fine (tried many times). Do you know how to enable TCP healthchecks 
> while keeping SSL for non-healthcheck requests?

I think you can do that this way:

Remove the option httpchk (or prefix it with "no": "no option httpchk" if it is 
configured in the defaults section)

and add the following 2 lines:

option tcp-check
tcp-check connect

This shouldn't perform the handshake but just validate that the port is open. 
The regular traffic will continue to use the ssl on server side.

 
>> Regarding the show info/lsof it seems there are no more sessions on client 
>> side but remaining ssl jobs (CurrSslConns) and I suspect the health checks 
>> to miss a cleanup of their ssl sessions using the QAT. (this is just an 
>> assumption)
> 
> In general, the instance where I test QAT does not have any "real" client traffic 
> except a small amount of healthcheck requests per frontend which are internally 
> handled by HAProxy itself. Still, a TLS handshake needs to take place. 
> There are many more backend healthchecks. Looks like your assumption was 
> correct.

Good! We continue to dig in that direction.

Another interesting trace would be to perform a "show sess" command on a 
stuck process through the master CLI.

R,
Emeric
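
The health-check change suggested in the message above, shown in place in a backend. This is an added example, not configuration from the original thread; the backend name, server names, addresses and CA file path are hypothetical.

```haproxy
backend be_app                          # hypothetical backend name
    mode http

    # Before (the setup described in the thread): "option httpchk" combined
    # with "ssl ... check" on the server lines, so every health check
    # performs a TLS handshake with the server.
    #
    #   option httpchk
    #   server app1 192.0.2.11:443 ssl verify required ca-file /etc/haproxy/ca.pem check
    #   server app2 192.0.2.12:443 ssl verify required ca-file /etc/haproxy/ca.pem check

    # After: a scripted TCP check whose only step is "connect".
    # The connect rule has no "ssl" parameter, so the check opens a plain
    # TCP connection to the server port and stops there.
    option tcp-check
    tcp-check connect

    # "ssl" stays on the server lines: regular traffic to the servers is
    # still encrypted and the server certificate is still verified.
    server app1 192.0.2.11:443 ssl verify required ca-file /etc/haproxy/ca.pem check
    server app2 192.0.2.12:443 ssl verify required ca-file /etc/haproxy/ca.pem check
```

A connect-only check confirms that the port accepts connections; it no longer detects an expired certificate or a failing TLS stack on the server, so that condition needs separate monitoring while this check is in use.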
