On 4/18/19 11:06 AM, Emeric Brun wrote:
> Hi Marcin,
>
> On 4/12/19 6:10 PM, Marcin Deranek wrote:
>> Hi Emeric,
>>
>> On 4/12/19 5:26 PM, Emeric Brun wrote:
>>
>>> Do you have ssl enabled on the server side?
>>
>> Yes, ssl is on frontend and backend with ssl checks enabled.
>>
>>> If it is the case could replace health check with a simple tcp check
>>> (without ssl)?
>>
>> What I noticed before is that if I (re)start HAProxy and reload immediately no
>> stuck processes are present. If I wait before reloading stuck processes show
>> up.
>> After disabling checks (I still keep ssl enabled for normal traffic) reloads
>> work just fine (tried many times). Do you know how to enable TCP healthchecks
>> while keeping SSL for non-healthcheck requests?
>
> I think you can do that this way:
>
> Remove the option httpchk (or prefix it by "no": "no option httpchk" if it is
> configured into the defaults section)
>
> and add the following 2 lines:
>
> option tcp-check
> tcp-check connect
>
> This shouldn't perform the handshake but just validate that the port is open.
> The regular traffic will continue to use the ssl
> on server side.
>
>
>>> Regarding the show info/lsof it seems there is no more sessions on client
>>> side but remaining ssl jobs (CurrSslConns) and I suspect the health checks
>>> to miss a cleanup of their ssl sessions using the QAT. (this is just an
>>> assumption)
>>
>> In general instance where I test QAT does not have any "real" client traffic
>> except small amount of healthcheck requests per frontend which are internally
>> handled by HAProxy itself. Still, a TLS handshake needs to take place.
>> There are many more backend healthchecks. Looks like your assumption was
>> correct.
>
> Good! We continue to dig in that direction.
>
> Another interesting trace would be to perform a "show sess" command on a
> stuck process through the master cli.

And also the "show fd"

R,
Emeric