On Fri, Oct 2, 2015 at 1:48 PM, Daren Sefcik <dsef...@hightechhigh.org> wrote:
> I hope this is the right place to ask for help... if not, please flame me and
> send me on my way....
>
> So I had haproxy 1.5 installed (as a front end for a cluster of squid
> proxies) on a low end Dell server with pfsense (PFS) 2.1.5 and was
> experiencing slow down with 1500+ connections, so I built up a new PFS
> 2.2.4 machine on a brand new Dell R630 with 64gb RAM, Dual CPU, bad ass
> raid disks etc.... loaded and configured haproxy with several squid backends
> and some ICAP backends. Things work great until I hit about 1500 or more
> connections and then everything just slows to a crawl. Restarting haproxy
> helps momentarily but it will slow back down again very quickly. If I
> offload clients to the point of only 300-400 connections it will become
> responsive again. In the haproxy stats page it will show 97% idle or
> similar and the output from top will show maybe 5% cpu for haproxy. If I
> configure the browser client to use one of the squid backends directly it
> works fast but as soon as I put the browser proxy config back to use the
> haproxy frontend IP it will slow down.

The problem seems consistent with your connection tracking tables filling up.
You don't say if the 1500 concurrent connections create a lot of new
connections or if they are 1500 connections that last for a long time. If
your connection lifetime is short then the connection tracking tables
probably need to be tuned. I don't recall what the conntrack controls are
for FreeBSD but it's probably something in the pfctl utility, right?

-Bryan
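A way to check the state-table hypothesis from the reply above, as an added example that is not part of the original thread: on pfSense/FreeBSD the "connection tracking table" is pf's state table, whose occupancy is printed by `pfctl -s info` ("current entries", plus an "inserts" rate that tells you how many new states per second you are creating) and whose ceiling is printed by `pfctl -s memory` ("states hard limit"). The script below parses both outputs and reports utilization; the two sample outputs embedded in it are constructed for offline use and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): estimate pf state-table
# pressure from `pfctl -s info` and `pfctl -s memory` output.
# On a real box run:  pf_state_report "$(pfctl -s info)" "$(pfctl -s memory)"
# The sample outputs below are constructed; the column layout follows
# pfctl's, but the numbers are made up.

SAMPLE_INFO='Status: Enabled for 0 days 03:12:45           Debug: Urgent

State Table                          Total             Rate
  current entries                     9870
  searches                        12345678         1069.2/s
  inserts                           123456          210.7/s
  removals                          113586          209.8/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# pf_state_current INFO_TEXT -> number of states currently in the table
pf_state_current() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# pf_state_limit MEMORY_TEXT -> hard limit on the number of states
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && /hard limit/ { print $4 }'
}

# pf_insert_rate INFO_TEXT -> new states created per second (integer part);
# a high value relative to "current entries" means short-lived connections.
pf_insert_rate() {
    printf '%s\n' "$1" | awk '/^ *inserts/ { split($3, a, "/"); print int(a[1]) }'
}

# pf_state_pct CURRENT LIMIT -> integer percentage of the table in use
pf_state_pct() {
    echo $(( $1 * 100 / $2 ))
}

# pf_state_verdict INFO_TEXT MEMORY_TEXT -> ok (<80%), warn (>=80%), full (>=95%)
pf_state_verdict() {
    cur=$(pf_state_current "$1")
    lim=$(pf_state_limit "$2")
    pct=$(pf_state_pct "$cur" "$lim")
    if [ "$pct" -ge 95 ]; then echo full
    elif [ "$pct" -ge 80 ]; then echo warn
    else echo ok; fi
}

# pf_state_report INFO_TEXT MEMORY_TEXT -> one-line human-readable summary
pf_state_report() {
    cur=$(pf_state_current "$1")
    lim=$(pf_state_limit "$2")
    rate=$(pf_insert_rate "$1")
    printf 'states: %s / %s (%s%%), new states: %s/s, verdict: %s\n' \
        "$cur" "$lim" "$(pf_state_pct "$cur" "$lim")" "$rate" \
        "$(pf_state_verdict "$1" "$2")"
}

pf_state_report "$SAMPLE_INFO" "$SAMPLE_MEMORY"
```

If the table is near its ceiling, the limit is raised with `set limit states N` in pf.conf (in the pfSense GUI this is the "Firewall Maximum States" field under System > Advanced > Firewall & NAT). Note that a proxy in front of a cluster doubles the state count per client request on the firewall box (one client-to-haproxy state, one haproxy-to-backend state), which fits the symptom that the backends are fast when contacted directly while the haproxy process itself sits mostly idle.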