I would say that RSTs are just good. Upon RST, the outgoing port is not put into the TIME_WAIT state:
https://stackoverflow.com/questions/38579973/why-does-the-rst-packet-not-need-the-time-wait-state

On Wed, Sep 10, 2025, 07:35 Dragos Pacher <[email protected]> wrote:

> Hi,
>
> I created a backend in a legacy 2.8.15 (running on public IP) to send
> traffic to another 2 public IPs haproxies running 3.0.11:
>
> # old LB 2.8.15 snippet
> defaults
>     log global
>     mode http
>     option dontlognull
>     option http-buffer-request
>     timeout connect 30s
>     timeout client 60s
>     timeout server 60s
>     timeout http-request 30s
>     timeout http-keep-alive 10s
>     timeout check 10s
> ...
>     redirect scheme https if !{ ssl_fc }
> ...
> backend proxy1
>     balance roundrobin
>     option tcp-check
>     option prefer-last-server
>     no option httpclose
>     server new_haproxy1 ip1:443 check ssl verify none
>     server new_haproxy2 ip2:443 check ssl verify none
>
> Basically I am throwing traffic from the old load balancer to another pair
> of new LBs over public IPs. I copied the SSL certificates to all LBs.
> Only TLS encrypted traffic flowing between the old and new LBs. Not ideal
> but a temporary solution until we can move the legacy app to the new LBs.
>
> But on the 3.0.11 sides I see a lot of messages like these: I guess they
> are generated by receiving RST packets instead of FIN ones:
>
> Sep 10 04:39:18 haproxy[210784]: ip-here:26762 [10/Sep/2025:04:39:18.001] https-in/9: ECONNRESET returned by OS
>
> When I look at legacy 2.8.15 with tcpdump I see that he's the one that
> sends the RST packets spam:
> (# tcpdump -i any -n host old-lb-public-ip and port 443) and I see the
> following - hope I extracted correctly:
>
> Normal 3-way handshake:
> 05:00:06.872569 Out IP old-lb.10934 > new-lb1.443: Flags [S] (SYN)
> 05:00:06.872814 In IP new-lb1.443 > old-lb.10934: Flags [S.] (SYN-ACK)
>
> Data exchange:
> 05:00:06.872999 Out IP old-lb.10934 > new-lb1.443: Flags [P.], seq 1:518, length 517
> 05:00:06.875709 In IP new-lb1.443 > old-lb.10934: Flags [P.], seq 1:3150, length 3149
> 05:00:06.875737 Out IP old-lb.10934 > new-lb1.443: Flags [.], ack 3150 (ACK)
>
> Final data and RST:
> 05:00:06.877244 Out IP old-lb.10934 > new-lb1.443: Flags [P.], seq 518:582, length 64
> 05:00:06.877346 Out IP old-lb.10934 > new-lb1.443: Flags [R.], seq 582 (RST)
>
> I attached a flow to better see the behavior.
> Can I get rid of these log RST packets spam?
>
> Thanks,
> Dragos
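The capture quoted in this thread can be summarised per connection to see which side ends each flow and whether it does so with RST or FIN. The script below is an added example, not part of the original messages and not HAProxy code; it assumes the line layout shown in the quoted tcpdump output, the function names are this example's own, and the second flow (port 10935) is constructed for contrast.

```python
import re

# Flow 10934 reuses the packets quoted in the thread (annotations dropped);
# flow 10935 is constructed here to show an orderly FIN close for contrast.
SAMPLE = """\
05:00:06.872569 Out IP old-lb.10934 > new-lb1.443: Flags [S]
05:00:06.872814 In IP new-lb1.443 > old-lb.10934: Flags [S.]
05:00:06.872999 Out IP old-lb.10934 > new-lb1.443: Flags [P.], seq 1:518, length 517
05:00:06.875709 In IP new-lb1.443 > old-lb.10934: Flags [P.], seq 1:3150, length 3149
05:00:06.875737 Out IP old-lb.10934 > new-lb1.443: Flags [.], ack 3150
05:00:06.877244 Out IP old-lb.10934 > new-lb1.443: Flags [P.], seq 518:582, length 64
05:00:06.877346 Out IP old-lb.10934 > new-lb1.443: Flags [R.], seq 582
05:00:07.100000 Out IP old-lb.10935 > new-lb1.443: Flags [S]
05:00:07.100200 In IP new-lb1.443 > old-lb.10935: Flags [S.]
05:00:07.100900 Out IP old-lb.10935 > new-lb1.443: Flags [F.], seq 1
05:00:07.101100 In IP new-lb1.443 > old-lb.10935: Flags [F.], seq 1
"""

# timestamp, optional In/Out column, "IP", source, destination, TCP flags
LINE = re.compile(r"^(\S+)\s+(?:(?:In|Out)\s+)?IP6?\s+(\S+) > (\S+): Flags \[([^\]]*)\]")

def classify_closes(text):
    """Return {flow: (kind, sender, time)} for the first RST or FIN of each flow."""
    closes = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a TCP packet line in the assumed layout
        ts, src, dst, flags = m.groups()
        flow = tuple(sorted((src, dst)))  # same key for both directions
        kind = "RST" if "R" in flags else "FIN" if "F" in flags else None
        if kind:
            closes.setdefault(flow, (kind, src, ts))  # first teardown packet wins
    return closes

def rst_senders(text):
    """Count abortive (RST) closes per sending host, with the port stripped."""
    counts = {}
    for kind, sender, _ in classify_closes(text).values():
        if kind == "RST":
            host = sender.rsplit(".", 1)[0]
            counts[host] = counts.get(host, 0) + 1
    return counts

if __name__ == "__main__":
    for flow, (kind, sender, ts) in classify_closes(SAMPLE).items():
        print(f"{flow[0]} <-> {flow[1]}: {kind} from {sender} at {ts}")
    print("RST closes by host:", rst_senders(SAMPLE))
```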

