I'm setting up a load-balanced service requiring stunnel with SSL on its front end. There are two hosts behind the load balancer running stunnel. The service behind stunnel does not speak SSL. Every few minutes the load balancer checks whether those stunnels are still alive by opening a TCP connection to the stunnel listening port. Now the problem is that stunnel closes those test connections with RST, and the load balancer takes that to mean the host is dead. This is without the "client = yes" option, because the service does not speak SSL:
load-balancer -> stunnel-host TCP D=1234 S=33007 Syn
stunnel-host -> load-balancer TCP D=33007 S=1234 Syn Ack
load-balancer -> stunnel-host TCP D=1234 S=33007 Ack
load-balancer -> stunnel-host TCP D=1234 S=33007 Fin Ack
stunnel-host -> load-balancer TCP D=33007 S=1234 Ack
stunnel-host -> load-balancer TCP D=33007 S=1234 Rst
On the other hand, with client=yes everything works fine:
load-balancer -> stunnel-host TCP D=123 S=33010 Syn
stunnel-host -> load-balancer TCP D=33010 S=123 Syn Ack
load-balancer -> stunnel-host TCP D=123 S=33010 Ack
load-balancer -> stunnel-host TCP D=123 S=33010 Fin Ack
stunnel-host -> load-balancer TCP D=33010 S=123 Fin Ack
load-balancer -> stunnel-host TCP D=123 S=33010 Ack
Is there any way to make stunnel without "client = yes" close the connection the "normal way", with FIN instead of RST?
stunnel is the latest version; the load balancer is some older F5 BigIP.
thanks sergei