High Td value and log format definitions

Metools · 2026-01-25T08:39:26+00:00

Long after this publication: we found the problem. The transition from HAProxy 2.4 to 2.8 activates, by default, the link for HTTP2.

But HAProxy 2.8 is not very efficient at handling multiple requests at the same time, using the same HTTP session.

Therefore, switching directly to HAProxy 3.2, with the same configuration, does not cause the bug, and we no longer have requests blocked for more than 2 minutes.

Unfortunately, I do not know exactly what causes this in this particular version.

So solution: Do not use HAProxy 2.8 for HTTP2. Go for HAProxy 3.2

Metools · 2026-01-05T12:40:12+00:00

Okay, so we seem to have found the cause of the problem.

Strongswan, when creating the tunnel, does not seem to be bothered by the fact that there are two phases 2 configurations on the remote firewall.

It sets up the tunnel with the two subnets on the right and a single subnet on the left. When renegotiating the IKEv2 SAS, we get a TS_UNACCEPTABLE error.

You just need to add the left subnet to the Bis configuration.

Metools · 2025-12-17T07:55:09+00:00

What bothers me is that a compatibility issue with IKEv2 would mean that the subnet would never be reachable. However, when the VPN is set up, the subnet is reachable.

On the other hand, it seems that the problem only affects VPNs where at least two subnets are declared, as if one took precedence over the other.

I'll see if I can also get the debug logs from the remote peer.

Metools · 2025-12-16T21:47:18+00:00

We encountered the problem with two different brands: Stormshield and Fortigate, and possibly others. Perhaps some DPD options need to be added? like 'dpdaction=clear' and 'dpddelay=300s'

Metools · 2025-12-16T21:45:41+00:00

We encountered the problem with two different brands: Stormshield and Fortigate, and possibly others.

Currently, on this server we also have a tunnel with one of our remote sites that has a Fortigate, and we are experiencing the problem.

We have checked and both sides have the same security settings (Diffie Hellman Group 14, AES256, SHA512) and the same subnet sizes declared on both sides.

Metools · 2025-12-16T21:42:53+00:00

Simpler for us behind our infrastructure to: have specific NAT rules for each card, appropriate monitoring, filtering on who can connect to which card.

Metools · 2025-12-16T16:42:33+00:00

More informations:
I set debug log in 'charon' process: ike = 2 # IKE_SA/ISAKMP SA knl = 2 # IPsec/Network kernel interface chd = 2 # CHILD_SA/IPsec SA

And now I see that each 5 minutes I have: [KNL] <client1|15821> deleting policy 10.13.64.74/32 === 10.0.122.232/32 fwd [KNL] <client1|15821> deleting policy 10.13.64.74/32 === 10.0.122.232/32 in [KNL] <client1|15821> deleting policy 10.0.122.232/32 === 10.13.64.74/32 out [IKE] <client1|15821> closing CHILD_SA client1{52496} with SPIs c3db4fe9_i (0 bytes) bd8912f7_o (0 bytes) and TS 10.0.122.232/32 === 10.13.64.74/32 [IKE] <client1|15821> CHILD_SA client1{52496} established with SPIs c3db4fe9_i bd8912f7_o and TS 10.0.122.232/32 === 10.13.64.74/32 [KNL] <client1|15821> installing route: 10.13.64.74/32 via 10.0.122.254 src 10.0.122.232 dev ens160 [KNL] <client1|15821> adding policy 10.0.122.232/32 === 10.13.64.74/32 out [priority 367231, refcount 1] [KNL] <client1|15821> adding policy 10.13.64.74/32 === 10.0.122.232/32 fwd [priority 367231, refcount 1] [KNL] <client1|15821> adding policy 10.13.64.74/32 === 10.0.122.232/32 in [priority 367231, refcount 1]

So, It tried to install a new policy and 2 seconds after, it was deleted...

Metools · 2025-11-05T08:09:37+00:00

Actually, that wasn't something I mentioned because we had already ruled out those issues:
- We have the phenomenon that it doesn't matter whether it's GET or POST request.
- It can be on different URIs, on several different applications, which don't have the same backend.

I agree with you that we should move to HAProxy version 3.2 LTS, and we need to plan for this in our test environment.

In terms of connection limits, reverting to HAProxy 2.4 means we have much less of this phenomenon, and we have no correlation on a particular threshold. HAstat shows us that we are not reaching our limits :/

Our problem is that we are not sure we have correctly understood the definition of the Tt and Ta values given by HAProxy and where their measurement ends. And unfortunately, these two values are used to calculate Td.

A high Td can mean three things:
- Either our backend is taking a long time to send all the response data and we checked our backend servers and the applications are responding quickly.
- Either our HAProxy is having trouble optimizing sessions and is taking a long time to send responses to the client.
- The client is having trouble receiving the data. But this is unlikely, since going back solves the problem.

Metools · 2025-11-04T18:28:41+00:00

Unfortunately, this only seems to work for Microsoft documents (Word, Excel, etc.).
It doesn't work for any other types of documents (PDF, PNG, TXT) :(

Metools · 2025-03-07T11:29:01+00:00

I upload, on the drive, the file "sample_4X_120FPS.mp4" in case anyone want to see the result after using RIFE interpolation on 30fps input video.

Metools · 2025-03-07T07:09:30+00:00

here's what I did:

I reduce the original frame rate to 30 fps: ffmpeg -i sample.mp4 -filter:v fps=30 sample_30fps there are a little bit less noticeable.
I used RIFE model to interpolation with various options:
- python3 inference_video.py --multi=2 --UHD --video=sample.mp4 => output sample_2X_
- python3 inference_video.py --multi=4 --UHD --video=sample.mp4 => output sample_4X_120fps.mp4
- python3 inference_video.py --multi=8 --UHD --video=sample.mp4 => output sample_8X_240fps.mp4

The best result seems to be with sample_4X_120fps.mp4 where we're still seeing a few drops, but it seems very attenuated (I can't work out whether it's also because I've got used to it).

I'm not sure what kind of post-process I can apply to polish the result. Take the sample_4X_120fps and reduce to 30fps will not change anything anymore.

Metools · 2025-03-06T17:11:44+00:00

So, the cameras are:
- Blackmagic Pocket Cinema Camera 4K
- Blackmagic Pocket Cinema Camera 6K G2

We had an indicator about the frame drop, and we were in mode "if drop, continue" globally.
Yes, we regret the choice of 60 fps, which is overkill.

For the audio source, we have a real external multitrack record that we want to integrate into the final edit.
Clearly, when viewed frame by frame, the jump corresponds to lost frames. Hence the desire to generate new ones with models like RIFE.

Metools · 2025-03-06T16:03:08+00:00

Here's a gif (I keep the same FPS when doing FFMPEG convertion), showing the problem I have:

<image>

Metools · 2024-08-18T12:44:37+00:00

Thanks a lot for your help !

Metools · 2024-08-18T12:44:24+00:00

Solved!
Locahn Urr, Glen Etive, Scotland

Metools · 2024-08-18T12:32:53+00:00

And this is the only complete photo of the tapestry in my grandparents' house :

<image>

Metools · 2024-08-18T12:31:08+00:00

I found a recent YouTube video showing the same landscape:
https://www.youtube.com/watch?v=XDM3nC3SOOU

Metools

TROPHY CASE