On Wed, Dec 9, 2015 at 12:13 PM, Eugene Istomin <E.Istomin at edss.ee> wrote: > Hello, > we have a problems with TLS offload using HaProxy: > > ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 440 byte(s) > ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 56 byte(s) > ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 440 byte(s) > ocserv[64521]: worker[vpn_name]: [SOME_IP] sending 56 byte(s) > ocserv[64521]: worker[vpn_name]: [SOME_IP] received 60 byte(s) (TLS) > ocserv[64521]: worker[vpn_name]: [SOME_IP] writing 52 byte(s) to TUN > ocserv[64521]: worker[vpn_name]: [SOME_IP] received 1070 byte(s) (TLS) > ocserv[64521]: worker[vpn_name]: [SOME_IP] unexpected CSTP length (have 52, should be 1062) > ocserv[64521]: worker[vpn_name]: [SOME_IP] worker-vpn.c:1094: error parsing CSTP data > ocserv[64521]: worker[vpn_name]: [SOME_IP] sending message 'sm: cli stats' to secmod > ocserv[64521]: worker[vpn_name]: [SOME_IP] sent periodic stats (in: 52, out: 1984) to sec-mod Which version of ocserv is that? Is that a random failure or happens consistently at a certain point. Please provide more info. For configuration I'd refer you to check the files used by tests/docker-ocserv/Dockerfile-fedora-proxyproto-unix. It uses proxy protocol over unix sockets and includes a traffic check so I would expect that it fully covers your scenario. regards, Nikos
