Skip to main content

Overview

This guide covers the most common issues encountered when working with Xloud Load Balancer — provisioning delays, member health failures, 503 errors, and TLS handshake problems.
For platform-level issues such as appliance provisioning failures or service agent outages, refer to the Load Balancer Admin Guide — Troubleshooting.

Provisioning Issues

Load balancer stuck in PENDING_CREATE

Cause: The load balancing agent did not receive or complete the provisioning request.Diagnose:
Check provisioning status
openstack loadbalancer show prod-web-lb \
  -c provisioning_status -c operating_status
If status remains PENDING_CREATE after 5 minutes, verify the appliance was created:
List appliances for this load balancer
openstack loadbalancer amphora list \
  --loadbalancer prod-web-lb
Resolution: Contact your platform administrator if the appliance does not appear. The load balancing service agent may need to be restarted.
A load balancer in PENDING_CREATE can be deleted and recreated. Use --wait to block until the status resolves: openstack loadbalancer delete --wait prod-web-lb
Cause: The appliance provisioning failed — common causes include exhausted management network DHCP pool or unavailable appliance image.Diagnose:
Check provisioning status detail
openstack loadbalancer show prod-web-lb -f json | python3 -m json.tool
Review the fault field for a specific error message.Resolution: This is a platform-level issue. See the Admin Guide for resolution steps.

Member Health Issues

Cause: Health monitor probes are failing. Common reasons:
  • Application not running on the configured member port
  • Security group blocking probe traffic from the load balancer VIP subnet
  • Health check URL returning a non-2xx status code
  • Application is not ready (still starting up)
Diagnose:
Show member detail
openstack loadbalancer member show pool-http <member-id>
Test the health endpoint directly from a host on the same subnet:
Test health endpoint manually
curl -v http://<member-ip>:<member-port>/health
Resolution: Verify that security groups allow ingress on the member port from the load balancer VIP address. Add a rule if missing:
Allow LB probe traffic in security group
openstack security group rule create \
  --ingress \
  --protocol tcp \
  --dst-port <member-port> \
  --remote-ip <lb-vip-address>/32 \
  <member-security-group>
Cause: The health check timeout is too short, or the application has slow response times under load.Resolution: Increase the health monitor timeout:
Increase health monitor timeout
openstack loadbalancer healthmonitor set hm-http \
  --timeout 10 \
  --delay 15

Traffic Issues

Cause: All pool members are DOWN or the pool is empty.Diagnose:
Check member operating status
openstack loadbalancer member list pool-http \
  -c address -c protocol_port -c operating_status
Resolution: Restore at least one member to ONLINE status by:
  1. Verifying the application is running on the member
  2. Confirming the health check URL returns HTTP 200
  3. Checking security group rules allow probe traffic
Cause: Member weights are unequal, or sticky sessions are routing traffic to a subset of members.Diagnose:
Check member weights
openstack loadbalancer member list pool-http \
  -c name -c weight -c operating_status
Resolution: Reset all member weights to equal values:
Normalize member weight
openstack loadbalancer member set pool-http <member-id> --weight 1

TLS Issues

Cause: Certificate container reference is invalid, the certificate has expired, or the private key does not match the certificate.Diagnose:
Verify TLS container is accessible
openstack secret container show <container-ref>
Check certificate expiration:
View certificate content
openstack secret get <cert-secret-ref> --payload | \
  openssl x509 -noout -dates
Resolution: Upload a valid certificate through Xloud Key Manager and update the listener’s TLS container reference:
Update listener TLS container
openstack loadbalancer listener set listener-https \
  --default-tls-container-ref <new-container-ref>

Status Reference

Provisioning StatusMeaning
ACTIVEResource is operational
PENDING_CREATEProvisioning in progress
PENDING_UPDATEUpdate in progress
PENDING_DELETEDeletion in progress
ERROROperation failed — inspect the fault field
Operating StatusMeaning
ONLINEResource is up and passing health checks
OFFLINEResource is administratively disabled
DEGRADEDSome sub-resources are in error
ERRORResource has failed health checks
NO_MONITORNo health monitor configured — traffic still sent

Next Steps

Health Monitors

Review health monitor configuration to resolve OFFLINE member issues.

Listeners

Verify listener protocol and TLS configuration after resolving issues.

Load Balancer Admin Troubleshooting

Platform-level diagnostics for appliance and service agent failures.

Create Load Balancer

Start fresh with a correctly configured load balancer if needed.