Apache Read Replica Is Promoted but Clients Still Pin the Old Primary

Introduction

Apache traffic failures in this group come from mismatched assumptions between the caller and the next hop. When read replica is promoted but clients still pin the old primary, the live path usually involves stale DNS data, dead keepalive sockets, broken certificates, or a route that points somewhere different from what the service believes it is using.

Symptoms

• The failure is intermittent instead of happening on every request
• The direct target works, but the routed or proxied path does not
• Errors increase after proxy, certificate, or network-path changes
• Retries sometimes succeed because a different route or socket is chosen

Common Causes

• DNS, discovery, or mirror configuration still points at an older target
• A proxy or load balancer reuses sockets longer than the upstream expects
• Only part of the fleet received the new certificate or dependency version
• Traffic is being routed through a path that the health check does not cover

Step-by-Step Fix

1. 1.Inspect the live state first
2. 2.Capture the active runtime path before changing anything so you know whether the process is stale, partially rolled, or reading the wrong dependency.

date -u
printenv | sort | head -80
grep -R "error\|warn\|timeout\|retry\|version" logs . 2>/dev/null | tail -80

1. 1.Compare the active configuration with the intended one
2. 2.Look for drift between the live process and the deployment or configuration files it should be following.

grep -R "timeout\|retry\|path\|secret\|buffer\|cache\|lease\|schedule" config deploy . 2>/dev/null | head -120

1. 1.Apply one explicit fix path
2. 2.Prefer one clear configuration change over several partial tweaks so every instance converges on the same behavior.

proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_read_timeout 30s;
resolver 1.1.1.1 1.0.0.1 valid=300s;
proxy_buffering off;

1. 1.Verify the full request or worker path end to end
2. 2.Retest the same path that was failing rather than assuming a green deployment log means the runtime has recovered.

nslookup service.internal 8.8.8.8
curl -vk https://service.internal/health
openssl s_client -connect service.internal:443 -servername service.internal

Prevention

• Publish active version, config, and runtime identity in one observable place
• Verify the real traffic path after every rollout instead of relying on one green health log
• Treat caches, workers, and background consumers as part of the same production system
• Keep one source of truth for credentials, timeouts, routing, and cleanup rules