diff --git a/ansible/roles/haproxy/defaults/main.yml b/ansible/roles/haproxy/defaults/main.yml
index ca5a3be975b1b1f6be206b1aacfe2317f6539c50..c596e03152800a2a8632ffdf267f5d8eb0911b10 100644
--- a/ansible/roles/haproxy/defaults/main.yml
+++ b/ansible/roles/haproxy/defaults/main.yml
@@ -90,4 +90,8 @@ haproxy_check_timeout: "10s"
 # Check http://www.haproxy.org/download/1.5/doc/configuration.txt for available options
 haproxy_defaults_balance: "roundrobin"
 
+# Avoid TCP connections refusing to die after VIP switch
+# https://bugs.launchpad.net/kolla-ansible/+bug/1917068
+haproxy_host_ipv4_tcp_retries2: "KOLLA_UNSET"
+
 kolla_externally_managed_cert: False
diff --git a/ansible/roles/haproxy/tasks/config-host.yml b/ansible/roles/haproxy/tasks/config-host.yml
index cad68d2c16dada8d2e4a074c7b7066260df5e66d..46b262c7a48bdf1d2d6e023c9d4a6806a94637aa 100644
--- a/ansible/roles/haproxy/tasks/config-host.yml
+++ b/ansible/roles/haproxy/tasks/config-host.yml
@@ -10,9 +10,10 @@
     sysctl_file: "{{ kolla_sysctl_conf_path }}"
   become: true
   with_items:
-    - { name: "net.ipv4.ip_nonlocal_bind", value: 1}
-    - { name: "net.ipv6.ip_nonlocal_bind", value: 1}
-    - { name: "net.unix.max_dgram_qlen", value: 128}
+    - { name: "net.ipv4.ip_nonlocal_bind", value: 1 }
+    - { name: "net.ipv6.ip_nonlocal_bind", value: 1 }
+    - { name: "net.ipv4.tcp_retries2", value: "{{ haproxy_host_ipv4_tcp_retries2 }}" }
+    - { name: "net.unix.max_dgram_qlen", value: 128 }
   when:
     - set_sysctl | bool
     - item.value != 'KOLLA_SKIP'
diff --git a/doc/source/reference/high-availability/haproxy-guide.rst b/doc/source/reference/high-availability/haproxy-guide.rst
new file mode 100644
index 0000000000000000000000000000000000000000..ae7d90171efac6bf651a7d72c62a7f0f083bbb65
--- /dev/null
+++ b/doc/source/reference/high-availability/haproxy-guide.rst
@@ -0,0 +1,47 @@
+.. _haproxy-guide:
+
+=============
+HAProxy Guide
+=============
+
+Kolla Ansible supports a Highly Available (HA) deployment of
+Openstack and other services. High-availability in Kolla
+is implented as via Keepalived and HAProxy. Keepalived manages virtual IP
+addresses, while HAProxy load-balances traffic to service backends.
+These two components must be installed on the same hosts
+and they are deployed to hosts in the ``haproxy`` group.
+
+Preparation and deployment
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+HAProxy and Keepalived are enabled by default. They may be disabled by
+setting the following in ``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   enable_haproxy: "no"
+   enable_keepalived: "no"
+
+Configuration
+~~~~~~~~~~~~~
+
+Failover tuning
+---------------
+
+When a VIP fails over from one host to another, hosts may take some
+time to detect that the connection has been dropped. This can lead
+to service downtime.
+
+To reduce the time by the kernel to close dead connections to VIP
+address, modify the ``net.ipv4.tcp_retries2`` kernel option by setting
+the following in ``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   haproxy_host_ipv4_tcp_retries2: 6
+
+This is especially helpful for connections to MariaDB. See
+`here <https://pracucci.com/linux-tcp-rto-min-max-and-tcp-retries2.html>`__,
+`here <https://blog.cloudflare.com/when-tcp-sockets-refuse-to-die/>`__ and
+`here <https://access.redhat.com/solutions/726753>`__ for
+further information about this kernel option.
diff --git a/doc/source/reference/high-availability/index.rst b/doc/source/reference/high-availability/index.rst
new file mode 100644
index 0000000000000000000000000000000000000000..176b859572c774871bd17289ce4bee4a69875e9b
--- /dev/null
+++ b/doc/source/reference/high-availability/index.rst
@@ -0,0 +1,10 @@
+=================
+High-availability
+=================
+
+This section describes high-availability configuration of services.
+
+.. toctree::
+   :maxdepth: 1
+
+   haproxy-guide
diff --git a/doc/source/reference/index.rst b/doc/source/reference/index.rst
index 358aef91e6412feda0652dc1e53eaa25af3d9655..c6631cfd08b94eaf63b5e23e61fd58ba303c1610 100644
--- a/doc/source/reference/index.rst
+++ b/doc/source/reference/index.rst
@@ -17,3 +17,4 @@ Projects Deployment Configuration Reference
    message-queues/index
    deployment-config/index
    deployment-and-bootstrapping/index
+   high-availability/index
diff --git a/releasenotes/notes/fix-TCP-connections-refusing-to-die-after-VIP-switch-5f9e811783c36041.yaml b/releasenotes/notes/fix-TCP-connections-refusing-to-die-after-VIP-switch-5f9e811783c36041.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..185ba8eb839c7112bb30898c1b9e5b67f4862e79
--- /dev/null
+++ b/releasenotes/notes/fix-TCP-connections-refusing-to-die-after-VIP-switch-5f9e811783c36041.yaml
@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Added a new haproxy configuration variable,
+    ``haproxy_host_ipv4_tcp_retries2``,
+    which allows users to modify this kernel option.
+    This option sets maximum number of times a TCP packet is retransmitted
+    in established state before giving up. The default kernel value is 15,
+    which corresponds to a duration of approximately between 13 to 30
+    minutes, depending on the retransmission timeout. This variable can be used
+    to mitigate an issue with stuck connections in case of VIP failover,
+    see `bug 1917068 <https://bugs.launchpad.net/kolla-ansible/+bug/1917068>`__
+    for details.