My load test shows that when max_sessions is reached, new clients are rejected, but only after they've connected and completed TLS handshake.

This is not ideal as it still puts load on the LS server and handshake pool.

Is there a way to reject the connection straight away? Like sending a connection reset?

Please note that I just want to reject connection (i.e., create session requests). My LS deployment listens on two ports, one used for connection and the other for control requests. So I want to reject requests from one port (the connection port) ONLY.

A related question is what happens when handshake pool queue is full? Will this
a) block the server pool threads (because they hand over handshake task to handshake pool?), eventually fulling both queues, or
b) task is dropped and request eventually timeout on client side?