On Mon, 1 Aug 2005, john allspaw wrote:
> their browsers spin and spin, and finally time out. this problem goes away when they disable their DSL firewall, so I suspect it's the Path MTU discovery issue.
Could also be a TCP windowing issue.
> httpd_accel_no_pmtu_disc on
> in squid.conf, but I hesitate to:
> # echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
> on the squids themselves, since it's production and I'm not 100% that it won't interrupt service.
It won't. This can be enabled/disabled freely.
> our squids sit behind a LB, with URL hash as its balancing algorithm.
Many load balancers and simple firewalls do have problems with modern TCP
implementations. A good idea to narrow down the problem is to compare the
traffic both outside and inside your LB, and to disable as many TCP
extensions as you can on the server.
The problematic areas are, in order:
- ECN
- PMTU discovery, but mostly in intercepting proxies.
- TCP window scaling
- TCP timestamping & PAWS
Try
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
This disables all TCP extensions, making TCP somewhat less efficient for
large transfers but considerably less complicated for various network
equipment (load balancers, firewalls, NAT devices etc) to deal with.
For a typical web server serving mostly small objects < 64 KByte the above
settings are often better than the default, but performance may suffer on
larger transfers.
Regards
Henrik
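Since the concern in this thread is flipping these sysctls on a production box, here is an added example (not from the thread or from Squid) that applies Henrik's four settings only after saving a snapshot of the current values, so the change can be reverted in one step. The function names and the SYSCTL_DIR override are assumptions of this example; on a real host leave SYSCTL_DIR at its default.

```shell
#!/bin/sh
# Added example: apply the reduced TCP-extension settings from the thread
# with a saved snapshot so they can be rolled back on a live server.
# SYSCTL_DIR is an assumed override so the functions can be exercised
# against a scratch directory instead of the live /proc tree.
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/ipv4}"

# The four keys and the values recommended in the thread, one per line.
TCP_EXT_SETTINGS="ip_no_pmtu_disc=1
tcp_window_scaling=0
tcp_ecn=0
tcp_timestamps=0"

# Save the current value of every key into the file $1 as key=value lines.
# Fails (without touching anything) if any key is unreadable.
tcp_ext_snapshot() {
    snap="$1"
    : > "$snap"
    for entry in $TCP_EXT_SETTINGS; do
        key="${entry%%=*}"
        [ -r "$SYSCTL_DIR/$key" ] || { echo "missing $SYSCTL_DIR/$key" >&2; return 1; }
        printf '%s=%s\n' "$key" "$(cat "$SYSCTL_DIR/$key")" >> "$snap"
    done
}

# Write a list of key=value lines ($1) into the sysctl tree.
tcp_ext_write() {
    for entry in $1; do
        key="${entry%%=*}"
        val="${entry#*=}"
        echo "$val" > "$SYSCTL_DIR/$key" || return 1
    done
}

# Snapshot first, then apply the reduced settings.
tcp_ext_apply() {
    tcp_ext_snapshot "$1" && tcp_ext_write "$TCP_EXT_SETTINGS"
}

# Put back exactly what tcp_ext_snapshot recorded in $1.
tcp_ext_restore() {
    tcp_ext_write "$(cat "$1")"
}

# Read one key's current value (handy for before/after checks).
tcp_ext_get() {
    cat "$SYSCTL_DIR/$1"
}
```

Run `tcp_ext_apply /root/tcp-ext.snap` while comparing captures inside and outside the load balancer, and `tcp_ext_restore /root/tcp-ext.snap` to go back if nothing changes.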