It's a problem which started up between 1 and 2 months ago, though I'm unfortunately unsure exactly when so I can't tie it to a particular update or similar. Before I submit a bug, it might be best to check I'm not just being thick.

To clarify, it seems there may well be two issues:

http://wiki.squid-cache.org/SquidFaq/SquidAcl gives "(110) Connection timed out" eventually. Checking a Wireshark dump shows that no traffic above the tcp layer occurs: no actual HTTP requests get made, just a lot of syns and acks with the same sort of errors as for this next address.

http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 does actually load, though on closer inspection, there are various tcp issues showing up in the network dump: "A segment before this frame was lost," "Duplicate to the ACK in frame: 65," & "This frame is a (suspected) out-of-order segment."

Both issues are (sadly) reproducible 100% at the minute, tested on Firefox 2.0.x & Fedora core 8 (x86_64) fully patched and IE 6 on WinXP pro (x86_32) fully patched.

Beneath is also the contents of /proc/sys/net/ipv4/tcp_* in case I've missed some ECN / window scaling / MTU / etc. type thing.

Much obliged,

Callum.

Contents of /proc/sys/net/ipv4/tcp_* :

/proc/sys/net/ipv4/tcp_abc: 0
/proc/sys/net/ipv4/tcp_abort_on_overflow: 0
/proc/sys/net/ipv4/tcp_adv_win_scale: 2
/proc/sys/net/ipv4/tcp_allowed_congestion_control: cubic reno
/proc/sys/net/ipv4/tcp_app_win: 31
/proc/sys/net/ipv4/tcp_available_congestion_control: cubic reno
/proc/sys/net/ipv4/tcp_base_mss: 512
/proc/sys/net/ipv4/tcp_congestion_control: cubic
/proc/sys/net/ipv4/tcp_dma_copybreak: 4096
/proc/sys/net/ipv4/tcp_dsack: 1
/proc/sys/net/ipv4/tcp_ecn: 0
/proc/sys/net/ipv4/tcp_fack: 1
/proc/sys/net/ipv4/tcp_fin_timeout: 30
/proc/sys/net/ipv4/tcp_frto: 0
/proc/sys/net/ipv4/tcp_frto_response: 0
/proc/sys/net/ipv4/tcp_keepalive_intvl: 75
/proc/sys/net/ipv4/tcp_keepalive_probes: 9
/proc/sys/net/ipv4/tcp_keepalive_time: 1800
/proc/sys/net/ipv4/tcp_low_latency: 0
/proc/sys/net/ipv4/tcp_max_orphans: 32768
/proc/sys/net/ipv4/tcp_max_ssthresh: 0
/proc/sys/net/ipv4/tcp_max_syn_backlog: 64
/proc/sys/net/ipv4/tcp_max_tw_buckets: 180000
/proc/sys/net/ipv4/tcp_mem: 390144 520192 780288
/proc/sys/net/ipv4/tcp_moderate_rcvbuf: 1
/proc/sys/net/ipv4/tcp_mtu_probing: 0
/proc/sys/net/ipv4/tcp_no_metrics_save: 0
/proc/sys/net/ipv4/tcp_orphan_retries: 0
/proc/sys/net/ipv4/tcp_reordering: 5
/proc/sys/net/ipv4/tcp_retrans_collapse: 1
/proc/sys/net/ipv4/tcp_retries1: 3
/proc/sys/net/ipv4/tcp_retries2: 15
/proc/sys/net/ipv4/tcp_rfc1337: 0
/proc/sys/net/ipv4/tcp_rmem: 4096 87380 4194304
/proc/sys/net/ipv4/tcp_sack: 0
/proc/sys/net/ipv4/tcp_slow_start_after_idle: 1
/proc/sys/net/ipv4/tcp_stdurg: 0
/proc/sys/net/ipv4/tcp_synack_retries: 3
/proc/sys/net/ipv4/tcp_syncookies: 1
/proc/sys/net/ipv4/tcp_syn_retries: 6
/proc/sys/net/ipv4/tcp_timestamps: 0
/proc/sys/net/ipv4/tcp_tso_win_divisor: 3
/proc/sys/net/ipv4/tcp_tw_recycle: 0
/proc/sys/net/ipv4/tcp_tw_reuse: 0
/proc/sys/net/ipv4/tcp_window_scaling: 0
/proc/sys/net/ipv4/tcp_wmem: 4096 16384 4194304
/proc/sys/net/ipv4/tcp_workaround_signed_windows: 0

On Wed, 2008-04-09 at 20:02 +0800, Adrian Chadd wrote:
> On Wed, Apr 09, 2008, C. Ham wrote:
> > Like http://wiki.squid-cache.org/SquidFaq/SquidAcl &
>
> Is that reproducible for you 100%? If so, could you please take a wireshark/tcpdump
> snapshot of the traffic exchange from server to Squid and then put it into the
> Squid bugzilla?
>
> Thanks,
>
>
> Adrian
>
> > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 for a
> > start. Both load fine if I bypass Squid, but neither will load properly
> > if I try and retrieve them via Squid. They'll take between 5 & 15
> > minutes to arrive and when they do, the content is usually partial and
> > the layout decidedly wrong.
> >
> > I've trawled through all the usual: ECN, tcp windows, OS specific things
> > and have set Wireshark loose on it. The network dumps just show Yahoo
> > mail working fine for the initial logon and subsequent referrals, but as
> > soon as it leaves the SSL session having verified the session
> > authentication and tries to retrieve the actual mail front page,
> > (http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 for
> > example) it slows to a crawl. Other than the speed I can't see anything
> > actually going wrong.
> >
> > I also get this on a variety of other sites, especially
> > www.guardian.co.uk and sometimes www.direct.gov.uk.
> >
> > Any help would be much appreciated as I've got disgruntled students /
> > tutors / staff and I'm very much in need of gruntling them again. If
> > that's a word. If not, I'll settle for quietening them down.
> >
> > Thanks,
> >
> >
> > Callum.
> >
> >
> > Stuff of note:
> >
> > Browsers: IE 6.x & Firefox 2.0.X
> > Fedora Core 7.
> > Kernel 2.6.23.15-80.fc7 on an i686 - Intel(R) Xeon - GNU/Linux.
> > squid-2.6.STABLE16-4.fc7 (Fc7 rpm).
> >
> > Non defaults from squid.conf:
> >
> > http_port 10.3.0.1:3128
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \? showFolder asp
> > no_cache deny QUERY
> > cache_mem 512 MB
> > cache_swap_low 50
> > cache_swap_high 95
> > maximum_object_size 8192 KB
> > cache_dir ufs /var/spool/squid 10000 16 256
> > cache_dir ufs /var/spool/squid2 10000 16 256
> > cache_access_log /var/log/squid/access.log
> > debug_options ALL,3
> > dns_nameservers 10.3.0.1 10.3.0.2
> > redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> > auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
> > "dc=quack,dc=org,dc=local" -D
> > "cn=LDAP_guest,OU=ADMIN,DC=quack,DC=org,DC=local" -w "XXXXXX" -f
> > sAMAccountName=%s -h 10.3.0.3
> > auth_param basic children 5
> > auth_param basic realm "Donkey Centre"
> > auth_param basic credentialsttl 5 minutes
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> > external_acl_type InetUsersGroup %LOGIN /usr/lib/squid/squid_ldap_group
> > -R -b "dc=quack,dc=org,dc=local" -D
> > "cn=LDAP_guest,OU=ADMIN,DC=quack,DC=org,DC=local" -w "XXXXXX" -f
> > "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%
> > a,ou=users,dc=quack,dc=org,dc=local))" -h 10.3.0.2
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563 2083
> > acl localip src 10.0.0.0/8
> > acl PURGE method PURGE
> > acl apache src 10.0.0.0/8
> > acl localnet proxy_auth REQUIRED src 10.0.0.0/8
> > acl InetAccess external InetUsersGroup SquidUsers
> > acl CONNECT method CONNECT
> > http_access allow PURGE localhost
> > http_access allow manager localip
> > http_access allow manager apache
> > http_access allow InetAccess
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > acl our_networks src 10.0.0.0/8
> > http_access allow our_networks
> > http_access allow localhost
> > http_access deny all
> > http_reply_access allow all
> > icp_access allow all
> > cache_mgr postmaster@xxxxxxxxxxxxxxxxxxx
> > mail_from squid@xxxxxxxxxxxxxxxxxxx
> > visible_hostname gate.quack.ducks.com.etc
> > cachemgr_passwd XXXXXX all
> > coredump_dir /var/spool/squid
> > extension_methods REPORT MERGE MKACTIVITY CHECKOUT
> >
> >
> > Excerpt from cache.log following request for
> > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0:
> >
> > 2008/04/08 15:57:00| fwdConnectStart:
> > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> > 2008/04/08 15:57:00| fwdConnectStart: got addr 0.0.0.0, tos 0
> > 2008/04/08 15:57:00| fd_open FD 39
> > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> > 2008/04/08 15:57:00| cbdataLock: 0x8cdd798
> > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 60
> > 2008/04/08 15:57:00| commConnectStart: FD 39, uk.mc260.mail.yahoo.com:80
> > 2008/04/08 15:57:00| cbdataLock: 0x8cdd798
> > 2008/04/08 15:57:00| cbdataLock: 0x8cdd7e8
> > 2008/04/08 15:57:00| cbdataLock: 0x8cdd7e8
> > 2008/04/08 15:57:00| cbdataValid: 0x8cdd7e8
> > 2008/04/08 15:57:00| ipcacheCycleAddr: uk.mc260.mail.yahoo.com now at
> > 87.248.111.187
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd7e8
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd798
> > 2008/04/08 15:57:00| storeUnlockObject: key
> > '27D91622B3E024FF88542C1541F6B2D3' count=3
> > 2008/04/08 15:57:00| cbdataFree: 0x8bec610
> > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bec610
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> > 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> > 2008/04/08 15:57:00| cbdataFree: 0x8d127a0
> > 2008/04/08 15:57:00| cbdataFree: 0x8d127a0 has 1 locks, not freeing
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8d127a0
> > 2008/04/08 15:57:00| cbdataUnlock: Freeing 0x8d127a0
> > 2008/04/08 15:57:00| comm_select: timeout 488
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd7e8
> > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout -1
> > 2008/04/08 15:57:00| commConnectFree: FD 39
> > 2008/04/08 15:57:00| cbdataFree: 0x8cdd7e8
> > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8cdd7e8
> > 2008/04/08 15:57:00| cbdataValid: 0x8cdd798
> > 2008/04/08 15:57:00| fwdConnectDone: FD 39:
> > 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> > 2008/04/08 15:57:00| fwdDispatch: FD 34: Fetching 'GET
> > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> > 2008/04/08 15:57:00| httpStart: "GET
> > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0"
> > 2008/04/08 15:57:00| storeLockObject: key
> > '27D91622B3E024FF88542C1541F6B2D3' count=4
> > 2008/04/08 15:57:00| cbdataLock: 0x8cead28
> > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 86400
> > 2008/04/08 15:57:00| getMaxAge:
> > 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> > 2008/04/08 15:57:00| cbdataLock: 0x8cead28
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8cdd798
> > 2008/04/08 15:57:00| comm_select: timeout 433
> > 2008/04/08 15:57:00| cbdataValid: 0x8cead28
> > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 900
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8cead28
> > 2008/04/08 15:57:00| comm_select: timeout 433
> > 2008/04/08 15:57:00| ctx: enter level 0:
> > 'http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0'
> > 2008/04/08 15:57:00| httpProcessReplyHeader: key
> > '27D91622B3E024FF88542C1541F6B2D3'
> > 2008/04/08 15:57:00| httpProcessReplyHeader: HTTP CODE: 200
> > 2008/04/08 15:57:00| storeExpireNow: '27D91622B3E024FF88542C1541F6B2D3'
> > 2008/04/08 15:57:00| storeGet: looking up
> > 88ECBC523E9AEA95834A7F145E64EC69
> > 2008/04/08 15:57:00| storeGet: looking up
> > 199F1E34B1E329E02396FA9A41720E7A
> > 2008/04/08 15:57:00| ctx: exit level 0
> > 2008/04/08 15:57:00| InvokeHandlers: 27D91622B3E024FF88542C1541F6B2D3
> > 2008/04/08 15:57:00| InvokeHandlers: checking client #0
> > 2008/04/08 15:57:00| cbdataLock: 0x8d87958
> > 2008/04/08 15:57:00| storeClientCopy2: 27D91622B3E024FF88542C1541F6B2D3
> > 2008/04/08 15:57:00| storeClientCopy3: Copying from memory
> > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > 2008/04/08 15:57:00| clientBuildReplyHeader: can't keep-alive, unknown
> > body size
> > 2008/04/08 15:57:00| cbdataLock: 0x88e9558
> > 2008/04/08 15:57:00| cbdataLock: 0x8d8c0e0
> > 2008/04/08 15:57:00| aclMatchAclList: checking all
> > 2008/04/08 15:57:00| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> > 2008/04/08 15:57:00| aclMatchIp: '10.2.2.16' found
> > 2008/04/08 15:57:00| aclMatchAclList: returning 1
> > 2008/04/08 15:57:00| httpReplyBodyBuildSize: Setting maxBodySize to 0
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> > 2008/04/08 15:57:00| cbdataUnlock: 0x88e9558
> > 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> > 2008/04/08 15:57:00| clientSendMoreHeaderData: Appending 1628 bytes
> > after 414 bytes of headers
> > 2008/04/08 15:57:00| cbdataLock: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataLock: 0x88e9a18
> > 2008/04/08 15:57:00| cbdataLock: 0x8d8c0e0
> > 2008/04/08 15:57:00| cbdataLock: 0x8cd8750
> > 2008/04/08 15:57:00| cbdataValid: 0x88e9a18
> > 2008/04/08 15:57:00| aclCheck: checking 'http_reply_access allow all'
> > 2008/04/08 15:57:00| aclMatchAclList: checking all
> > 2008/04/08 15:57:00| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> > 2008/04/08 15:57:00| aclMatchIp: '10.2.2.16' found
> > 2008/04/08 15:57:00| aclMatchAclList: returning 1
> > 2008/04/08 15:57:00| aclCheck: match found, returning 1
> > 2008/04/08 15:57:00| cbdataUnlock: 0x88e9a18
> > 2008/04/08 15:57:00| aclCheckCallback: answer=1
> > 2008/04/08 15:57:00| cbdataValid: 0x8cd8750
> > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > 2008/04/08 15:57:00| The reply for GET
> > http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0 is
> > ALLOWED, because it matched 'all'
> > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataFree: 0x8cd8750
> > 2008/04/08 15:57:00| cbdataFree: 0x8cd8750 has 1 locks, not freeing
> > 2008/04/08 15:57:00| cbdataValid: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataLock: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8cd8750
> > 2008/04/08 15:57:00| cbdataUnlock: Freeing 0x8cd8750
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8d8c0e0
> > 2008/04/08 15:57:00| cbdataFree: 0x8bd9a90
> > 2008/04/08 15:57:00| cbdataFree: Freeing 0x8bd9a90
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8d094a8
> > 2008/04/08 15:57:00| cbdataUnlock: 0x8d87958
> > 2008/04/08 15:57:00| commSetTimeout: FD 39 timeout 900
> > 2008/04/08 15:57:01| comm_select: timeout 350
> > 2008/04/08 15:57:01| cbdataValid: 0x8d094a8
> > 2008/04/08 15:57:01| storeClientCopy: 27D91622B3E024FF88542C1541F6B2D3,
> > seen 2042, want 2042, size 4096, cb 0x806cc8f, cbdata 0x8d094a8
> > 2008/04/08 15:57:01| cbdataLock: 0x8d094a8
> > 2008/04/08 15:57:01| cbdataLock: 0x8d87958
> > 2008/04/08 15:57:01| storeClientCopy2: 27D91622B3E024FF88542C1541F6B2D3
> > 2008/04/08 15:57:01| storeClientCopy3: Waiting for more
> > 2008/04/08 15:57:01| cbdataUnlock: 0x8d87958
> > 2008/04/08 15:57:01| cbdataUnlock: 0x8d094a8
> > 2008/04/08 15:57:01| comm_select: timeout 350
> > 2008/04/08 15:57:01| fd_open FD 76 HTTP Request
> > 2008/04/08 15:57:01| cbdataLock: 0x88e58a8
> > 2008/04/08 15:57:01| cbdataLock: 0x8db16e8
> > 2008/04/08 15:57:01| commSetTimeout: FD 76 timeout 300
> > 2008/04/08 15:57:01| aclMatchAclList: checking all
> > 2008/04/08 15:57:01| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> > 2008/04/08 15:57:01| aclMatchIp: '10.2.2.16' found
> > 2008/04/08 15:57:01| aclMatchAclList: returning 1
> > 2008/04/08 15:57:01| comm_select: timeout 331
> > 2008/04/08 15:57:01| cbdataLock: 0x8db16e8
> > 2008/04/08 15:57:01| parseHttpRequest: req_hdr = {Host: mail.yimg.com
> > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.8.1.13)
> > Gecko/20080325 Fedora/2.0.0.13-1.fc8 Firefox/2.0.0.13
> > Accept: image/png,*/*;q=0.5
> > Accept-Language: en-gb
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Proxy-Connection: keep-alive
> > Referer: http://uk.mc260.mail.yahoo.com/mc/welcome?.rand=21mu9pvlq1uo0
> > Proxy-Authorization: Basic XXXXXXXXXXXXXXX
> >
> > }
>