>>> Chris Robertson <crobertson@xxxxxxx> 5/28/2008 5:03 PM >>> > Proxies. Plural. How are you spreading the traffic among the proxies. > A number of authentication requiring websites associate login > credentials with a source IP. Using a round robin load balancer > (without source NATing the outgoing requests from the multiple proxies) > can cause issues with such sites. As well, using authentication on a > intercepting (also called a transparent) proxy can cause issues such as > this. The traffic isn't being balanced among the proxies. I have multiple locations, 4 to be exact, all trying to access the same site with the same results. Each location uses it's own proxy. None of them are transparent and they all require authentication back to a single central LDAP server. > TCP_MISS/401 indicates the website returned a "Not Authorized" response, > which should cause your browser to prompt for authentication. With IE7, I get one prompt and then the "cannot display the webpage" message. With FF2, the prompt keeps popping up even with a valid login entry for the site until it's canceled. > Wow. Not a single TCP_MISS/200 or TCP_HIT/200. The only requests that > succeeded were cached content (TCP_MISS/304, with a parent of NONE). > So, from the evidence given, the machine that is "working" only appears > to be working because it is able to wrest a response from the cache that > allows it to use its locally cached copy... OK.....here's another bit from access.log with the TCP_MISS/200 from the "working" machine. My fault on the previous one in that all I visited was things that I'd already been to and cached. There are a lot of 401's in this but I only had to authenticate to the proxy itself and then once for the site. [root@phs-proxy squid]# tail -f access.log | grep www.k12.ar.us 1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html 1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html 1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- - 1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html 1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html 1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html 1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html 1212065924.051 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html 1212065924.064 39 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html 1212065924.073 21 170.211.125.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- - 1212065924.088 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html 1212065924.105 38 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html 1212065924.109 21 170.211.125.31 TCP_MISS/304 412 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- - 1212065924.128 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- text/html 1212065924.154 26 170.211.125.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- - 1212065933.702 855 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher DIRECT/165.29.214.2 text/html 1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- text/html 1212065936.319 2593 170.211.125.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher NONE/- application/pdf 1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html 1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher DIRECT/165.29.214.2 text/html 1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- application/pdf 1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html 1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- text/html 1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher NONE/- multipart/byteranges If you have any suggestions on what else to look for, I'm willing to try about anything. I captured some of the headers in FF on both the working and a nonworking machine but I can't make any sense of them. Also, if running tcpdump would help, I'm game to try that as well? Thanks, Rob -- This message has been scanned for viruses and dangerous content by The MailScanner at the Paragould School District, http://paragould.k12.ar.us, and is believed to be clean. ------------------------------------- Rob Asher Network Systems Technician Paragould School District (870)236-7744 Ext. 169
