> And they are trying to contact on this address, and allowed by > icp_access & http_access? I have: acl from_localnetC src 192.168.0.0/16 icp_access allow from_localnetC http_access allow from_localnetC With udp_outgoing_address 255.255.255.255: 2008/07/01 12:16:39| Accepting ICP messages at 192.168.17.11, port 3130, FD 15. And now they DO talk to each other... :/ Only thing I changed I think is icp_query_timeout 3000 (instead of 1000) With two different udp IPs: 2008/07/01 12:18:09| Accepting ICP messages at 192.168.17.11, port 3130, FD 15. 2008/07/01 12:18:09| Outgoing ICP messages on port 3130, FD 16. Works too. With same udp IP: 2008/07/01 12:15:09| Accepting ICP messages at 192.168.17.12, port 3130, FD 15. 2008/07/01 12:15:09| Outgoing ICP messages on port 3130, FD 16. Works too. It must be the heat but some random errors are driving me nuts... I did stick with the 255.255... conf. I use wgets to browse the test website; each query going through a random squid. For most objects, it works fine. But constantly for one specific object (brasil.gif) and from time to time other random objects (portugal.gif, italia.gif) I get "403 Forbidden". Sometimes, instead of "403 Forbidden", I get "200 No headers, assuming HTTP/0.9" By example, I get: 1214908535.754 0 192.168.17.13 TCP_DENIED/403 1295 GET http://127.0.0.1/img/italia.gif - NONE/- text/html And 498 times on the 2 other siblings: 1214908535.754 2 192.168.17.13 TCP_MISS/403 1295 GET http://127.0.0.1/img/italia.gif - CD_SIBLING_HIT/192.168.17.12 text/html 1214908535.754 RELEASE -1 FFFFFFFF C4228CE82163A253A41033FDFAEEF902 403 1214908535 -1 1214908535 text/html 1090/1090 GET http://127.0.0.1/img/italia.gif With more debuging... 498 times all this (I guess, too many lines to count): 2008/07/01 13:40:44| aclCheckFast: list: 0x9c16e70 2008/07/01 13:40:44| aclMatchAclList: checking all 2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0' 2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found 2008/07/01 13:40:44| aclMatchAclList: returning 1 2008/07/01 13:40:44| aclCheckFast: list: 0x9c16e48 2008/07/01 13:40:44| aclMatchAclList: checking all 2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0' 2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found 2008/07/01 13:40:44| aclMatchAclList: returning 1 2008/07/01 13:40:44| aclCheckFast: list: 0x9c16da0 2008/07/01 13:40:44| aclMatchAclList: checking all 2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0' 2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found 2008/07/01 13:40:44| aclMatchAclList: returning 1 2008/07/01 13:40:44| aclCheckFast: list: 0x9c15300 2008/07/01 13:40:44| aclMatchAclList: checking all 2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0' 2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found 2008/07/01 13:40:44| aclMatchAclList: returning 1 2008/07/01 13:40:44| aclCheck: checking 'http_reply_access allow all' 2008/07/01 13:40:44| aclMatchAclList: checking all 2008/07/01 13:40:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0' 2008/07/01 13:40:44| aclMatchIp: '192.168.17.13' found 2008/07/01 13:40:44| aclMatchAclList: returning 1 2008/07/01 13:40:44| aclCheck: match found, returning 1 2008/07/01 13:40:44| aclCheckCallback: answer=1 2008/07/01 13:40:44| The reply for GET http://127.0.0.1/img/italia.gif is ALLOWED, because it matched 'all' But the pseudo-random aspect is annoying... The problem is not specific to one squid. To test, I renamed brasil.gif to brasil2.gif and no more 403 on brasil2.gif... Digest problem? Hash collision problem? Here are 3 runs of stop squids + manualy clear cache_dirs + restart squids + get objects... Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/spain.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/greece.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/france.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/denmark.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/sweden.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/finland.gif = Proxy request sent, awaiting response... 403 Forbidden Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/japan.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/usa.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/russia.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/brasil.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/portugal.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/polska.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/netherlands.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/taiwan.gif = Proxy request sent, awaiting response... 200 No headers, assuming HTTP/0.9 Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/china.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/italia.gif = Proxy request sent, awaiting response... 200 No headers, assuming HTTP/0.9 Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/turkey.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/spain.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/greece.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/france.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/denmark.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/sweden.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/finland.gif = Proxy request sent, awaiting response... 403 Forbidden Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/japan.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/usa.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/russia.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/brasil.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/portugal.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/polska.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/netherlands.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/taiwan.gif = Proxy request sent, awaiting response... 403 Forbidden Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/china.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/italia.gif = Proxy request sent, awaiting response... 403 Forbidden Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/turkey.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/spain.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/greece.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/france.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/denmark.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/sweden.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/finland.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/japan.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/usa.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/russia.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/brasil.gif = Proxy request sent, awaiting response... 200 OK Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/portugal.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/polska.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/netherlands.gif = Proxy request sent, awaiting response... 200 OK Squid1 ( 192.168.17.11 ) - GET http://127.0.0.1/img/taiwan.gif = Proxy request sent, awaiting response... 403 Forbidden Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/china.gif = Proxy request sent, awaiting response... 200 OK Squid3 ( 192.168.17.13 ) - GET http://127.0.0.1/img/italia.gif = Proxy request sent, awaiting response... 403 Forbidden Squid2 ( 192.168.17.12 ) - GET http://127.0.0.1/img/turkey.gif = Proxy request sent, awaiting response... 200 OK So now, brasil.gif, that returned 403 all the time, returns 200 all the time... It is finland, taiwan and italia's turn... :/ I tried with 2 different udp IPs, same errors... I tried with the same udp IP, almost same; finland is now always 200 OK... Back to 255.255... conf, same as the same IP now... No rights problems: -rw-r--r-- 1 apache apache 6075 Jun 30 16:12 brasil.gif -rw-r--r-- 1 apache apache 10764 Jun 30 16:12 china.gif -rw-r--r-- 1 apache apache 12229 Jun 30 16:12 denmark.gif -rw-r--r-- 1 apache apache 9569 Jun 30 16:12 finland.gif -rw-r--r-- 1 apache apache 7934 Jun 30 16:12 france.gif -rw-r--r-- 1 apache apache 13597 Jun 30 16:12 greece.gif -rw-r--r-- 1 apache apache 11213 Jun 30 16:12 italia.gif -rw-r--r-- 1 apache apache 7283 Jun 30 16:12 japan.gif -rw-r--r-- 1 apache apache 8639 Jun 30 16:12 netherlands.gif -rw-r--r-- 1 apache apache 7839 Jun 30 16:12 polska.gif -rw-r--r-- 1 apache apache 5638 Jun 30 16:12 portugal.gif -rw-r--r-- 1 apache apache 7711 Jun 30 16:12 russia.gif -rw-r--r-- 1 apache apache 6863 Jun 30 16:12 spain.gif -rw-r--r-- 1 apache apache 8605 Jun 30 16:12 sweden.gif -rw-r--r-- 1 apache apache 4900 Jun 30 16:12 taiwan.gif -rw-r--r-- 1 apache apache 6000 Jun 30 16:12 turkey.gif -rw-r--r-- 1 apache apache 7208 Jun 30 16:12 usa.gif > Odd.. Which Squid version? Squid should not even start with ICP enabled > and incoming & outgoing set to the same address... The "latest" from a CentOS 5.2: squid-2.6.STABLE6-5.el5_1.2 I guess I will have to manualy compile a STABLE20... Or is 2.7STABLE3 better and as stable? Thx, JD