Re: TCP_MISS followed by multiple TCP_DENIED

[Chris Robertson <crobertson@xxxxxxx>]

Paul Cocker wrote:
> I'm having a problem with a lot of timeouts or failures to connect to a
> particular website. A typical section of the log is as follows:
>  
> 1229617601.885    156 192.168.1.1 TCP_MISS/200 39 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617603.854      0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617603.869      0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617605.619      0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617605.619      0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617666.368  62499 192.168.1.1 TCP_MISS/200 56565 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617671.352  65733 192.168.1.1 TCP_MISS/200 8176 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617683.118      0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617683.118      0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617689.508      0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617689.508      0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617756.007  72889 192.168.1.1 TCP_MISS/200 338369 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617761.007  71499 192.168.1.1 TCP_MISS/200 159880 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617826.881      0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617826.881      0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
>  
> We're using NTLM authentication for outgoing connections and at first I
> thought perhaps the above was the three connections something I'd heard
> about NTLM,

Likely you are referring to 
http://squid.sourceforge.net/ntlm/client_proxy_protocol.html

>  but if I check again something like google.com then I see
> only username after username, no multiple denied entries.
>   

Check more of the log, and I'm sure you'll see 407s for google as well.  
With client-side keep-alives you might not see many.

>  
> I've spoken to the vendor and they say there's nothing special about the
> page, it's an HTTPS logon page. Checking then ntlmauthenticator shows
> there have been three periods over the course of the day where we had an
> authentication backlog, but that's it. Is that the likely cause?
>   

I'd be inclined to say yes.  At 1229617601.885 a SSL connection 
terminated which had only lasted 156 ms and only transfered 39 bytes.  A 
bit short, but it exited with a 200 status code, so no real worries.  
The rest of the TCP_MISS/200 requests are much more typical, the number 
of extra TCP_DENIED/407 looks indicative of an overloaded NTLM 
Authenticator.

> Performance wise everything is fine with squid.
>  
> This is under squid 2.7 STABLE5
>  
>
> Paul Cocker

Chris