On Wed, 17 Jun 2009 10:28:35 -0700, "Alexandre DeAraujo" <alexd@xxxxxxx> wrote:

>> Does access.log say anything is arriving at Squid?
>> Are you able to track the packets anywhere else?
>>
>> Amos
>
> Once the client tries to browse, the connection times out after 100-150
> seconds and displays the error page:
>
> The following error was encountered while trying to retrieve the URL:
> http://www.msn.com/
> Connection to 207.68.172.246 failed.
> The system returned: (110) Connection timed out
> The remote host or network may be down. Please try the request again.
>
> ...and the following message will show in access.log (at the same time as
> the timeout page is shown in the browser):
>
> 1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
> 1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
>
> Nothing else will show in access.log from the moment that the client
> tries to browse.
>
> The following is the output of 'iptables -I INPUT -p tcp -j LOG'. Here is
> everything from the time the client tries to browse to when the connection
> times out:
>
> client ip = 192.168.10.3
> squid ip = 192.168.20.10
> msn.com ip = 207.68.172.246
>
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1

... show several packets where the client is connecting straight to the Squid IP as a regular proxy!!

(I assume squid handles the requests and spoofs the client IP: 192.168.10.3->207.68.172.246)

> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1

... router catches packets between 192.168.10.3->207.68.172.246 and sends them to Squid for handling...

(I assume squid handles the requests and spoofs the client IP: 192.168.10.3->207.68.172.246)

> Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1

... router catches packets between 192.168.10.3->207.68.172.246 and sends them to Squid for handling...

... IF my assumption about where each of those packets is originating is true. It seems like a triangle of doom.

IMO Squid needs to be given a dedicated _interface_ on the router. And any packets coming from that _interface_ be exempted from WCCP route-back.

Amos
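A small log-inspection script, added here as an example and not part of this thread or of the Squid project: it parses `iptables -j LOG` kernel lines of the kind posted above and reports the two things Amos reads out of them, namely packets arriving over the WCCP tunnel that are addressed straight to Squid's proxy port (clients using Squid as a regular proxy), and intercepted flows where a SYN and an RST carry the same source address but different TTLs, which is what the route-back loop looks like when Squid spoofs the client address and the real client answers with RST. The TTL comparison is a heuristic of this example, not something the thread states; the interface name `wccp2`, the Squid address `192.168.20.10:3128` and the sample lines are taken from or modelled on the posted log, and the sample lines are constructed.

```python
"""Flag WCCP 'triangle of doom' symptoms in iptables LOG output.

Example code added to this thread; not from Squid or either poster.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the iptables LOG lines posted in the thread
# (client 192.168.10.3, Squid 192.168.20.10:3128, origin 207.68.172.246).
SAMPLE_LOG = """\
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
"""

KERNEL_RE = re.compile(r"kernel:\s*(?P<body>.*)$")


def parse_log_line(line):
    """Parse one iptables LOG kernel line into a dict.

    KEY=VALUE tokens become entries (an empty VALUE such as 'OUT=' is kept
    as ''); bare tokens such as SYN, ACK, RST and DF go into a 'flags' set.
    Returns None for lines that are not iptables LOG output.
    """
    m = KERNEL_RE.search(line)
    if not m:
        return None
    rec = {"flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        else:
            rec["flags"].add(tok)
    if "SRC" not in rec or "DST" not in rec:
        return None
    for key in ("TTL", "LEN", "SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def flow_key(rec):
    """(src, sport, dst, dport) identifying one TCP connection attempt."""
    return (rec["SRC"], rec.get("SPT"), rec["DST"], rec.get("DPT"))


def find_direct_proxy_hits(records, wccp_iface, squid_ip, squid_port):
    """Packets that came in over the WCCP tunnel but are addressed to Squid's
    own proxy port: a client using Squid as a regular proxy, not intercepted."""
    return [r for r in records
            if r.get("IN") == wccp_iface
            and r["DST"] == squid_ip and r.get("DPT") == squid_port]


def find_spoofed_loops(records, wccp_iface):
    """Flows on the WCCP tunnel where the SYNs and the RSTs for one 4-tuple
    carry disjoint TTL values.

    Heuristic (an assumption of this example): two different hosts are
    sending with the same source address, e.g. Squid spoofing the client IP
    for its outbound SYN, the router intercepting that SYN back to Squid,
    and the real client answering with RST for a connection it never opened.
    """
    ttls = defaultdict(lambda: {"SYN": set(), "RST": set()})
    for r in records:
        if r.get("IN") != wccp_iface or r.get("PROTO") != "TCP":
            continue
        if "SYN" in r["flags"] and "ACK" not in r["flags"]:
            ttls[flow_key(r)]["SYN"].add(r["TTL"])
        if "RST" in r["flags"]:
            ttls[flow_key(r)]["RST"].add(r["TTL"])
    findings = []
    for key, seen in ttls.items():
        if seen["SYN"] and seen["RST"] and seen["SYN"].isdisjoint(seen["RST"]):
            findings.append({"flow": key,
                             "syn_ttl": sorted(seen["SYN"]),
                             "rst_ttl": sorted(seen["RST"])})
    return findings


def analyse(text, wccp_iface="wccp2", squid_ip="192.168.20.10", squid_port=3128):
    """Run both checks over raw log text and return the findings."""
    records = [r for r in map(parse_log_line, text.splitlines()) if r]
    return {
        "direct_proxy": find_direct_proxy_hits(records, wccp_iface, squid_ip, squid_port),
        "loops": find_spoofed_loops(records, wccp_iface),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"{len(result['direct_proxy'])} packet(s) to Squid's proxy port over the tunnel")
    for f in result["loops"]:
        print(f"loop suspect {f['flow']}: SYN TTL {f['syn_ttl']} vs RST TTL {f['rst_ttl']}")
```

On the posted data this reports three direct-proxy packets (the SYN, ACK and PSH to port 3128) and one suspect flow, 192.168.10.3:34661 to 207.68.172.246:80, whose SYNs have TTL 63 and whose RSTs have TTL 127. A flow where both sides of the comparison show the same TTL is not flagged, which keeps ordinary client-initiated resets out of the output.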