On Tue, 29 Nov 2011 17:37:49 +0100, Fredrik Eriksson wrote:
> Hi,
> We're trying to access the site www.usitc.gov through our squid3
> servers, but only get timed out.
> We are running squid 3.1.16-1 from debian wheezy on debian squeeze
> hosts.
> Accessing the site through an old squid server, running squid
> 2.6.5-6etch5 on a debian etch host, works fine.
> I've read these two
> http://squidproxy.wordpress.com/2008/04/29/chunked-decoding/
> http://squidproxy.wordpress.com/2007/06/05/thinsg-to-look-at-if-websites-are-hanging/
> I have tried with
> acl broken dstdomain www.usitc.gov
> cache deny broken
> always_direct allow broken_gov
> in various combinations with or without
> net.ipv4.tcp_ecn = 0
> net.ipv4.tcp_window_scaling = 0
> and
> default via <gw-ip> advmss 1160
> with no cigar in sight.
> Output from tcpdump on a squid3 host, trying to access the site
> through the proxy

Let's walk this through...

> squid3srv:~# tcpdump -v -i eth1 host www.usitc.gov
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 16:57:14.042959 IP (tos 0x0, ttl 64, id 1892, offset 0, flags [DF],
> proto TCP (6), length 56)
> squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [S], cksum
> 0xbf08 (correct), seq 3957670134, win 4640, options [mss
> 1160,sackOK,TS val 583485330 ecr 0], length 0

SYN, asking for MSS 1160 (configured). Fine.

> 16:57:14.171013 IP (tos 0x0, ttl 111, id 14643, offset 0, flags
> [none], proto TCP (6), length 60)
> www.usitc.gov.www > squid3srv.axis.com.44756: Flags [S.], cksum
> 0x767e (correct), seq 577064795, ack 3957670135, win 16384, options
> [mss 1460,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0

SYN-ACK from server. Indicating MSS can be safely raised to 1460.

> 16:57:14.171029 IP (tos 0x0, ttl 64, id 1893, offset 0, flags [DF],
> proto TCP (6), length 52)
> squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [.], cksum
> 0x66a9 (correct), ack 1, win 4640, options [nop,nop,TS val 583485362
> ecr 0], length 0

ACK from Squid to server confirming receipt of the SYN-ACK.

> 16:57:14.171157 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF],
> proto TCP (6), length 1137)
> squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum
> 0x4a1b (incorrect -> 0xc04e), seq 1:1086, ack 1, win 4640, options
> [nop,nop,TS val 583485362 ecr 0], length 1085

Data packet from Squid->Server. 1085 bytes. Well under both 1160 and
1460 sizes, even with TCP packet bits added.
However the packet checksum is incorrect.
This is a problem in the kernel code somewhere. Given that it works on
the same box with older Squid it is likely something to do with the
IPv4/IPv6 v4-mapping features of the kernel. Squid-3.1 prefers to use
"v4-mapped" IPv6 sockets and let the kernel swap the TCP stacks around
depending on the IP address type connected to.
Amos
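
The packet-by-packet reading in the reply above, as an added example that is not part of the original mail: a small Python parser that pulls the advertised MSS, payload length and checksum status out of `tcpdump -v` records and lists what stands out. The sample input is the four records from the capture, rejoined onto single lines; the function names are this example's own.

```python
import re

# Constructed sample: the four records from the capture above, each rejoined
# onto one line (tcpdump -v output is wrapped in the mail).
SAMPLE = """\
16:57:14.042959 IP (tos 0x0, ttl 64, id 1892, offset 0, flags [DF], proto TCP (6), length 56) squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [S], cksum 0xbf08 (correct), seq 3957670134, win 4640, options [mss 1160,sackOK,TS val 583485330 ecr 0], length 0
16:57:14.171013 IP (tos 0x0, ttl 111, id 14643, offset 0, flags [none], proto TCP (6), length 60) www.usitc.gov.www > squid3srv.axis.com.44756: Flags [S.], cksum 0x767e (correct), seq 577064795, ack 3957670135, win 16384, options [mss 1460,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
16:57:14.171029 IP (tos 0x0, ttl 64, id 1893, offset 0, flags [DF], proto TCP (6), length 52) squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [.], cksum 0x66a9 (correct), ack 1, win 4640, options [nop,nop,TS val 583485362 ecr 0], length 0
16:57:14.171157 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto TCP (6), length 1137) squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum 0x4a1b (incorrect -> 0xc04e), seq 1:1086, ack 1, win 4640, options [nop,nop,TS val 583485362 ecr 0], length 1085
"""

HEAD = re.compile(r"(\S+) > (\S+): Flags \[([^\]]*)\], cksum 0x[0-9a-f]+ \((correct|incorrect)")
MSS = re.compile(r"\bmss (\d+)")
PAYLOAD = re.compile(r"length (\d+)$")  # last "length" on the line is the TCP payload

def parse(capture):
    """Turn one-record-per-line tcpdump -v output into a list of dicts."""
    packets = []
    for line in capture.splitlines():
        head = HEAD.search(line)
        if not head:
            continue  # banner lines, non-TCP records
        mss = MSS.search(line)
        packets.append({
            "src": head.group(1), "dst": head.group(2), "flags": head.group(3),
            "cksum_ok": head.group(4) == "correct",
            "mss": int(mss.group(1)) if mss else None,
            "payload": int(PAYLOAD.search(line).group(1)),
        })
    return packets

def review(packets):
    """Return (MSS advertised by each endpoint, list of (packet index, finding))."""
    # MSS only appears on SYN / SYN-ACK; each side advertises what it will accept.
    advertised = {p["src"]: p["mss"] for p in packets if "S" in p["flags"] and p["mss"]}
    findings = []
    for i, p in enumerate(packets):
        limit = advertised.get(p["dst"])  # sender is bound by the receiver's MSS
        if limit and p["payload"] > limit:  # TCP option bytes are not subtracted here
            findings.append((i, "payload exceeds peer MSS"))
        if not p["cksum_ok"]:
            findings.append((i, "checksum reported incorrect"))
    return advertised, findings

if __name__ == "__main__":
    print(review(parse(SAMPLE)))
```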