Hi All,

I observed there is a difference in the TCP state machine between the working scenario (without squid) and the not-working scenario (with squid).

State machine in working scenario (without squid)
----------------------------------------------------
client                               Server
SYN            --------------->
SYN + ACK      <---------------
ACK            --------------->
GET            --------------->
ACK            <---------------
TCP segment of a reassembled PDU (MTU 1514)   <---------------
HTTP/1.1 200 ok (MTU 293)                     <---------------
then connection terminates

State machine in Not-working scenario (with squid)
----------------------------------------------------
client                               Server
SYN            --------------->
SYN + ACK      <---------------
ACK            --------------->
GET            --------------->
ACK            <---------------
SYN + ACK      <---------------
RST            --------------->
TCP previous segment not captured             <---------------
RST            --------------->
TCP last segment not captured                 <---------------
.........
TCP segment of a reassembled PDU (MTU 1514)   <---------------
TCP segment of a reassembled PDU (MTU 1514)   <---------------
HTTP/1.0 504 Gateway timeout (MTU 1050)       <---------------
then connection terminates

In case of squid running,

1) Why is the web server sending "SYN+ACK" instead of the "TCP last segment not captured" PDU?
2) Why is there a delay in sending the "TCP last segment not captured" PDU?

Moreover I could see there is a variation in the HTTP version (1.0 and 1.1).

Please share your views on this.

Regards,
Saravanan N

On Mon, Aug 12, 2013 at 11:47 PM, SaRaVanAn <saravanan.nagarajan87@xxxxxxxxx> wrote:
> Hi Team,
> I set up an Apache web server and squid3 running on the same machine.
> But when I try to access the web-server pages from the client machine, I
> always ended up in the ERR_CONNECT_FAIL error.
> I tried all the alternatives and configurations from Google, but it was
> not helping me to solve the issue.
>
> Error
> ------
> 1376330104.848 179954 172.30.11.122 TCP_MISS/504 3880 GET http://172.30.11.124/logs/access.log - DIRECT/172.30.11.124 text/html [Host: 172.30.11.124\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20130109 Firefox/10.0.12\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n] [HTTP/1.0 504 Gateway Time-out\r\nServer: squid/3.1.20\r\nMime-Version: 1.0\r\nDate: Mon, 12 Aug 2013 17:55:04 GMT\r\nContent-Type: text/html\r\nContent-Length: 3506\r\nX-Squid-Error: ERR_CONNECT_FAIL 110\r\nVary: Accept-Language\r\nContent-Language: en-us\r\n\r]
>
> Topology
> ----------------
> 172.30.11.122 (client) ---------- 172.30.11.124 (webserver and squid3 running)
>
> Squid version and OS
> --------------------------------
> squid3 -v
> Squid Cache: Version 3.1.20
>
> Debian wheezy (7.0)
>
> iptables rules
> ---------------------
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> IP rules
> --------------
> ip -f inet rule add fwmark 1 lookup 100
> ip -f inet route add local default dev eth0 table 100
>
> squid.conf
> --------------
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443
> acl SSL_ports port 563
> acl SSL_ports port 873
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl Safe_ports port 631
> acl Safe_ports port 873
> acl Safe_ports port 901
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_reply_access allow all
> http_port 3128
> http_port 3129 tproxy
> hierarchy_stoplist cgi-bin ?
> cache_mem 256 MB
> cache_dir ufs /var/spool/squid3 1000 16 256
> maximum_object_size 20480 KB
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
> mime_table /usr/share/squid3/mime.conf
> log_mime_hdrs on
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
> acl apache rep_header Server ^Apache
> hosts_file /etc/hosts
> coredump_dir /var/spool/squid3
> acl localnet src 172.30.11.0/24
> http_access allow localhost
> http_access allow localnet
> cache allow all
> request_header_access Allow allow all
> request_header_access Authorization allow all
> request_header_access WWW-Authenticate allow all
> request_header_access Proxy-Authorization allow all
> request_header_access Proxy-Authenticate allow all
> request_header_access Cache-Control allow all
> request_header_access Content-Encoding allow all
> request_header_access Content-Length allow all
> request_header_access Content-Type allow all
>
> Tcpdump
> ----------------
> tcpdump -i eth0 "port 80"
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 23:23:35.965778 IP 172.30.11.124.http > 172.30.11.122.42895: Flags [S.], seq 147932214, ack 1341835953, win 14480, options [mss 1460,sackOK,TS val 6510344 ecr 6510344,nop,wscale 5], length 0
> 23:23:35.965904 IP 172.30.11.122.42895 > 172.30.11.124.http: Flags [R], seq 1341835953, win 0, length 0
> 23:24:04.896138 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 111903872, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6517576 ecr 6517576,nop,wscale 5], length 0
> 23:24:04.896263 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
> 23:24:05.893767 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 127491883, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6517826 ecr 6517826,nop,wscale 5], length 0
> 23:24:05.893885 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
> 23:24:07.897766 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 158804355, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6518327 ecr 6518327,nop,wscale 5], length 0
> 23:24:07.898048 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
> 23:24:11.901791 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 221367156, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6519328 ecr 6519328,nop,wscale 5], length 0
> 23:24:11.901913 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
> 23:24:19.917797 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 346617285, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6521332 ecr 6521332,nop,wscale 5], length 0
> 23:24:19.917920 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
> 23:24:35.965795 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 597367243, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6525344 ecr 6525344,nop,wscale 5], length 0
> 23:24:35.965906 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
> 23:25:04.848090 IP 172.30.11.124.http > 172.30.11.122.44872: Flags [.], seq 622394574:622396022, ack 3117157865, win 486, options [nop,nop,TS val 6532564 ecr 1130451999], length 1448
> 23:25:04.848123 IP 172.30.11.124.http > 172.30.11.122.44872: Flags [.], seq 1448:2896, ack 1, win 486, options [nop,nop,TS val 6532564 ecr 1130451999], length 1448
> 23:25:04.848143 IP 172.30.11.124.http > 172.30.11.122.44872: Flags [P.], seq 2896:3880, ack 1, win 486, options [nop,nop,TS val 6532564 ecr 1130451999], length 984
> 23:25:04.848480 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags [.], ack 1448, win 274, options [nop,nop,TS val 1130631953 ecr 6532564], length 0
> 23:25:04.848572 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags [.], ack 2896, win 319, options [nop,nop,TS val 1130631953 ecr 6532564], length 0
> 23:25:04.848667 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags [.], ack 3880, win 364, options [nop,nop,TS val 1130631953 ecr 6532564], length 0
> 23:26:59.848715 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags [F.], seq 1, ack 3880, win 364, options [nop,nop,TS val 1130746953 ecr 6532564], length 0
> 23:26:59.848866 IP 172.30.11.124.http > 172.30.11.122.44872: Flags [F.], seq 3880, ack 2, win 486, options [nop,nop,TS val 6561314 ecr 1130746953], length 0
> 23:26:59.849005 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags [.], ack 3881, win 364, options [nop,nop,TS val 1130746954 ecr 6561314], length 0
>
> Moreover it's taking a long time to respond with the "connection failed" error
> message in the browser. Without the tproxy rules, the webserver is working like
> a gem.
> I really don't know what is going on and what I did wrong.
> Please help me since I'm new to squid.
>
> Regards,
> Saravanan N
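As an added diagnostic example (my code, not from this thread, from Squid or from its documentation), the script below parses the plain-text `tcpdump` output quoted in the post, groups packets by flow, and reports every flow in which the server keeps retransmitting a SYN-ACK that the peer answers with a RST, together with the spacing between retransmissions. Run over the post's own capture it finds exactly one such flow, 172.30.11.124:80 towards 172.30.11.122:37138: six SYN-ACKs, each answered by a RST within a millisecond, spaced roughly 1, 2, 4, 8 and 16 seconds apart, which is the doubling retry schedule a TCP stack uses for an unacknowledged SYN-ACK. Two things are worth noticing in that result: the SYN that provoked these SYN-ACKs never appears on the wire, and the client's RSTs do not stop the retries. That pattern is what an intercepting proxy that spoofs the client's source address produces when the origin server answers back out to the real client instead of to the proxy; reading it that way is my interpretation of the capture, not something the post states. The sample input embedded in the block is copied from the post's capture and rejoined to one packet per line; the `SERVICE_PORTS` map, the one-second "answered by RST" window and the file name in the usage note are my assumptions.

```python
"""Find SYN-ACK/RST retransmission loops in tcpdump text output.

Added example, not code from the squid-users thread or from Squid. It parses
the plain-text format of `tcpdump -i eth0 "port 80"` as quoted in the post.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# tcpdump prints well-known ports by name unless -n is given; map the ones we
# expect back to numbers (assumption: extend as needed).
SERVICE_PORTS = {"http": "80", "https": "443"}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

# Sample input copied from the capture in the post (one packet per line): the
# SYN-ACK/RST pairs, plus a header line and one data packet from the final 504
# exchange so the parser is exercised on lines it must skip or ignore.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
23:23:35.965778 IP 172.30.11.124.http > 172.30.11.122.42895: Flags [S.], seq 147932214, ack 1341835953, win 14480, options [mss 1460,sackOK,TS val 6510344 ecr 6510344,nop,wscale 5], length 0
23:23:35.965904 IP 172.30.11.122.42895 > 172.30.11.124.http: Flags [R], seq 1341835953, win 0, length 0
23:24:04.896138 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 111903872, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6517576 ecr 6517576,nop,wscale 5], length 0
23:24:04.896263 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
23:24:05.893767 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 127491883, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6517826 ecr 6517826,nop,wscale 5], length 0
23:24:05.893885 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
23:24:07.897766 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 158804355, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6518327 ecr 6518327,nop,wscale 5], length 0
23:24:07.898048 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
23:24:11.901791 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 221367156, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6519328 ecr 6519328,nop,wscale 5], length 0
23:24:11.901913 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
23:24:19.917797 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 346617285, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6521332 ecr 6521332,nop,wscale 5], length 0
23:24:19.917920 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
23:24:35.965795 IP 172.30.11.124.http > 172.30.11.122.37138: Flags [S.], seq 597367243, ack 124904408, win 14480, options [mss 1460,sackOK,TS val 6525344 ecr 6525344,nop,wscale 5], length 0
23:24:35.965906 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags [R], seq 124904408, win 0, length 0
23:25:04.848090 IP 172.30.11.124.http > 172.30.11.122.44872: Flags [.], seq 622394574:622396022, ack 3117157865, win 486, options [nop,nop,TS val 6532564 ecr 1130451999], length 1448
"""


@dataclass
class Finding:
    server: str        # endpoint that sent the SYN-ACKs, e.g. "172.30.11.124:80"
    client: str        # endpoint that answered them with RST
    synacks: int       # number of SYN-ACKs seen on the flow
    rst_answered: int  # how many of them drew a RST within one second
    gaps: list         # seconds between consecutive SYN-ACKs


def endpoint(token):
    """'172.30.11.124.http' -> '172.30.11.124:80'."""
    host, port = token.rsplit(".", 1)
    return f"{host}:{SERVICE_PORTS.get(port, port)}"


def parse_capture(text):
    """Yield (time, src, dst, flagset) per packet line; non-packet lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        flags = set(m["flags"].replace(".", "A"))  # tcpdump writes ACK as '.'
        yield t, endpoint(m["src"]), endpoint(m["dst"]), flags


def find_synack_rst_loops(text, min_retransmits=2):
    """Return a Finding for every server->client flow with repeated SYN-ACKs."""
    synacks, rsts = {}, {}
    for t, src, dst, flags in parse_capture(text):
        if {"S", "A"} <= flags:
            synacks.setdefault((src, dst), []).append(t)   # server -> client
        elif "R" in flags:
            rsts.setdefault((dst, src), []).append(t)      # client -> server, keyed the same way
    findings = []
    for key, sa in sorted(synacks.items()):
        sa.sort()
        if len(sa) < min_retransmits + 1:
            continue
        r = sorted(rsts.get(key, []))
        answered = sum(1 for t in sa if any(0 <= (x - t).total_seconds() < 1.0 for x in r))
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(sa, sa[1:])]
        findings.append(Finding(key[0], key[1], len(sa), answered, gaps))
    return findings


def looks_like_exponential_backoff(gaps):
    """True when each gap is roughly twice the previous one (TCP's SYN-ACK retry schedule)."""
    if len(gaps) < 2:
        return False
    return all(a > 0 and 1.5 <= b / a <= 2.5 for a, b in zip(gaps, gaps[1:]))


if __name__ == "__main__":
    for f in find_synack_rst_loops(SAMPLE_CAPTURE):
        print(f"{f.server} -> {f.client}: {f.synacks} SYN-ACKs, {f.rst_answered} answered by RST, "
              f"gaps {f.gaps} s, exponential backoff: {looks_like_exponential_backoff(f.gaps)}")
```

To use it on a live capture, save the block as, say, `synack_rst_loop.py` (hypothetical name) and replace `SAMPLE_CAPTURE` with the output of `tcpdump -n "port 80"`; with `-n` the ports are already numeric and `SERVICE_PORTS` is never consulted. Keying both the SYN-ACKs and the RSTs by the (server, client) pair is what lets the script pair a server's retransmissions with the resets coming back from the address they were sent to.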