Hey,
The problems you have mentioned are possible because of a couple of reasons
and there is a need to fully debug it.

On 10/21/2013 10:17 PM, Matthew Ceroni wrote:
> When downloading files from certain websites, my end users experience
> intermittent issues.

OK happens, and not all traffic should be intercepted.

> On one site, WebEx, where you can download recordings, transmission
> speeds start off high and then gradually go to zero and the
> transmission dies.
> Researching this issue, I came across the TCP Window
> Scale option. I verified that my firewall (Cisco ASA running latest
> ASA software) is set to allow window scaling (it doesn't zero out the
> options). The thing with this issue is I don't see anything logged to
> the access log. No start of transmission or end of transmission.

What I would have done is route the client using a dedicated router
machine and verify what the issues are and whether these are issues that
can be blamed on the protocol the client uses or on any other source of
the problem, which can come from other sources and issues rather than squid.
You can also try to let the client surf using a regular forward proxy to
make sure what happens then.. not interception etc.

> Another user reported that they were receiving HTTP 500 errors when
> trying to download artifacts for Artifactory (build server). When
> looking at the access.log I see TCP_MISS/500 errors. Now usually HTTP
> 500 errors are server side errors. So I indicated this to my user
> saying the server they are downloading from is returning the 500
> error.
> They didn't agree and as a temporary workaround I allowed
> direct access for that server out to the internet. They now say the
> issue is resolved (don't really agree with them at this point).

It's not a matter of a temporary solution but rather what the problem is
and its source.

> What is the best route to go in debugging download issues?

Isolate the client and tell him that you want to debug it and find out
what the root source of the problem is.
What version of squid are you using?
TCP_MISS/500 can be because squid is just there but not configured to
work with this service.
Is it a transparent proxy? tproxy? DNAT?
If you can route the client or intercept the client traffic using a
bridge or a router you can isolate the issues from application level to
network\routing.
When you see that bypassing squid works it can be either a network or
application level and then try to use debug_options with http headers.
You can then verify what headers the client sends and then
what the server sends.
There might be a clue about it in the headers.
I would try to remove any "forwarded-for" or any related headers
such as Via and see what happens.
There are a couple of systems\sites out there that are based on a couple of headers
and when some proxy in the way from the client adds such headers it
makes them respond in a way nobody likes.
Hope it helps.
Eliezer
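
Added example, not part of the original thread: a small Python triage script for the TCP_MISS/500 entries discussed above. It groups 5xx responses in access.log by destination host and keeps the hierarchy field, which shows whether Squid forwarded the request to an origin address. It assumes Squid's default native log format; the sample lines, host names and addresses are constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, assuming Squid's default native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1382418001.120    812 10.0.0.21 TCP_MISS/500 1432 GET http://artifactory.example.test/repo/lib-1.0.jar - HIER_DIRECT/192.0.2.10 text/html
1382418003.480    640 10.0.0.21 TCP_MISS/500 1432 GET http://artifactory.example.test/repo/lib-1.0.pom - HIER_DIRECT/192.0.2.10 text/html
1382418005.002     95 10.0.0.21 TCP_MISS/200 5120 GET http://artifactory.example.test/repo/index.html - HIER_DIRECT/192.0.2.10 text/html
1382418010.700     30 10.0.0.34 TCP_MISS/200 20480 GET http://downloads.example.test/rec.arf - HIER_DIRECT/192.0.2.20 application/octet-stream
1382418011.100      0 10.0.0.34 TCP_DENIED/403 3500 CONNECT secure.example.test:443 - HIER_NONE/- text/html
this line is truncated
"""


def parse_line(line):
    """Parse one native-format line; return None if it is malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    if not status.isdigit():
        return None
    # CONNECT requests are logged as host:port, other methods as a full URL.
    if f[5] == "CONNECT":
        host = f[6].rsplit(":", 1)[0]
    else:
        host = urlsplit(f[6]).hostname or f[6]
    return {"client": f[2], "result": result, "status": int(status),
            "method": f[5], "host": host, "hier": hier, "peer": peer}


def server_errors(log_text):
    """Map each host that returned a 5xx to its request total and error breakdown."""
    totals = Counter()
    errors = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or foreign lines instead of failing
        totals[rec["host"]] += 1
        if rec["status"] >= 500:
            key = (rec["result"], rec["status"], rec["hier"], rec["peer"])
            errors[rec["host"]][key] += 1
    return {h: {"requests": totals[h], "errors": dict(c)} for h, c in errors.items()}


if __name__ == "__main__":
    for host, info in server_errors(SAMPLE_LOG).items():
        print(host, info)
```

An entry whose hierarchy field is DIRECT (HIER_DIRECT in newer releases) with a peer address means Squid did forward that request to the listed address, which is the starting point for comparing request and reply headers with debug_options.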