Re: CLOSE_WAIT state in Squid leads to bandwidth drop

[Eliezer Croitoru <eliezer@xxxxxxxxxxxx>]

Hey Saravanan,

The main issue is that we can try to support you in a very basic way but 
note that if it's a BUG it cannot be fixed later rather then porting a 
patch manually or to try newer versions of squid.
Sometimes it's a bit difficult to upgrade but you can compile squid 
without installing it and also installing it along side older version 
(with proper configurations).

Your problem is a bit difficult to understand since if you use a proxy 
server with 100hz I assume this is what you will get from it..
There are couple levels to the connections which needs to be analyzed 
first before jumping and throwing everything on the linux machine.
The availability of example bug reports is nice to analyze but I am not 
sure this is the case.

10Mbps link or 15Mbps link is almost the same but some things in the 
network are out of your hands.
First the diagram is a bit weird to me..
what is the network topology and what hardware are we talking about?
There is a reason for *dropping* from 6.5 to 8.5 Mbps.
Either this is being consumed in a way or it might be throttled in a way.
Both can be squid or in any other level of the link and even physical one.
A cat4 cable with a loose contact will lead for something like that in 
some cases.

So I am saying "from the ground up".
What is the IP of the client?
Is this server properly firewalled?
What is the basic TCP settings for CLOSE_WAIT timeout?
Do you have iptraf installed on this server?
You can look at the "general interface statistics" or "Detailed 
interface statistics" to identify couple things.

The iptraf tool can give you another angle on your network traffic(note 
that using it on a ssh can be confusing due to the ssh overhead usage of 
the link)

It can happen that squid server "slows" down the connection but not in 
most cases.

So we need: basic network diagram or "picture" like "a cable goes from 
this computer to this switch and from this switch to this router and 
from this router to this switch".
If you can add IP addresses it will help me to understand the big picture.

I am not sure yet what is the client IP and what is the speed between 
each connection and whether it's a full-duplex half-duplex or no-duplex 
support at all.
Are talking about a LAN traffic only? what about DNS and WAN traffic?

Thanks,
Eliezer

On 04/12/13 18:02, SaRaVanAn wrote:
> Hi All,
>     I need a help on this issue. On heavy network traffic with squid
> running, link bandwidth is not utilized properly.  If I bypass squid,
> my link bandwidth is utilized properly.
>
> Updated topology:
> =============
>                                                                    (10 Mbps Link)
> client< ------- > Squid Box <-------> Proxy client<------> Proxy
> server<---> webserver
>
> During problem scenario, I could see more tcp sessions with FIN_WAIT_1
> state in Proxy server . I also observed that Recv -q in CLOSE_WAIT
> state is getting increased in Squid Box. The number of tcp sessions
> from Squid to webserver are also getting dropped drastically.
>
> Squid.conf
> ========
> http_port 3128 tproxy transparent
> http_port 80 accel defaultsite=xyz.abc.com
> hierarchy_stoplist cgi-bin
> acl VIDEO url_regex ^http://fa\.video\.abc\.com
> cache allow VIDEO
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_mem 100 MB
> cache_swap_low 70
> cache_swap_high 80
> maximum_object_size 51200 KB
> maximum_object_size_in_memory 10 KB
> ipcache_size 8192
> fqdncache_size 8192
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
> cache_dir aufs //var/logs/cache 6144 16 256
> access_log //var/logs/access.log squid
> cache_log //var/logs/cache.log
> cache_store_log none
> mime_table //var/opt/abs/config/acpu/mime.conf
> pid_filename //var/run/squid.pid
> refresh_pattern -i fa.video.abc.com/* 600 0% 600 override-expire
> override-lastmod reload-into-ims ignore-reload
> refresh_pattern -i video.abc.com/* 600 0% 600 override-expire
> override-lastmod reload-into-ims ignore-reload
> refresh_pattern -i media.abc.com/* 600 0% 600 override-expire
> override-lastmod reload-into-ims ignore-reload
> refresh_pattern -i xyz.abc.com/.*\.js 600 200% 600 override-expire
> override-lastmod reload-into-ims
> refresh_pattern -i xyz.abc.com/.*\.gif 600 200% 600 override-expire
> override-lastmod reload-into-ims
> refresh_pattern -i xyz.abc.com/.*\.jpg 600 200% 600 override-expire
> override-lastmod reload-into-ims
> refresh_pattern -i xyz.abc.com/.*\.jpg 600 200% 600 override-expire
> override-lastmod reload-into-ims
> refresh_pattern -i xyz.abc.com/.*\.png 600 200% 600 override-expire
> override-lastmod reload-into-ims
> refresh_pattern -i xyz.abc.com/.*\.css 600 200% 600 override-expire
> override-lastmod reload-into-ims
> refresh_pattern -i ^http://.wsj./.*  10 200% 10 override-expire
> override-lastmod reload-into-ims ignore-reload
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 480 100% 480
> override-expire override-lastmod reload-into-ims
> refresh_pattern -i \.(htm|html|js|css)$ 480 100% 480 override-expire
> override-lastmod reload-into-ims
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> negative_ttl 1 minutes
> positive_dns_ttl 1800 seconds
> forward_timeout 2 minutes
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> acl video_server dstdomain cs.video.abc.com
> always_direct allow video_server
> acl PURGE method PURGE
> http_access allow PURGE localhost
> http_access deny PURGE
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT all
> http_access allow all
> icp_access allow all
> tcp_outgoing_address 172.19.134.2
> visible_hostname 172.19.134.2
> server_persistent_connections off
> logfile_rotate 1
> error_maphttp://localhost:1000/abp/squidError.do  404
> memory_pools off
> store_objects_per_bucket 100
> strip_query_terms off
> coredump_dir //var/cache
> store_dir_select_algorithm round-robin
> cache_peer 172.19.134.2 parent 1000 0 no-query no-digest originserver
> name=aportal
> cache_peerwww.abc.com  parent 80 0 no-query no-digest originserver name=dotcom
> cache_peer guides.abc.com parent 80 0 no-query no-digest originserver
> name=travelguide
> cache_peer selfcare.abc.com parent 80 0 no-query no-digest
> originserver name=selfcare
> cache_peer abcd.mediaroom.com parent 80 0 no-query no-digest
> originserver name=mediaroom
> acl webtrends url_regex ^http://statse\.webtrendslive\.com
> acl the_host dstdom_regex xyz\.abc\.com
> acl abp_regex url_regex ^http://xyz\.abc\.com/abp
> acl gbp_regex url_regex ^http://xyz\.abc\.com/gbp
> acl abcdstatic_regex url_regex ^http://xyz\.goginflight\.com/static
> acl dotcom_regex url_regex ^www\.abc\.com
> acl dotcomstatic_regex url_regex ^www\.abc\.com/static
> acl travelguide_regex url_regex ^http://guides\.abc\.com
> acl selfcare_regex url_regex ^http://selfcare\.abc\.com
> acl mediaroom_regex url_regex ^http://abcd\.mediaroom\.com
> never_direct allow abp_regex
> cache_peer_access aportal allow abp_regex
> acl PURGE method PURGE
> http_access allow PURGE localhost
> http_access deny PURGE
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT all
> http_access allow all
> icp_access allow all
> tcp_outgoing_address 172.19.134.2
> visible_hostname 172.19.134.2
> server_persistent_connections off
> logfile_rotate 1
> error_maphttp://localhost:1000/abp/squidError.do  404
> memory_pools off
> store_objects_per_bucket 100
> strip_query_terms off
> coredump_dir //var/cache
> store_dir_select_algorithm round-robin
> cache_peer 172.19.134.2 parent 1000 0 no-query no-digest originserver
> name=aportal
> cache_peerwww.abc.com  parent 80 0 no-query no-digest originserver name=dotcom
> cache_peer guides.abc.com parent 80 0 no-query no-digest originserver
> name=travelguide
> cache_peer selfcare.abc.com parent 80 0 no-query no-digest
> originserver name=selfcare
> cache_peer abcd.mediaroom.com parent 80 0 no-query no-digest
> originserver name=mediaroom
> acl webtrends url_regex ^http://statse\.webtrendslive\.com
> acl the_host dstdom_regex xyz\.abc\.com
> acl abp_regex url_regex ^http://xyz\.abc\.com/abp
> acl gbp_regex url_regex ^http://xyz\.abc\.com/gbp
> acl abcdstatic_regex url_regex ^http://xyz\.goginflight\.com/static
> acl dotcom_regex url_regex ^www\.abc\.com
> acl dotcomstatic_regex url_regex ^www\.abc\.com/static
> acl travelguide_regex url_regex ^http://guides\.abc\.com
> acl selfcare_regex url_regex ^http://selfcare\.abc\.com
> acl mediaroom_regex url_regex ^http://abcd\.mediaroom\.com
> never_direct allow abp_regex
> cache_peer_access aportal allow abp_regex
> acl PURGE method PURGE
> http_access allow PURGE localhost
> http_access deny PURGE
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT all
> http_access allow all
> icp_access allow all
> tcp_outgoing_address 172.19.134.2
> visible_hostname 172.19.134.2
> server_persistent_connections off
> logfile_rotate 1
> error_maphttp://localhost:1000/abp/squidError.do  404
> memory_pools off
> store_objects_per_bucket 100
> strip_query_terms off
> coredump_dir //var/cache
> store_dir_select_algorithm round-robin
> cache_peer 172.19.134.2 parent 1000 0 no-query no-digest originserver
> name=aportal
> cache_peerwww.abc.com  parent 80 0 no-query no-digest originserver name=dotcom
> cache_peer guides.abc.com parent 80 0 no-query no-digest originserver
> name=travelguide
> cache_peer selfcare.abc.com parent 80 0 no-query no-digest
> originserver name=selfcare
> cache_peer abcd.mediaroom.com parent 80 0 no-query no-digest
> originserver name=mediaroom
> acl webtrends url_regex ^http://statse\.webtrendslive\.com
> acl the_host dstdom_regex xyz\.abc\.com
> acl abp_regex url_regex ^http://xyz\.abc\.com/abp
> acl gbp_regex url_regex ^http://xyz\.abc\.com/gbp
> acl abcdstatic_regex url_regex ^http://xyz\.goginflight\.com/static
> acl dotcom_regex url_regex ^www\.abc\.com
> acl dotcomstatic_regex url_regex ^www\.abc\.com/static
> acl travelguide_regex url_regex ^http://guides\.abc\.com
> acl selfcare_regex url_regex ^http://selfcare\.abc\.com
> acl mediaroom_regex url_regex ^http://abcd\.mediaroom\.com
> never_direct allow abp_regex
> cache_peer_access aportal allow abp_regex
> cache_peer_access aportal allow abp_regex
> cache_peer_access dotcom allow dotcom_regex
> cache_peer_access dotcom allow dotcomstatic_regex
> cache_peer_access travelguide allow travelguide_regex
> cache_peer_access selfcare allow selfcare_regex
> cache_peer_access mediaroom allow mediaroom_regex
> cache deny webtrends
>
> Do i need to tune squid.conf / tcp parameters in order to address this issue?
> Please share your suggestions on this.
>
> Regards,
> Saravanan N