On Wednesday 26 February 2014 at 11:40:59, Paul Carew wrote:
> Thanks Amos.
>
> This is now resolved and appears to have been related to iptables on
> the upstream Squid server.
>
> Originally I was accepting --state NEW connections only on the
> upstream Squid server's iptables configuration. By removing the
> --state NEW component and just accepting all tcp connections between
> the relevant IP addresses and ports all of the connection failed error
> messages have vanished from Squid's cache logs.
I assume you mean you were accepting both NEW and ESTABLISHED?
> I'll look into iptables as I'm puzzled why it would block a SYN packet
> on a --state NEW rule match.
--state NEW would not block SYN, but it would block ACK and SYN,ACK
You'd need --state ESTABLISHED to allow those through.
Hope that helps,
Antony.
--
All matter in the Universe can be placed into one of two categories:
1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with
them.
Please reply to the list;
please don't CC me.
