Re: Unable to access a device over port 4434

On 16.10.24 13:43, Piana, Josh wrote:
I have the firewalld service disabled. I'm running RHEL 9.4, if that helps at all.

try running:
	iptables -L -n -v
	iptables -t nat -L -n -v
or
	nft list tables
	nft list table ip filter
to see if you have any rules that block outgoing traffic.

Perhaps you can check

sysctl net.ipv4.tcp_ecn

and set it to '0' if it helps.

Would a PAC file make a difference in the connection to the firewall? When comparing our old squidbox to the one I'm setting up, that's one of the outliers.

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, October 16, 2024 7:56 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Unable to access a device over port 4434



On 15.10.24 20:39, Piana, Josh wrote:
Thank you for getting back to me and clarifying.

I ran this command:
#wget -Y off 172.27.46.253

Response:
Connecting to 172.27.46.253:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Connecting to 172.27.46.253:443... connected.
ERROR: The certificate of '172.27.46.253' is not trusted.
ERROR: The certificate of '172.27.46.253' doesn't have a known issuer.
The certificate's owner does not match hostname '172.27.46.253'

When I tried using port 4434, the wget command just times out.

this means that your squid machine is apparently blocked from connecting to the remote host on port 4434.

Either that host blocked connections from your squid machine, or your squid machine (or any device on your network) has a firewall rule that prevents this.

This is not a squid error.

Do you have a local firewall on your squid machine?


So with the errors given, would that stop us from connecting to it? Typically with sites with trust issues or certification issues, you can still bypass it. We'd like to do the same here if applicable.

On 11/10/24 07:21, Piana, Josh wrote:
I apologize, I was unable to read any of the links that were responded with because our environment appended the "eur02.safelinks.protection.outlook.com..." Outlook protection. Did you see that as well on your side? When I did click the links to view them, it just stated as failed.

What I gather from what you said was that it's not likely Squid is the issue. Even when we bypass Squid it does work. FWIW, it's possible that there is some other network problem coming into play here on our side. Though I did try to verify there's no blockages from the firewall, the networks, the traffic, etc.


FTR; the critical detail in what Matus wrote was that the "wget" (or
curl if you prefer) connection test **must** be performed
 A) on the Squid machine,
 B) using the same low-privileges user account that Squid runs with,
 D) to the same server IP address Squid is trying to contact.

That ensures the TCP connection privileges are as close to identical to what Squid is doing.

Running it from another machine and/or user account may encounter different firewall or routing behaviour that hides the real issue.

If that test provides a successful TCP connection, *and* HTTP response message, the next step is to


Also, FYI; your custom change to the timestamp has somehow lost the "duration" value, so I/we cannot tell if this was a probable TCP FIN/RST (hint of firewall problem) or a SYN+ACK timeout (hint of routing problem).

I suppose from here I'll try to troubleshoot other things.

Alternatively, do you think I should try to create an ACL which bypasses any filters or rules to that network?

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On
Behalf Of Matus UHLAR - fantomas
Sent: Thursday, October 10, 2024 3:21 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Unable to access a device over port 4434



On 09.10.24 19:59, Piana, Josh wrote:
I'm running into an issue wherein, when using Squid proxy, I'm unable to get to one of our management devices from port 4434.

I've already verified that this device is not blocking access from the proxy directly, and should be allowed to get to the access page.

- When reviewing the access logs, I can see that we're running into a generic 503 error
- When browsing to this page, it will attempt to load for about 30 seconds, and then fail
- The webpage response is a generic "The system returned: (110) Connection timed out"
- When we forgo the proxy, we can access it without an issue

This device is located on a 172.0.0.0/8 internal network.

- Other devices which do NOT use this port are accessible
- Changing the access port is not an option (not up to me)

Access Log entry:
09/Oct/2024:15:54:21 -0400.758 10.46.49.190 TCP_MISS/503 4448 GET
HIER_DIRECT/172.27.46.253 text/html ERR_CONNECT_FAIL/WITH_SERVER


I guess the correct URL is:

have you tried running following directly from the squid machine?

wget -Y off


Because ERR_CONNECT_FAIL/WITH_SERVER and "Connection timed out" both say that squid was unable to open a connection to the server,

which is not a squid issue but a network connection issue.

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
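The connect test the thread recommends (run on the Squid box, as the user Squid runs as, directly to the same IP:port) and the RST-versus-SYN-timeout distinction, as an added example that is not part of any message in the thread. It assumes curl and sudo are available and that the Squid service user is "squid" (override with SQUID_USER); the host and port are the ones from the thread.

```shell
#!/bin/bash
# Added example, not from the squid-users thread. Reproduces the advice above:
# test from the Squid machine, as Squid's own (low-privilege) user, to the exact
# server IP and port, with no proxy in the path (like HIER_DIRECT in the log).
# Assumptions: curl is installed, sudo may run commands as the Squid user,
# and that user is "squid" unless SQUID_USER says otherwise.

# Map curl's exit status to the TCP-level symptom the diagnosis cares about.
# A cert error (60) or TLS error (35) still proves the TCP connect worked,
# which is why wget's certificate complaints on port 443 were not the problem.
classify_curl_exit() {
    case "$1" in
        0)  echo "ok: TCP connect and HTTP exchange succeeded" ;;
        7)  echo "refused/reset: port closed or filtered with RST (firewall hint)" ;;
        28) echo "timeout: no SYN+ACK within the limit (routing or silent-drop hint)" ;;
        35) echo "tls-handshake: TCP connected, TLS failed (not a connectivity problem)" ;;
        60) echo "untrusted-cert: TCP and TLS connected, cert not trusted (not connectivity)" ;;
        *)  echo "other: curl exit $1, see EXIT CODES in 'man curl'" ;;
    esac
}

# probe_as_squid HOST PORT [SCHEME] [CONNECT_TIMEOUT_SECONDS]
# --noproxy '*' ignores any http_proxy/https_proxy in the environment so the
# connection really is direct; --connect-timeout bounds the SYN wait so a
# silent drop shows up as exit 28 instead of hanging like the 30 s Squid wait.
probe_as_squid() {
    local host="$1" port="$2" scheme="${3:-https}" limit="${4:-30}" rc=0
    local user="${SQUID_USER:-squid}"
    if sudo -u "$user" curl -sS -o /dev/null --noproxy '*' \
            --connect-timeout "$limit" --max-time "$((limit + 10))" \
            -w 'http=%{http_code} connect=%{time_connect}s\n' \
            "$scheme://$host:$port/"; then
        rc=0
    else
        rc=$?
    fi
    classify_curl_exit "$rc"
    return "$rc"
}

# Usage (the device from the thread): probe_as_squid 172.27.46.253 4434
```

Compare the result with the same probe run as root or from another host; a difference points at per-user or per-host firewall rules rather than at Squid.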