Hello,

After running the below commands, I did restart squid and tested again. No luck.

Here's the outputs:

# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# nft list tables
No output

# nft list table ip filter
Error: No such file or directory
list table ip filter
              ^^^^^^

# they also recommended changing sysctl "net.ipv4.tcp_ecn" to '0'
# sysctl net.ipv4.tcp_ecn=0
# confirm
# sysctl net.ipv4.tcp_ecn
net.ipv4.tcp_ecn = 0

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
Sent: Wednesday, October 16, 2024 10:22 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Unable to access a device over port 4434

Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.

On 16.10.24 13:43, Piana, Josh wrote:
>I have the firewalld service disabled. I'm running RHEL 9.4, if that helps at all.

try running:

iptables -L -n -v
iptables -t nat -L -n -v

or

nft list tables
nft list table ip filter

to see if you have any rules that block outgoing traffic.

Perhaps you can check sysctl net.ipv4.tcp_ecn and set it to '0' if it helps.

>Would a PAC file make a difference in the connection to the firewall?
>When comparing our old squidbox to the one I'm setting up, that's one of the outliers.
>
>-----Original Message-----
>From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
>Sent: Wednesday, October 16, 2024 7:56 AM
>To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>Subject: Re: Unable to access a device over port 4434
>
>On 15.10.24 20:39, Piana, Josh wrote:
>>Thank you for getting back to me and clarifying.
>>
>>I ran this command:
>>#wget -Y off 172.27.46.253
>>
>>Response:
>>--2024-10-15 16:36:15--
>>http://172.0.0.0/
>>Connecting to 172.27.46.253:80... connected.
>>HTTP request sent, awaiting response... 301 Moved Permanently
>>Location:
>>https://0.0.0.172/.
>>[following]
>>--2024-10-15 16:36:15--
>>https://0.0.0.172/.
>>Connecting to 172.27.46.253:443... connected.
>>ERROR: The certificate of '172.27.46.253' is not trusted.
>>ERROR: The certificate of '172.27.46.253' doesn't have a known issuer.
>>The certificate's owner does not match hostname '172.27.46.253'
>>
>>When I tried using port 4434, the wget command just times out.
>
>this means that your squid machine is apparently blocked from connecting to remote host on port 4434.
>
>Either that host blocked connections from your squid machine, or your squid machine (or any device on your network) has a firewall rule that prevents this.
>
>This is not a squid error.
>
>Do you have local firewall on your squid machine?
>
>
>>So with the errors given, would that stop us from connecting to it?
>>Typically with sites with trust issues or certification issues, you
>>can still bypass it. We'd like to do the same here if applicable.
>
>>On 11/10/24 07:21, Piana, Josh wrote:
>>> I apologize, I was unable to read any of the links that were
>>> responded with because our environment appended the
>>> "eur02.safelinks.protection.outlook.com..." Outlook protection. Did
>>> you see that as well on your side? When I did click the links to
>>> view them it just stated as failed.
>>>
>>> What I gather from what you said was that, it's not likely Squid is
>>> the issue. Even when we bypass Squid it does work. FWIW, it's
>>> possible that there is some other network problem coming into play here on our side.
>>> Though I did try to verify there's no blockages from the firewall,
>>> the networks, the traffic, etc.
>
>
>>FTR; the critical detail in what Matus wrote was that the "wget" (or
>>curl if you prefer) connection test **must** be performed
>> A) on the Squid machine,
>> B) using the same low-privileges user account that Squid runs with,
>> D) to the same server IP address Squid is trying to contact.
>>
>>That ensures the TCP connection privileges are as close to identical to what Squid is doing.
>>
>>Running it from another machine and/or user account may encounter
>>different firewall or routing behaviour that hides the real issue.
>>
>>If that test provides a successful TCP connection, *and* HTTP response
>>message the next step is to
>>
>>
>>Also, FYI; your custom change to the timestamp has somehow lost the
>>"duration" value, so I/we cannot tell if this was a probable TCP
>>FIN/RST (hint of firewall problem) or a SYN+ACK timeout (hint of routing problem).
>
>>> I suppose from here I'll try to troubleshoot other things.
>>>
>>> Alternatively, do you think I should try to create an ACL which bypasses any filters or rules to that network?
>>>
>>> -----Original Message-----
>>> From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
>>> Sent: Thursday, October 10, 2024 3:21 AM
>>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> Subject: Re: Unable to access a device over port 4434
>>>
>>> On 09.10.24 19:59, Piana, Josh wrote:
>>>> I'm running into an issue wherein, when using Squid proxy, I'm unable to get to one of our management devices from port 4434.
>>>>
>>>> I've already verified that this device is not blocking access from the proxy directly, and should be allowed to get to the access page.
>>>>
>>>> - When reviewing the access logs, I can see that we're running into a generic 503 error
>>>>
>>>> - When browsing to this page, it will attempt to load for about 30 seconds, and then fail
>>>>
>>>> - The webpage response is a generic "The system returned: (110) Connection timed out"
>>>>
>>>> - When we forgo the proxy, we can access it without an issue
>>>>
>>>> This device is located on a 172.0.0.0/8 internal network.
>>>>
>>>> - Other devices which do NOT use this port are accessible
>>>>
>>>> - Changing the access port is not an option (not up to me)
>>>>
>>>> Access Log entry:
>>>> 09/Oct/2024:15:54:21 -0400.758 10.46.49.190 TCP_MISS/503 4448 GET
>>>> http://0.0.0.172/.
>>>> jpiana \
>>>> HIER_DIRECT/172.27.46.253 text/html ERR_CONNECT_FAIL/WITH_SERVER
>>>
>>>
>>> I guess the correct URL is:
>>> http://0.0.0.172/.
>>>
>>> have you tried running following directly from the squid machine?
>>>
>>> wget -Y off
>>> http://0.0.0.172/.
>>>
>>>
>>> Because ERR_CONNECT_FAIL/WITH_SERVER and "Connection timed out" both say that the squid was unable to open connection to server.
>>>
>>> which is not a squid issue but network connection issue.
>
>--
>Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>"Two words: Windows survives." - Craig Mundie, Microsoft senior
>strategist "So does syphilis. Good thing we have penicillin."
>- Matthew Alton

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
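
The connection test discussed in this thread (run on the Squid machine, under the account Squid runs as, against the same server IP and port), as an added example that is not part of any message on the list. It separates a reset from a silent timeout, the distinction the missing log "duration" would have hinted at; `probe` and `HINTS` are names made up here.

```python
import errno
import socket
import sys
import time

# Readings follow the thread: a reset hints at a firewall or closed port,
# silence hints at dropped packets or a routing problem. Hints, not proof.
HINTS = {
    "connected": "TCP path is open for this host and user; look at HTTP/TLS next",
    "refused": "RST came back: port closed or a firewall rejecting the connection",
    "timeout": "no SYN+ACK: packets silently dropped or no return route",
    "unreachable": "kernel reported no route or an ICMP unreachable",
}

def probe(host, port, timeout=5.0):
    """Attempt one TCP connect and return (verdict, seconds_elapsed)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        verdict = "connected"
    except (socket.timeout, TimeoutError):
        verdict = "timeout"
    except ConnectionRefusedError:
        verdict = "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "unreachable"
        else:
            verdict = "error: " + (exc.strerror or str(exc))
    finally:
        sock.close()
    return verdict, time.monotonic() - start

if __name__ == "__main__":
    # Arguments are the server IP and port Squid is trying to reach,
    # e.g. 172.27.46.253 4434 as reported in the thread.
    host, port = sys.argv[1], int(sys.argv[2])
    verdict, secs = probe(host, port)
    print(f"{host}:{port} {verdict} after {secs:.2f}s: {HINTS.get(verdict, '')}")
```

Run it as the proxy's own account, for example `sudo -u squid python3 probe.py 172.27.46.253 4434`; the file name and the `squid` account name are assumptions.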