Re: [squid-users] Connection Refused & Explicit Congestion Notification

From: Richard Riehle <rriehle@dont-contact.us>
Date: Fri, 06 Apr 2001 16:11:53 -0500 (CDT)

You're right, Joel: this has been fixed by some IDS vendors via recent software
releases. The sites I listed are either still running old software or
un-fixable IDS systems; I haven't tried to determine which. Also, in looking
back through the squid-users list archives it seems that some sites that
formerly had symptoms of this problem no longer do. They've probably upgraded
their IDS. Either way, there are enough sites out there running bad IDS to force
me to shut off ECN on my Squid boxes and mail servers and news servers and....

 Cheers, Rick

Quoting Joel Jaeggli <joelja@darkwing.uoregon.edu>:

> cisco local-director and pix were big culprit in ecn related issues. but
> that's fixed in modern releases of the software for those platforms. so
> it might be useful to examine what sites still have this issue in more
> detail (are they using un-upgraded local-directors or is it boxes from
> other vendors for which there isn't a fix).
>
> joelja
>
> On Fri, 6 Apr 2001 rriehle@iris.it.luc.edu wrote:
>
> > Squid seems unable to access a number of sites including:
> > www.intel.com
> > www.chicagotribune.com
> > www.computerworld.com
> > www.techrepublic.com
> > www.zdnet.com
> > ...and the list goes on.
> >
> > These sites are most likely using an IDS system that is triggered by
> > TCP/IP stacks that implement ECN (Explicit Congestion Notification).
> > This is not a problem with Squid, but rather an apparent failure on
> > behalf of some IDS vendors to comply with RFCs and properly recognize
> > ECN. One workaround is to disable ECN within the TCP/IP stacks of
> > machines running Squid. On Linux this is easy.
> >

[snip]
Received on Fri Apr 06 2001 - 15:12:42 MDT
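
Added example, not part of the original thread: an ECN-capable client opens a connection with a SYN that also sets the ECE and CWR flags, two TCP header bits that were reserved before ECN was defined. The sketch below parses constructed TCP headers and compares an assumed pre-ECN filter rule (any reserved bit set means invalid) with an ECN-aware one; the function names and both filter models are hypothetical, not taken from any vendor's product.

```python
import struct

# TCP flag bits in byte 13 of the header; ECE and CWR occupy two bits that
# were "reserved, must be zero" before ECN was defined.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_tcp_header(flags, sport=40000, dport=80, seq=1):
    """Constructed 20-byte TCP header (no options, checksum left at 0)."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 65535, 0, 0)

def tcp_flags(header):
    """Return the 8 flag bits (CWR..FIN) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def is_ecn_setup_syn(header):
    """An ECN-capable client opens with SYN + ECE + CWR and no ACK."""
    f = tcp_flags(header)
    return f & (SYN | ACK | ECE | CWR) == (SYN | ECE | CWR)

def legacy_filter_accepts(header):
    """Assumed pre-ECN rule: a set ECE or CWR bit is treated as invalid."""
    return tcp_flags(header) & (ECE | CWR) == 0

def ecn_aware_filter_accepts(header):
    """ECN-aware rule: ECE/CWR are legal; SYN with FIN or RST is still rejected."""
    f = tcp_flags(header)
    return not (f & SYN and f & (FIN | RST))

def classify(header):
    """Summarise how each filter model treats one header."""
    return {
        "ecn_setup_syn": is_ecn_setup_syn(header),
        "legacy": "accept" if legacy_filter_accepts(header) else "drop",
        "ecn_aware": "accept" if ecn_aware_filter_accepts(header) else "drop",
    }

if __name__ == "__main__":
    # Constructed samples: flag combinations only, no captured traffic.
    samples = {"plain SYN": SYN, "ECN-setup SYN": SYN | ECE | CWR, "SYN+FIN": SYN | FIN}
    for name, flags in samples.items():
        print(f"{name:14s}", classify(build_tcp_header(flags)))
```

The ECN-setup SYN is the only sample the two models disagree on, which matches the symptom in the thread: connections fail only from hosts with ECN enabled.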