RE: [squid-users] 110 Timeouts

From: Damian-Grint, Philip <pdamian-grint@dont-contact.us>
Date: Wed, 22 May 2002 12:27:48 +0100

Henrik

It is a weird one... all our machines (500 or so) are behind the same
transparent firewall (Guardian 4).. I have the Linux/squid box and the
proxied Win2k box at my desk, and I can type echo 1 >
/proc/sys/net/ipv4/tcp_timestamps at the Linux box and type in
www.marasystems.com on the Win2k box ... nothing doing... echo 0 >
/proc/sys/net/ipv4/tcp_timestamps and retry on the Win2k machine... straight
through! I can enable/disable/enable ad infinitum and get it to happen every
time.

tcp_ecn is off - and interestingly, I didn't disable it myself - but I
thought that 7.2 out of the box was supposed to have it enabled by default??

path to the Internet is Cisco 3524XL (VLAN10) - Cisco 2948G-L3 - Cisco
3524XL (VLAN1) - NT Firewall box - Cisco 1600 - ISP ... I can get any info
you like from these

here is a snippet from my original trace taken on the same segment as the
squid box - however this is from Sniffer 2.1.. I will get a couple of
Ethereal or tcpdump snaps with and without the tcp_timestamps and post them
here later today... I suppose another logical check would be to get a trace
on the dirty side of the firewall as well

Regards

Phil DG

-----Original Message-----
From: Squid Support (Henrik Nordstrom) [mailto:hno@marasystems.com]
Sent: 21 May 2002 22:13
To: Damian-Grint, Philip; Squid-Users (E-mail)
Subject: Re: [squid-users] 110 Timeouts

Hmm.. I always have PAWS enabled (timestamp option, and the use of
it). Never experienced any problems from it except for once some years
ago due to a malfunctioning Radware load balancer which corrupted the
timestamp option if both server and client supported timestamps.

Have no problem accessing any of the listed sites with timestamps
enabled.

Could there be something between you and the sites causing your
problems? Such as a malfunctioning load balancer, firewall,
incorrectly configured transparent proxy or anything similar?

btw: www.marasystems.com is running on Linux-2.4.X, Squid-2.5 and
Apache. And yes, PAWS is enabled but not ECN.

Regards
Henrik Nordström
MARA Systems AB <http://www.marasystems.com/>

On Tuesday 21 May 2002 16:41, Damian-Grint, Philip wrote:
> I thought I would share my experience of the seemingly obscure
> cause of this symptom.... as I can't believe that I am the only
> person who has had this problem...
>
> After comparing packet traces just using the bare telnet client
> from Linux to working and non-working sites, I found that the
> problem seemed to be linked to tcp_timestamps support:
>
> It seems that (my installation of) Linux 7.x has tcp_timestamps
> enabled and present in the outgoing SYN. Those sites which were
> having problems were responding with tcp_timestamps also present in
> the SYN/ACK TCP options, but there must have been something
> about these which caused Linux to immediately send RST and start
> over again. Responding sites which didn't include tcp_timestamps in
> the options completed handshaking and continued as normal.
>
> When I set net.ipv4.tcp_timestamps = 0, the problem went
> away...(while I was there, and after it was working, I switched off
> tcp_window_scaling and tcp_sack just in case)
>
> I understand nothing, but it works now.
>
> If anyone can shed some light on what might be going on here, I
> would read with interest...
>
> Regards
>
> Phil DG
>
> -----Original Message-----
> From: Damian-Grint, Philip [mailto:pdamian-grint@collierscre.co.uk]
> Sent: 20 May 2002 23:59
> To: Squid-Users (E-mail)
> Subject: [squid-users] 110 Timeouts
>
>
> Hello,
>
> Perhaps this is one of those obvious newbie things that everyone
> gets when they start with Squid, but it seems that however I build
> my Squid server, I consistently get a number of (the same) sites
> which are inaccessible (response 110 timed out connection), but
> come up ok when I go direct... most sites are not a problem.
> Occasionally, one or two of these might come up after a long
> wait...
>
> Here are some examples of inaccessible urls:
> http://uk.greetings.yahoo.com
> http://www.baa.co.uk
> http://www.canon.co.uk
> http://www.gnupg.org
> http://www.marasystems.com
>
> yet for each of these there are many sites which have no problem at
> all... sometimes (apparently) even part of the same site for which
> I have problems in other parts of the site... e.g.
> www.bbc.co.uk/weather is fine, but www.bbc.co.uk/news or
> www.bbc.co.uk/sport will always time out (I think they both
> redirect to news.bbc.co.uk)
>
> Linux 7.2, Latest STABLE6 tarball, behind a transparent (Guardian)
> firewall with all outbound ports open for the squid server
>
> Is there something about the way these sites behave that I'm not
> handling properly... is there some specific information which would
> help further?
>
> Thank you
>
> Phil DG
>
>
> ___________________________________________________________________
>_____ This e-mail has been scanned for all viruses by Star Internet.
> The service is powered by MessageLabs. For more information on a
> proactive anti-virus service working around the clock, around the
> globe, visit: http://www.star.net.uk
> ___________________________________________________________________
>_____

-- 
MARA Systems AB, Giving you basic free Squid support
Your source of advanced web reverse proxying solutions
http://www.marasystems.com/products/
Received on Wed May 22 2002 - 05:28:36 MDT
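
An added example, not part of the original thread: one check to run on the promised traces is whether the TSecr field in the SYN/ACK echoes the TSval sent in the SYN, which is what RFC 1323 specifies and what a middlebox that rewrites the timestamp option would break. The option bytes are constructed samples, and the function names are this example's own; it assumes a single, un-retransmitted SYN.

```python
import struct

EOL, NOP, TIMESTAMP = 0, 1, 8  # TCP option kinds

def parse_timestamp(options: bytes):
    """Return (TSval, TSecr) from raw TCP option bytes, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == EOL:
            break
        if kind == NOP:  # single-byte padding, carries no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option kind {kind} has no length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"option kind {kind} has bad length {length}")
        if kind == TIMESTAMP:
            if length != 10:
                raise ValueError(f"timestamp option length {length}, expected 10")
            return struct.unpack("!II", options[i + 2:i + 10])
        i += length
    return None

def check_handshake(syn_opts: bytes, synack_opts: bytes) -> str:
    """Compare the SYN's TSval with the SYN/ACK's TSecr."""
    try:
        syn_ts = parse_timestamp(syn_opts)
        ack_ts = parse_timestamp(synack_opts)
    except ValueError as exc:
        return f"malformed: {exc}"
    if syn_ts is None or ack_ts is None:
        return "timestamps not negotiated"
    if ack_ts[1] != syn_ts[0]:
        return f"TSecr mismatch: sent {syn_ts[0]}, echoed {ack_ts[1]}"
    return "ok"

# Constructed option fields: MSS, SACK-permitted, timestamp, NOP, window scale.
SYN         = bytes.fromhex("020405b4" "0402" "080a0012d68700000000" "01" "030300")
SYNACK_GOOD = bytes.fromhex("020405b4" "0402" "080a05f5e1000012d687" "01" "030300")
SYNACK_BAD  = bytes.fromhex("020405b4" "0402" "080a05f5e1000012d600" "01" "030300")
SYNACK_NOTS = bytes.fromhex("020405b4")  # peer did not offer timestamps

if __name__ == "__main__":
    for name in ("SYNACK_GOOD", "SYNACK_BAD", "SYNACK_NOTS"):
        print(name, "->", check_handshake(SYN, globals()[name]))
```

Running the same comparison on captures from both sides of the firewall shows whether the option is altered in transit or arrives from the server already wrong.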

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:11 MST