[squid-users] site works unproxied but "conn reset by peer" via squid

From: Adam <adam-s@dont-contact.us>
Date: Fri, 27 Feb 2004 17:16:43 -0800

Hello,

We have a problem for which I was unable to find an explanation or solution
via the list archives or FAQ: We are able to access the site
www.calottery.com (don't ask - we just support the users :) unproxied
(directly through our Pix firewall) but when going through our Squid
2.5STABLE3 proxy it takes forever to time out, then gives this error:
"While trying to retrieve the URL: http://www.calottery.com/
The following error was encountered:
Read Error
The system returned: (131) Connection reset by peer
An error condition occurred while reading data from the network "

Their server is running IIS 5 per Netcraft, and the site of the people who
did their site for them (and I think host it) also fails: www.jel.net.
Hitting sub-links like
http://www.calottery.com/images/games/superlottoplus/superlottoplus.asp or
just /images pulls up responses, so their server works and our server can
talk to them. Perhaps it is something with their ASP pages, but if that
is the case I am wondering why Squid can't talk to them.

Checking the archives, most "connection reset by peer" posts resolve with
"ignore them." As to the FAQ, 11.41 also says this and says that if this
is a M$oft server then the server may just be really busy. If that were the
case, why would it be very zippy unproxied? 17.10 looks interesting, but I
have been assured that we are not using Cisco policy routing, so I don't think
it applies. For the record, the Pix guy also said that we have no "fixup"
(e.g. to adjust destination port addresses) and no filter (we are not
filtering ActiveX or anything).

It used to work and it's a pretty vanilla installation. We have about 2000
users and 99% of the other sites are working fine. Everyone has the proxy's
address hardcoded in their browser and the proxy goes out directly (no
peers/parents). The only non-standard thing I can think of that we do is
I use tcp_outgoing_address to split half our VLANs onto one T1 and the
other half onto the other. This is quite old and we haven't changed
anything on Squid in a while. The only change we've made since this broke on
Feb 5th is we switched from a Checkpoint firewall to the Pix firewall (no
content engines, just the firewall). So I searched for that, as that is the
only new change, but searching for Pix shows problems with WCCP and
transparent proxying, and we are using neither. Furthermore we are using
Solaris 2.8 on an Ultra 60, so the ECN problems I also saw wouldn't seem to
apply. Some issue on routing came up, so I am asking the network group to
look into routing, but if we can get to some sub-pages (see above) and the
whole site unproxied, I don't think that is the issue.

I am 1 rev behind (STABLE3 instead of 4), but I didn't see anything specific
to this kind of problem in the change log, except possibly:
"Bug #699: Host header now forwarded exactly where it was in the original
request to work around certain broken firewalls or load balancers which
fail if this header is too far into the request headers." I am not enough
of an expert to know if that is the fix or not and will try up-revving if
you think that might work, but I don't think that is the source of the
problem. Then again I am stumped, so I am willing to try anything (we have a DEV
Squid proxy that is identical to the other, so I am working on that). I
tried clearing the cache (echo "" > swap.state method) and adding
calottery.com to the notcached directive (restarting each time), and both
failed to resolve the problem.

Anyhow sorry for the lengthy post but I wanted to be clear on what I had
checked and what I have. So if you have any ideas or suggestions, I would
be most appreciative.

thanks,

Adam
Received on Fri Feb 27 2004 - 18:53:54 MST
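Editor's added example (not part of the post above, and not Squid code): the
change-log entry for Bug #699 quoted in the post describes middleboxes that
fail when the Host header sits "too far into the request headers". The script
below models that failure so the effect of header ordering can be seen without
a network: it serialises a request two ways, keeping the client's header order
(the post-fix behaviour the change log describes) and pushing Host behind the
proxy's own headers (an assumed pre-fix ordering, not a verified description
of 2.5STABLE3), and then checks each against a hypothetical device that only
scans the first 128 bytes for Host. The window size, the sample browser headers
and the "Host last" ordering are all constructed assumptions; the practical
check on a real proxy is to capture what it emits toward the origin and look
at where Host lands in the request.

```python
"""Model of the Host-header-position failure described for Squid Bug #699.

Illustration added by the editor; the scan window, the sample headers and the
pre-fix header ordering are assumptions, not Squid's actual code paths.
"""

# Assumed: the broken middlebox only inspects this many bytes for "Host:".
HOST_WINDOW = 128

# Constructed sample of what a 2004-era browser would send, Host first.
CLIENT_HEADERS = [
    ("Host", "www.calottery.com"),
    ("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"),
    ("Accept-Language", "en-us"),
    ("Accept-Encoding", "gzip, deflate"),
    ("Connection", "Keep-Alive"),
]


def build_request(method, path, headers, version="HTTP/1.0"):
    """Serialise a request line plus headers, in exactly the order given."""
    lines = [f"{method} {path} {version}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def host_header_offset(raw):
    """Byte offset at which the Host header line starts, or None if absent."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # no end-of-headers marker: malformed request
    offset = 0
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return offset
        offset += len(line) + 2  # line bytes plus the CRLF terminator
    return None


def middlebox_accepts(raw, window=HOST_WINDOW):
    """Model of the broken device: True only if Host starts inside the window.

    A request it rejects is what the client sees as a connection reset.
    """
    off = host_header_offset(raw)
    return off is not None and off < window


def forward_preserving_order(headers, via="1.0 proxy"):
    """Post-fix behaviour per the change log: keep the client's order, add Via."""
    return list(headers) + [("Via", via)]


def forward_host_last(headers, via="1.0 proxy"):
    """Assumed pre-fix behaviour: Host re-emitted after the other headers."""
    host = [h for h in headers if h[0].lower() == "host"]
    rest = [h for h in headers if h[0].lower() != "host"]
    return rest + [("Via", via)] + host


def compare(headers=CLIENT_HEADERS, method="GET", path="/"):
    """Return Host offset and middlebox verdict for both forwarding styles."""
    result = {}
    for name, fwd in (("preserved", forward_preserving_order),
                      ("host_last", forward_host_last)):
        raw = build_request(method, path, fwd(headers))
        result[name] = {
            "host_offset": host_header_offset(raw),
            "accepted": middlebox_accepts(raw),
        }
    return result


if __name__ == "__main__":
    for style, info in compare().items():
        verdict = "passes" if info["accepted"] else "RESET"
        print(f"{style:10s} Host at byte {info['host_offset']:4d} -> {verdict}")
```

Run stand-alone it prints one line per ordering; the order-preserving request
has Host at byte 16 (right after the request line) and passes, while the
Host-last request puts Host past the assumed window and is "reset". The same
offset check applied to a tcpdump of the proxy's outbound request is the
quickest way to tell whether the Bug #699 fix is even relevant to a given site.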

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST