Re: [squid-users] site works unproxied but "conn reset by peer" via squid

From: sla <>
Date: Sun, 29 Feb 2004 17:52:29 +0530

Dear Adam,


echo 0 > /proc/sys/net/ipv4/tcp_ecn on the squid box
maybe this could help.

----- Original Message -----
From: "Adam" <>
To: <>
Sent: Saturday, February 28, 2004 6:46 AM
Subject: [squid-users] site works unproxied but "conn reset by peer" via

> Hello,
> We have a problem for which I was unable to find an explanation or
> via the list archives or FAQ: We are able to access the site
> (don't ask - we just support the users :) unproxied
> (directly through our Pix firewall) but when going through our Squid
> 2.5STABLE3 proxy it takes forever to time out, then gives this error:
> "While trying to retrieve the URL:
> The following error was encountered:
> Read Error
> The system returned: (131) Connection reset by peer
> An error condition occurred while reading data from the network "
> Their server is running IIS 5 per netcraft and the site of the people who
> did their site for them (and I think host it) also fails:
> Hitting sub-links like
> or
> just /images pulls up responses so their server works and our server can
> talk to them. Perhaps it is something with their ASP pages but then if
> is the case I am wondering why Squid can't talk to them
> Checking the archives, most "connection reset by peer" posts resolve with
> "ignore them." As to the FAQ, 11.41 also says this and says that if
> is a M$oft server then the server may just be really busy. If that were
> case, why would it be very zippy unproxied? 17.10 looks interesting but I
> have been assured that we are not using Cisco policy routing so don't
> it applies. For the record, the Pix guy also said that we have no "fixup"
> (e.g. to adjust destination port addresses) and no filter (we are not
> filtering Active X or anything
> It used to work and it's a pretty vanilla installation. We have about
> users and 99% of the other sites are working fine. Everyone has the
> address hardcoded in their browser and the proxy goes out directly (no
> peers/parents). The only non-standard thing I can think of that we do
> I use the tcp_outgoing_address to split half our VLANs onto one T1 and the
> other half onto the other. This is quite old and we haven't changed
> anything on Squid in a while. The only change we've made since this broke
> Feb 5th is we switched from a Checkpoint Firewall to the Pix firewall (no
> content-engines, just the firewall). So I searched for that as that is
> only new change but searching for Pix shows problems with WCCP and
> Transparent proxying but we are using neither. Furthermore we are using
> Solaris 2.8 on an Ultra 60 so the ECN problems I also saw wouldn't seem to
> apply. Some issue on routing came up so I am asking the network group to
> look into routing but if we can get to some sub-pages (see below) and the
> whole site unproxied, I don't think that is the issue.
> I am 1 rev behind Stable3 instead of 4, but I didn't see anything specific
> to this kind of problem in the change_log, except possibly :
> "Bug #699: Host header now forwarded exactly where it was in the original
> request to work around certain broken firewalls or load balancers which
> fail if this header is too far into the request headers." I am not
> of an expert to know if that is the fix or not and will try up-revving if
> you think that might work but I don't think that is the source of the
> problem. Then again I am stumped so willing to try anything (we have a
> Squid proxy that is identical to the other, so I am working on that. I
> tried clearing the cache (echo "" > swap.state method) and adding
> to the notcached directive (restarting each time) and both
> failed to resolve the problem.
> Anyhow sorry for the lengthy post but I wanted to be clear on what I had
> checked and what I have. So if you have any ideas or suggestions, I
> be most appreciative.
> thanks,
> Adam
Received on Sun Feb 29 2004 - 18:25:33 MST