Re: [squid-users] Enc: failure notice

>Probably you are running short on filedescriptors. There is a threshold
of
>50% used filedescriptors above which Squid will refuse to support
>persistent connections. As you already know NTLM requires persistent
>connections due to design error in the NTLM over HTTP protocol.

>This threshold was introduced in 2.5.STABLE5:
>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE4-pconn-load

Hi Henrik;
Thanks for the reply, I think you discovered my problem. Just one thing
did not make sense, my squid runs almost all of the time above 50% of used
file descriptors with no problem. So I went to the bug #571 history
(http://www.squid-cache.org/bugs/show_bug.cgi?id=571) and discovered that
the actual threshold is 25% of available file descriptors or
ReservedFDs*2:

"------- Additional Comment #5 From Henrik Nordstrom 2003-12-14 04:44
[reply] -------
Created an attachment (id=285) [edit]
Proposed patch

This patch makes Squid stop using persistent connections if less than 25%
or
RESERVED_FD*2 filedescriptors free.
Also does the same on client-side persistent connections."

I have 1024 FDs and 100 reserved FDs, and I start to have problems above
800 used FDs, so I am almost completely sure that this is my problem.
Thanks again, Henrik!

Rafael Sarres de Almeida
Seção de Gerenciamento de Rede
Superior Tribunal de Justiça
Tel: (61) 319-9342

Henrik Nordstrom <hno@squid-cache.org>
19/06/2005 22:13

Para
Rafael.Almeida@stj.gov.br
cc
Squid Users <squid-users@squid-cache.org>
Assunto
Re: [squid-users] Enc: failure notice

On Fri, 17 Jun 2005 Rafael.Almeida@stj.gov.br wrote:

> Sometimes (during peak hours) our squid is closing the connection
> after receiving the NTLM type 2 message. The complete attempt is
described
>
> below:
> 1- IE sends a HTTP GET with no authentication
> 2- Squid answers with HTTP 407 and closes the connection (Proxy
> connection: close)
> 3- IE reopens the connection and sends a HTTP GET with NTLMv2 Type 1
> message
> 4- Squid answers with HTTP 407, the NTLM Type 2 message and closes the
> connection again: (Proxy connection: close)
> 5- IE tries to send NTLM Type3 message but a FIN packet was already sent
> by SQUID, and Squids answers with a reset.

Probably you are running short on filedescriptors. There is a threshold of

50% used filedescriptors above which Squid will refuse to support
persistent connections. As you already know NTLM requires persistent
connections due to design error in the NTLM over HTTP protocol.

This threshold was introduced in 2.5.STABLE5:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE4-pconn-load

It should be possible to refine this to work better together with NTLM
based on the knowledge that the connection MUST be kept for the next stage

of NTLM to complete.. If you feel this is required please file a bug
report.

Regards
Henrik
Received on Mon Jun 20 2005 - 09:06:11 MDT