Re: [squid-users] Slow connection through proxy

From: Chris Robertson <crobertson@dont-contact.us>
Date: Thu, 09 Aug 2007 17:07:26 -0800

Julian Pilfold-Bagwell wrote:
> Hi All,
>
> I have a problem with my proxy and Windows clients on certain ip
> ranges on my network.
>
> I've just upgraded my network from a single LDAP/Samba server running
> on Mandriva 2007 to a dual redundant setup with DNS, NTP and LDAP
> master/slave on two servers with a separate PDC and BDC pair
> authenticating and providing file shares. Authentication on the
> network for users is fast as lightning. On the old network I had a
> Mandriva 2007 box with Squid proxying and NTLM auth and this machine
> has been moved to the new setup. Clients are spread across three IP
> ranges 172.20.0., 172.20.1. and 172.20.2. with the 0 range being
> assigned static IPs and the one and two ranges collecting an IP from
> DHCPD.
>
> If I connect a client to the network, it obtains an address from the
> DHCP server along with DNS, gateway and WINS server settings but the
> connection via Squid is slow e.g. 30-120 seconds to obtain a page. If
> I take the settings from ipconfig and enter them manually but with an
> IP in the 172.20.0 range, it works perfectly with pages appearing
> within 1-2 seconds.

Perhaps it's an issue with reverse DNS for the 172.20.1.0/23 subnet.
Squid is trying to perform reverse DNS lookups on clients on that
netblock and is hanging there...

>
> nslookup returns IPs within a second on the proxy and clients and
> su'ing to a user account on the proxy takes a split second, suggesting
> that nss and pam_smb are authenticating OK.

If you've specified that the clients use proxy, their access to DNS
should have little effect on surfing speed (barring client proxy exceptions).

>
> On the old network, the proxy worked fine across all three IP ranges,
> on the new it behaves as above. Is there anywhere I should be looking
> in particular for clues to this one.

Watch a network trace between a DHCP client and the proxy. Check the
access.log for how long it takes to "register" the completed request
(and how long the request took to complete). Check to see if the proxy
server can perform RDNS queries on all three subnets.

> I'll be out of the office until Monday but I'll check the mail as soon
> as I can for a reply.
>
> Many thanks,
>
> Julian PB

Chris
Received on Thu Aug 09 2007 - 19:07:40 MDT
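
The access.log check suggested in the reply above can be scripted. The following is an added example, not part of the original thread or of Squid itself: it groups the elapsed-time field of Squid's native access.log format by client subnet so the static and DHCP ranges can be compared. The sample log lines, user names, and the 10-second threshold are constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1186707000.101   1350 172.20.0.15 TCP_MISS/200 5120 GET http://example.com/ jsmith DIRECT/192.0.2.10 text/html
1186707001.202    980 172.20.0.22 TCP_MISS/200 2048 GET http://example.com/a.css jsmith DIRECT/192.0.2.10 text/css
1186707002.303  45210 172.20.1.37 TCP_MISS/200 5120 GET http://example.com/ akhan DIRECT/192.0.2.10 text/html
1186707003.404  98760 172.20.2.80 TCP_MISS/200 5120 GET http://example.com/ blee DIRECT/192.0.2.10 text/html
1186707004.505  31400 172.20.1.41 TCP_MISS/200 2048 GET http://example.com/a.css akhan DIRECT/192.0.2.10 text/css
this line is malformed and is skipped
"""

def elapsed_by_subnet(log_text, prefix_len=24):
    """Collect per-request elapsed times (ms) keyed by client subnet."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        try:
            elapsed_ms = int(fields[1])
            net = ipaddress.ip_network(f"{fields[2]}/{prefix_len}", strict=False)
        except ValueError:
            continue  # non-numeric elapsed, or client logged as a hostname
        buckets[str(net)].append(elapsed_ms)
    return dict(buckets)

def summarize(buckets):
    """Request count, median and maximum elapsed time per subnet."""
    return {
        net: {"requests": len(v), "median_ms": statistics.median(v), "max_ms": max(v)}
        for net, v in sorted(buckets.items())
    }

def slow_subnets(summary, threshold_ms=10000):
    """Subnets whose median request time is at or above the threshold."""
    return [net for net, s in summary.items() if s["median_ms"] >= threshold_ms]

if __name__ == "__main__":
    summary = summarize(elapsed_by_subnet(SAMPLE_LOG))
    for net, stats in summary.items():
        print(net, stats)
    print("slow:", slow_subnets(summary))
```

If the DHCP ranges show small elapsed values while browsers on them still wait, the delay is occurring before the request reaches Squid, and the network trace is the place to look.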