[squid-users] TCP_MISS followed by multiple TCP_DENIED

From: Paul Cocker <paul.cocker_at_tntpost.co.uk>
Date: Thu, 18 Dec 2008 18:00:04 -0000

I'm having a problem with a lot of timeouts or failures to connect to a
particular website. A typical section of the log is as follows:
 
1229617601.885 156 192.168.1.1 TCP_MISS/200 39 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617603.854 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617603.869 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
1229617605.619 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617605.619 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
1229617666.368 62499 192.168.1.1 TCP_MISS/200 56565 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617671.352 65733 192.168.1.1 TCP_MISS/200 8176 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617683.118 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617683.118 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
1229617689.508 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617689.508 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
1229617756.007 72889 192.168.1.1 TCP_MISS/200 338369 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617761.007 71499 192.168.1.1 TCP_MISS/200 159880 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617826.881 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617826.881 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
 
We're using NTLM authentication for outgoing connections and at first I
thought perhaps the above was the three connections, something I'd heard
about NTLM, but if I check against something like google.com then I see
only username after username, no multiple denied entries.
 
I've spoken to the vendor and they say there's nothing special about the
page, it's an HTTPS logon page. Checking the ntlmauthenticator shows
there have been three periods over the course of the day where we had an
authentication backlog, but that's it. Is that the likely cause?
Performance-wise everything is fine with squid.
 
This is under squid 2.7 STABLE5
 

Paul Cocker

Received on Thu Dec 18 2008 - 17:59:55 MST
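
Added example, not part of the original post: Squid writes an access.log entry when a request finishes, so a CONNECT tunnel began at its timestamp minus the elapsed milliseconds. The Python below uses that to attach each TCP_DENIED/407 line in the posted log to the authenticated CONNECT that started at the same moment; the function names and the 100 ms matching window are assumptions of this example.

```python
from collections import namedtuple

# Entries from the post above, with the mail-wrapped lines rejoined.
SAMPLE_LOG = r"""
1229617601.885 156 192.168.1.1 TCP_MISS/200 39 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617603.854 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617603.869 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
1229617605.619 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617605.619 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
1229617666.368 62499 192.168.1.1 TCP_MISS/200 56565 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617671.352 65733 192.168.1.1 TCP_MISS/200 8176 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617683.118 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617683.118 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
1229617689.508 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617689.508 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
1229617756.007 72889 192.168.1.1 TCP_MISS/200 338369 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617761.007 71499 192.168.1.1 TCP_MISS/200 159880 CONNECT web.site.com:443 domain\user DIRECT/170.146.245.34 -
1229617826.881 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT web.site.com:443 - NONE/- text/html
1229617826.881 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT web.site.com:443 - NONE/- text/html
"""

Entry = namedtuple("Entry", "done_ms elapsed_ms client status url user")

def parse(line):
    # Native format: time elapsed client code/status bytes method URL user hierarchy type
    f = line.split()
    done_ms = int(f[0].replace(".", ""))  # assumes Squid's three decimal places
    return Entry(done_ms, int(f[1]), f[2], int(f[3].split("/")[1]), f[6], f[7])

def correlate(log_text, window_ms=100):
    """Pair each 407 with the request that *started* within window_ms of it."""
    entries = [parse(l) for l in log_text.splitlines() if l.strip()]
    challenges = [e for e in entries if e.status == 407]
    used, tunnels = set(), []
    for e in (x for x in entries if x.status != 407):
        # The entry is written when the request ends, so subtract its duration.
        start_ms = e.done_ms - e.elapsed_ms
        hits = [i for i, c in enumerate(challenges)
                if i not in used and (c.client, c.url) == (e.client, e.url)
                and abs(start_ms - c.done_ms) <= window_ms]
        used.update(hits)
        tunnels.append((start_ms, e.elapsed_ms, e.user, len(hits)))
    return tunnels, len(challenges) - len(used)

if __name__ == "__main__":
    tunnels, unmatched = correlate(SAMPLE_LOG)
    for t in tunnels:
        print("start_ms=%d elapsed_ms=%d user=%s 407s_at_start=%d" % t)
    print("407s without a finished request in this excerpt:", unmatched)
```

On the posted excerpt, each of the four long tunnels starts at the instant of a pair of 407 lines, and the final pair has no finished request inside the excerpt.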