Re: [squid-users] TCP_MISS followed by multiple TCP_DENIED

From: Chris Robertson <crobertson_at_gci.net>
Date: Thu, 18 Dec 2008 12:48:13 -0900

Paul Cocker wrote:
> I'm having a problem with a lot of timeouts or failures to connect to a
> particular website. A typical section of the log is as follows:
>
> 1229617601.885 156 192.168.1.1 TCP_MISS/200 39 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617603.854 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617603.869 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617605.619 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617605.619 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617666.368 62499 192.168.1.1 TCP_MISS/200 56565 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617671.352 65733 192.168.1.1 TCP_MISS/200 8176 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617683.118 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617683.118 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617689.508 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617689.508 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617756.007 72889 192.168.1.1 TCP_MISS/200 338369 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617761.007 71499 192.168.1.1 TCP_MISS/200 159880 CONNECT
> web.site.com:443 domain\user DIRECT/170.146.245.34 -
> 1229617826.881 0 192.168.1.1 TCP_DENIED/407 1740 CONNECT
> web.site.com:443 - NONE/- text/html
> 1229617826.881 0 192.168.1.1 TCP_DENIED/407 2016 CONNECT
> web.site.com:443 - NONE/- text/html
>
> We're using NTLM authentication for outgoing connections and at first I
> thought perhaps the above was the three connections something I'd heard
> about NTLM,

Likely you are referring to
http://squid.sourceforge.net/ntlm/client_proxy_protocol.html

> but if I check again something like google.com then I see
> only username after username, no multiple denied entries.
>

Check more of the log, and I'm sure you'll see 407s for google as well.
With client-side keep-alives you might not see many.

>
> I've spoken to the vendor and they say there's nothing special about the
> page, it's an HTTPS logon page. Checking the ntlmauthenticator shows
> there have been three periods over the course of the day where we had an
> authentication backlog, but that's it. Is that the likely cause?
>

I'd be inclined to say yes. At 1229617601.885 an SSL connection
terminated which had only lasted 156 ms and only transferred 39 bytes. A
bit short, but it exited with a 200 status code, so no real worries.
The rest of the TCP_MISS/200 requests are much more typical; the number
of extra TCP_DENIED/407 looks indicative of an overloaded NTLM
Authenticator.

> Performance wise everything is fine with squid.
>
> This is under squid 2.7 STABLE5
>
>
> Paul Cocker

Chris
Received on Thu Dec 18 2008 - 21:48:18 MST
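
An added example, not part of the original messages: Squid logs a CONNECT when the tunnel closes, so subtracting the elapsed field from the timestamp gives the tunnel's start, and each 407 can then be counted against the tunnel it preceded. The sample lines, hosts and user are constructed, the 0.5 s matching window is an assumption, and the baseline of two 407 responses per new NTLM connection is the usual handshake assumed here.

```python
import re

# Squid native access.log fields:
# time elapsed_ms client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(r"(\d+\.\d+)\s+(\d+)\s+(\S+)\s+\w+/(\d{3})\s+\d+\s+\S+\s+(\S+)\s+(\S+)")

# Constructed sample laid out like the excerpt in the post (placeholder hosts/user).
SAMPLE = r"""
1000000003.854      0 192.0.2.10 TCP_DENIED/407 1740 CONNECT site.example:443 - NONE/- text/html
1000000003.869      0 192.0.2.10 TCP_DENIED/407 2016 CONNECT site.example:443 - NONE/- text/html
1000000005.619      0 192.0.2.10 TCP_DENIED/407 1740 CONNECT site.example:443 - NONE/- text/html
1000000005.619      0 192.0.2.10 TCP_DENIED/407 2016 CONNECT site.example:443 - NONE/- text/html
1000000005.700      0 192.0.2.10 TCP_DENIED/407 1740 CONNECT site.example:443 - NONE/- text/html
1000000066.368  62499 192.0.2.10 TCP_MISS/200 56565 CONNECT site.example:443 EXAMPLE\alice DIRECT/198.51.100.7 -
1000000071.352  65733 192.0.2.10 TCP_MISS/200 8176 CONNECT site.example:443 EXAMPLE\alice DIRECT/198.51.100.7 -
1000000083.118      0 192.0.2.10 TCP_DENIED/407 1740 CONNECT site.example:443 - NONE/- text/html
"""

def parse(text):
    """Yield (timestamp, elapsed_ms, client, status, url, user) per matching line."""
    for m in map(LINE.match, text.strip().splitlines()):
        if m:
            ts, ms, client, status, url, user = m.groups()
            yield float(ts), int(ms), client, int(status), url, user

def denials_per_tunnel(text, slack=0.5):
    """Return ({(tunnel_start, user): count_of_407}, unmatched_407_count)."""
    rows = list(parse(text))
    # Entries are written at completion, so start = timestamp - elapsed.
    tunnels = [(round(ts - ms / 1000, 3), client, url, user)
               for ts, ms, client, status, url, user in rows if status == 200]
    counts = {(t[0], t[3]): 0 for t in tunnels}
    unmatched = 0
    for ts, _, client, status, url, _ in rows:
        if status != 407:
            continue
        # Candidate tunnels: same client and destination, started within `slack` seconds.
        near = [t for t in tunnels
                if t[1] == client and t[2] == url and abs(t[0] - ts) <= slack]
        if near:
            best = min(near, key=lambda t: abs(t[0] - ts))
            counts[(best[0], best[3])] += 1
        else:
            unmatched += 1  # tunnel still open, or the client gave up
    return counts, unmatched

if __name__ == "__main__":
    per_tunnel, orphans = denials_per_tunnel(SAMPLE)
    for (start, user), n in sorted(per_tunnel.items()):
        print(f"{start:.3f} {user}: {n} x 407 ({max(0, n - 2)} beyond the usual two)")
    print("407s with no completed tunnel:", orphans)
```

A 407 left unmatched at the end of a log usually belongs to a tunnel that had not yet closed when the excerpt was taken, so check a longer span before treating it as a failure.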
