Re: [squid-users] Single slow site from Michael Hendrie on 2011-09-12 (squid-users)

From: Michael Hendrie <michael_at_hendrie.id.au>
Date: Tue, 13 Sep 2011 10:40:31 +0930

On 09/09/2011, at 4:37 PM, Amos Jeffries wrote:

> On 09/09/11 18:15, Michael Hendrie wrote:
>>
>> On 09/09/2011, at 12:34 PM, John Kenyon wrote:
>>
>>> Hi All,
>>>
>>> I am experiencing a slow down on one particular site:
>>> https://www.my.commbank.com.au/netbank/Logon/Logon.aspx
>>>
>>> I can access this web site fine however it takes approx. 30 seconds
>>> to load, and if I bypass squid it takes 1 second.
>>>
>>> Currently running version 3.1.15, can someone point me in the right
>>> direct to further troubleshoot this one?
>>>
>>> Cheers,
>>>
>>> JLK
>>
>> I had the exact same problem with with 3.1.10. In my case it was an
>> IPv6 problem so I compiled squid with --disable-ipv6 as I didn't need
>> it. There are a number of other ways to overcome the problem if you
>> look through the mail archives
>> (http://www.squid-cache.org/mail-archive/squid-users/201101/0344.html)
>> or google.
>>
>
> Well, considering this is .AU *do* need it, and soonish.
>
> Michael;
> If disabling IPv6 entirely solves your problem, then the problem is in the IPv6 setup. When its one particular site like this its probably at or close to their end. Hanging/Pausing connections could be:
> - DNS lag from resolvers failing to respond the same for A and AAAA,
> - ICMP loss from ISP who still think its safe to drop them, or tunnels with too-big MTU configuration.
> - PMTUD failures from lost ICMP messages.

I understand and wasn't pointing the finger at squid as being the cause of the problem, simply offering a place to start looking based on my experience with this same site.

In my environment it was much easier to recompile squid with --disable-ipv6 as there is no need for it (at this point in time) and a lot quicker than tracking down where else in the network, which is beyond my control, the problem is occurring.

> That said, I checked from here across the ditch and its seems to be an IPv4-only site. So none of that applies.
>
>
> John;
> being https:// Squids only involvement is limited to being told an IP/domain to connect to and start forwarding packets there.
> I'm more inclined to suspect the bank is doing some extra validation in the background when it detects the end user is not at the IP the request is coming from.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.15
> Beta testers wanted for 3.2.0.11

application/pkcs7-signature attachment: smime.p7s

Received on Tue Sep 13 2011 - 01:10:34 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 13 2011 - 12:00:02 MDT