[squid-users] Unable to access IIS site through squid3

From: Fredrik Eriksson <fredrik.eriksson_at_axis.com>
Date: Tue, 29 Nov 2011 17:37:49 +0100

Hi,

We're trying to access the site www.usitc.gov through our squid3 servers, but only get timed out.

We are running squid 3.1.16-1 from debian wheezy on debian squeeze hosts.
Accessing the site through an old squid server, running squid 2.6.5-6etch5 on a debian etch host, works fine.

I've read these two

   http://squidproxy.wordpress.com/2008/04/29/chunked-decoding/

   http://squidproxy.wordpress.com/2007/06/05/thinsg-to-look-at-if-websites-are-hanging/

I have tried with

   acl broken dstdomain www.usitc.gov
   cache deny broken
   always_direct allow broken_gov

in various combinations with or without

   net.ipv4.tcp_ecn = 0

   net.ipv4.tcp_window_scaling = 0

and

   default via <gw-ip> advmss 1160

with no cigar in sight.

Output from tcpdump on a squid3 host, trying to access the site through the proxy

squid3srv:~# tcpdump -v -i eth1 host www.usitc.gov
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:57:14.042959 IP (tos 0x0, ttl 64, id 1892, offset 0, flags [DF], proto TCP (6), length 56)
     squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [S], cksum 0xbf08 (correct), seq 3957670134, win 4640, options [mss 1160,sackOK,TS val 583485330 ecr 0], length 0
16:57:14.171013 IP (tos 0x0, ttl 111, id 14643, offset 0, flags [none], proto TCP (6), length 60)
     www.usitc.gov.www > squid3srv.axis.com.44756: Flags [S.], cksum 0x767e (correct), seq 577064795, ack 3957670135, win 16384, options [mss 1460,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
16:57:14.171029 IP (tos 0x0, ttl 64, id 1893, offset 0, flags [DF], proto TCP (6), length 52)
     squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [.], cksum 0x66a9 (correct), ack 1, win 4640, options [nop,nop,TS val 583485362 ecr 0], length 0
16:57:14.171157 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto TCP (6), length 1137)
     squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum 0x4a1b (incorrect -> 0xc04e), seq 1:1086, ack 1, win 4640, options [nop,nop,TS val 583485362 ecr 0], length 1085
16:57:14.554299 IP (tos 0x0, ttl 64, id 1895, offset 0, flags [DF], proto TCP (6), length 1137)
     squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum 0x4a1b (incorrect -> 0xbfee), seq 1:1086, ack 1, win 4640, options [nop,nop,TS val 583485458 ecr 0], length 1085
16:57:15.322297 IP (tos 0x0, ttl 64, id 1896, offset 0, flags [DF], proto TCP (6), length 1137)
     squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum 0x4a1b (incorrect -> 0xbf2e), seq 1:1086, ack 1, win 4640, options [nop,nop,TS val 583485650 ecr 0], length 1085
--->8---

It continues like this until squid gives the browser a "Read Timeout" message.

tcpdump on running

   squidclient -v -h www.usitc.gov -p 80 /index.htm

at the same host

17:09:52.373342 IP (tos 0x0, ttl 64, id 33268, offset 0, flags [DF], proto TCP (6), length 56)
     squid3srv.axis.com.42288 > www.usitc.gov.www: Flags [S], cksum 0x92fb (correct), seq 877374932, win 4640, options [mss 1160,sackOK,TS val 583674912 ecr 0], length 0
17:09:52.497118 IP (tos 0x0, ttl 111, id 17667, offset 0, flags [none], proto TCP (6), length 60)
     www.usitc.gov.www > squid3srv.axis.com.42288: Flags [S.], cksum 0x0aa8 (correct), seq 2881153631, ack 877374933, win 16384, options [mss 1460,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
17:09:52.497135 IP (tos 0x0, ttl 64, id 33269, offset 0, flags [DF], proto TCP (6), length 52)
     squid3srv.axis.com.42288 > www.usitc.gov.www: Flags [.], cksum 0x1643 (correct), ack 1, win 4640, options [nop,nop,TS val 583674943 ecr 0], length 0
17:09:52.497161 IP (tos 0x0, ttl 64, id 33270, offset 0, flags [DF], proto TCP (6), length 143)
     squid3srv.axis.com.42288 > www.usitc.gov.www: Flags [P.], cksum 0xe215 (incorrect -> 0x8648), seq 1:92, ack 1, win 4640, options [nop,nop,TS val 583674943 ecr 0], length 91
17:09:52.624968 IP (tos 0x0, ttl 111, id 17765, offset 0, flags [DF], proto TCP (6), length 1200)
     www.usitc.gov.www > squid3srv.axis.com.42288: Flags [.], cksum 0xf226 (correct), seq 1:1149, ack 92, win 65444, options [nop,nop,TS val 29133146 ecr 583674912], length 1148
17:09:52.624988 IP (tos 0x0, ttl 64, id 33271, offset 0, flags [DF], proto TCP (6), length 52)
     squid3srv.axis.com.42288 > www.usitc.gov.www: Flags [.], cksum 0x7d6d (correct), ack 1149, win 6888, options [nop,nop,TS val 583674975 ecr 29133146], length 0
17:09:52.624995 IP (tos 0x0, ttl 111, id 17766, offset 0, flags [DF], proto TCP (6), length 909)
     www.usitc.gov.www > squid3srv.axis.com.42288: Flags [P.], cksum 0xc030 (correct), seq 1149:2006, ack 92, win 65444, options [nop,nop,TS val 29133146 ecr 583674912], length 857
17:09:52.625002 IP (tos 0x0, ttl 64, id 33272, offset 0, flags [DF], proto TCP (6), length 52)
     squid3srv.axis.com.42288 > www.usitc.gov.www: Flags [.], cksum 0x711c (correct), ack 2006, win 9184, options [nop,nop,TS val 583674975 ecr 29133146], length 0
17:09:52.757395 IP (tos 0x0, ttl 111, id 17857, offset 0, flags [DF], proto TCP (6), length 1200)
     www.usitc.gov.www > squid3srv.axis.com.42288: Flags [.], cksum 0x3d23 (correct), seq 2006:3154, ack 92, win 65444, options [nop,nop,TS val 29133147 ecr 583674975], length 1148
17:09:52.757428 IP (tos 0x0, ttl 64, id 33273, offset 0, flags [DF], proto TCP (6), length 52)
---8<---

..and so on for the whole index.htm, and, last, accessing the site through the squid2 host

squid2srv:~# tcpdump -v -i eth1 host www.usitc.gov
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:23:38.754043 IP (tos 0x0, ttl 64, id 9351, offset 0, flags [DF], proto: TCP (6), length: 60) squid2srv.axis.com.35896 > www.usitc.gov.www: S, cksum 0x8603 (correct), 1874667712:1874667712(0) win 5840 <mss 1460,sackOK,timestamp 875695175 0,nop,wscale 7>
17:23:39.039419 IP (tos 0x0, ttl 111, id 21327, offset 0, flags [none], proto: TCP (6), length: 64) www.usitc.gov.www > squid2srv.axis.com.35896: S, cksum 0x4534 (correct), 3852623973:3852623973(0) ack 1874667713 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:23:39.039438 IP (tos 0x0, ttl 64, id 9352, offset 0, flags [DF], proto: TCP (6), length: 52) squid2srv.axis.com.35896 > www.usitc.gov.www: ., cksum 0x8510 (correct), ack 1 win 46 <nop,nop,timestamp 875695247 0>
17:23:39.039644 IP (tos 0x0, ttl 64, id 9353, offset 0, flags [DF], proto: TCP (6), length: 1276) squid2srv.axis.com.35896 > www.usitc.gov.www: P 1:1225(1224) ack 1 win 46 <nop,nop,timestamp 875695247 0>
17:23:39.326627 IP (tos 0x0, ttl 111, id 21791, offset 0, flags [DF], proto: TCP (6), length: 533) www.usitc.gov.www > squid2srv.axis.com.35896: P 2006:2487(481) ack 1225 win 64311 <nop,nop,timestamp 29141413 875695175>
17:23:39.326645 IP (tos 0x0, ttl 64, id 9354, offset 0, flags [DF], proto: TCP (6), length: 64) squid2srv.axis.com.35896 > www.usitc.gov.www: ., cksum 0xac4c (correct), ack 1 win 46 <nop,nop,timestamp 875695318 0,nop,nop,sack 1 {2006:2487}>
17:23:39.332874 IP (tos 0x0, ttl 111, id 21790, offset 0, flags [DF], proto: TCP (6), length: 609) www.usitc.gov.www > squid2srv.axis.com.35896: P 1449:2006(557) ack 1225 win 64311 <nop,nop,timestamp 29141413 875695175>
17:23:39.332884 IP (tos 0x0, ttl 64, id 9355, offset 0, flags [DF], proto: TCP (6), length: 64) squid2srv.axis.com.35896 > www.usitc.gov.www: ., cksum 0xae77 (correct), ack 1 win 46 <nop,nop,timestamp 875695320 0,nop,nop,sack 1 {1449:2487}>
17:23:39.333999 IP (tos 0x0, ttl 111, id 21789, offset 0, flags [DF], proto: TCP (6), length: 1500) www.usitc.gov.www > squid2srv.axis.com.35896: . 1:1449(1448) ack 1225 win 64311 <nop,nop,timestamp 29141413 875695175>
17:23:39.334008 IP (tos 0x0, ttl 64, id 9356, offset 0, flags [DF], proto: TCP (6), length: 52) squid2srv.axis.com.35896 > www.usitc.gov.www: ., cksum 0xcad0 (correct), ack 2487 win 69 <nop,nop,timestamp 875695320 29141413>
17:23:39.578731 IP (tos 0x0, ttl 111, id 22767, offset 0, flags [DF], proto: TCP (6), length: 1488) www.usitc.gov.www > squid2srv.axis.com.35896: . 1:1437(1436) ack 1225 win 64311 <nop,nop,timestamp 29141415 875695320>
--->8---

..and so on until the site is loaded in the browser.

The squid2 server has no special acl for www.usitc.gov and is running with

   net.ipv4.tcp_ecn = 2

   net.ipv4.tcp_window_scaling = 1

and

   default via <gw-ip>

without special mss setting, and it works.

Please tell me if you have any suggestions and/or need more info.
Thank you.

Regards

-- 
Fredrik
Received on Tue Nov 29 2011 - 16:37:58 MST
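
An added example, not part of the original post: a small Python check that reads `tcpdump -v` detail lines in the newer "Flags [...]" format and reports data segments that were sent more than once and never acknowledged by the peer. The function name and the two constants are illustrative; the sample lines are copied from the squid3srv captures above.

```python
import re

# Detail lines copied from the two squid3srv captures in the post (the
# "IP (tos ...)" header line tcpdump -v prints above each one is omitted).
SQUID3 = """\
squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [S], cksum 0xbf08 (correct), seq 3957670134, win 4640, options [mss 1160,sackOK,TS val 583485330 ecr 0], length 0
www.usitc.gov.www > squid3srv.axis.com.44756: Flags [S.], cksum 0x767e (correct), seq 577064795, ack 3957670135, win 16384, options [mss 1460,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [.], cksum 0x66a9 (correct), ack 1, win 4640, options [nop,nop,TS val 583485362 ecr 0], length 0
squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum 0x4a1b (incorrect -> 0xc04e), seq 1:1086, ack 1, win 4640, options [nop,nop,TS val 583485362 ecr 0], length 1085
squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum 0x4a1b (incorrect -> 0xbfee), seq 1:1086, ack 1, win 4640, options [nop,nop,TS val 583485458 ecr 0], length 1085
squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum 0x4a1b (incorrect -> 0xbf2e), seq 1:1086, ack 1, win 4640, options [nop,nop,TS val 583485650 ecr 0], length 1085
"""
SQUIDCLIENT = """\
squid3srv.axis.com.42288 > www.usitc.gov.www: Flags [S], cksum 0x92fb (correct), seq 877374932, win 4640, options [mss 1160,sackOK,TS val 583674912 ecr 0], length 0
www.usitc.gov.www > squid3srv.axis.com.42288: Flags [S.], cksum 0x0aa8 (correct), seq 2881153631, ack 877374933, win 16384, options [mss 1460,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
squid3srv.axis.com.42288 > www.usitc.gov.www: Flags [P.], cksum 0xe215 (incorrect -> 0x8648), seq 1:92, ack 1, win 4640, options [nop,nop,TS val 583674943 ecr 0], length 91
www.usitc.gov.www > squid3srv.axis.com.42288: Flags [.], cksum 0xf226 (correct), seq 1:1149, ack 92, win 65444, options [nop,nop,TS val 29133146 ecr 583674912], length 1148
"""

HEAD = re.compile(r"^\s*(\S+) > (\S+): Flags \[([^\]]*)\]")
SEQ = re.compile(r"\bseq (\d+):(\d+)")   # only data segments print a range
ACK = re.compile(r"\back (\d+)")         # \b keeps "sackOK" from matching

def unacked_retransmissions(capture):
    """Return {(sender, receiver, start, end): times_sent} for data segments
    sent more than once whose end offset the receiver never acknowledged."""
    sent, acked = {}, {}
    for line in capture.splitlines():
        head = HEAD.match(line)
        if not head or "S" in head.group(3):
            continue  # SYN and SYN-ACK carry absolute numbers; skip them
        src, dst = head.group(1), head.group(2)
        seq, ack = SEQ.search(line), ACK.search(line)
        if seq:
            key = (src, dst, int(seq.group(1)), int(seq.group(2)))
            sent[key] = sent.get(key, 0) + 1
        if ack:  # src acknowledges the bytes dst has sent, up to this offset
            acked[(dst, src)] = max(acked.get((dst, src), 0), int(ack.group(1)))
    return {k: n for k, n in sent.items()
            if n > 1 and acked.get((k[0], k[1]), 0) < k[3]}

if __name__ == "__main__":
    print("squid3     :", unacked_retransmissions(SQUID3))
    print("squidclient:", unacked_retransmissions(SQUIDCLIENT))
```

On these excerpts it flags the 1085-byte request (`seq 1:1086`, sent three times with no ACK from the server) and nothing in the squidclient capture, where the 91-byte request is acknowledged with `ack 92`.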
