Re: [squid-users] Unable to access IIS site through squid3

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 Nov 2011 14:06:08 +1300

 On Tue, 29 Nov 2011 17:37:49 +0100, Fredrik Eriksson wrote:
> Hi,
>
>
> We're trying to access the site www.usitc.gov through our squid3
> servers, but only get timed out.
>
> We are running squid 3.1.16-1 from debian wheezy on debian squeeze
> hosts.
> Accessing the site through an old squid server, running squid
> 2.6.5-6etch5 on a debian etch host, works fine.
>
> I've read these two
>
> http://squidproxy.wordpress.com/2008/04/29/chunked-decoding/
>
> http://squidproxy.wordpress.com/2007/06/05/thinsg-to-look-at-if-websites-are-hanging/
>
> I have tried with
>
> acl broken dstdomain www.usitc.gov
> cache deny broken
> always_direct allow broken_gov
>
> in various combinations with or without
>
> net.ipv4.tcp_ecn = 0
>
> net.ipv4.tcp_window_scaling = 0
>
> and
>
> default via <gw-ip> advmss 1160
>
> with no cigar in sight.
>
>
> Output from tcpdump on a squid3 host, trying to access the site
> through the proxy

 Let's walk this through...

>
> squid3srv:~# tcpdump -v -i eth1 host www.usitc.gov
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 16:57:14.042959 IP (tos 0x0, ttl 64, id 1892, offset 0, flags [DF],
> proto TCP (6), length 56)
> squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [S], cksum
> 0xbf08 (correct), seq 3957670134, win 4640, options [mss
> 1160,sackOK,TS val 583485330 ecr 0], length 0

 SYN, asking for MSS 1160 (configured). Fine.

> 16:57:14.171013 IP (tos 0x0, ttl 111, id 14643, offset 0, flags
> [none], proto TCP (6), length 60)
> www.usitc.gov.www > squid3srv.axis.com.44756: Flags [S.], cksum
> 0x767e (correct), seq 577064795, ack 3957670135, win 16384, options
> [mss 1460,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0

 SYN-ACK from server. Indicating MSS can be safely raised to 1460.

> 16:57:14.171029 IP (tos 0x0, ttl 64, id 1893, offset 0, flags [DF],
> proto TCP (6), length 52)
> squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [.], cksum
> 0x66a9 (correct), ack 1, win 4640, options [nop,nop,TS val 583485362
> ecr 0], length 0

 ACK from Squid to server confirming receipt of the SYN-ACK.

> 16:57:14.171157 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF],
> proto TCP (6), length 1137)
> squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum
> 0x4a1b (incorrect -> 0xc04e), seq 1:1086, ack 1, win 4640, options
> [nop,nop,TS val 583485362 ecr 0], length 1085

 Data packet from Squid->Server. 1085 bytes. Well under both 1160 and
 1460 sizes, even with TCP packet bits added.

 However the packet checksum is incorrect.

 This is a problem in the kernel code somewhere. Given that it works on
 the same box with older Squid it is likely something to do with the
 IPv4/IPv6 v4-mapping features of the kernel. Squid-3.1 prefers to use
 "v4-mapped" IPv6 sockets and let the kernel swap the TCP stacks around
 depending on the IP address type connected to.

 Amos
Received on Wed Nov 30 2011 - 01:06:12 MST
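
The walk-through above, as an added example that is not part of the original message: a short Python parser over the four quoted packets, re-assembled into tcpdump's two-lines-per-packet layout, that derives each sender's payload limit from the handshake and flags oversize segments and checksums tcpdump reports as incorrect. The names `parse` and `review` are assumptions of this example.

```python
import re

# The four packets from the capture in this thread, unwrapped to tcpdump -v's
# two-lines-per-packet layout (sample re-assembled for this example).
CAPTURE = """\
16:57:14.042959 IP (tos 0x0, ttl 64, id 1892, offset 0, flags [DF], proto TCP (6), length 56)
    squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [S], cksum 0xbf08 (correct), seq 3957670134, win 4640, options [mss 1160,sackOK,TS val 583485330 ecr 0], length 0
16:57:14.171013 IP (tos 0x0, ttl 111, id 14643, offset 0, flags [none], proto TCP (6), length 60)
    www.usitc.gov.www > squid3srv.axis.com.44756: Flags [S.], cksum 0x767e (correct), seq 577064795, ack 3957670135, win 16384, options [mss 1460,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
16:57:14.171029 IP (tos 0x0, ttl 64, id 1893, offset 0, flags [DF], proto TCP (6), length 52)
    squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [.], cksum 0x66a9 (correct), ack 1, win 4640, options [nop,nop,TS val 583485362 ecr 0], length 0
16:57:14.171157 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto TCP (6), length 1137)
    squid3srv.axis.com.44756 > www.usitc.gov.www: Flags [P.], cksum 0x4a1b (incorrect -> 0xc04e), seq 1:1086, ack 1, win 4640, options [nop,nop,TS val 583485362 ecr 0], length 1085
"""

# Matches the indented TCP line of each packet: source, flags, checksum verdict.
SEG = re.compile(r"\s+(\S+) > \S+: Flags \[([^\]]*)\], cksum \S+ \((correct|incorrect)")

def parse(capture):
    """Return one dict per TCP segment line; IP header lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = SEG.match(line)
        if not m:
            continue
        mss = re.search(r"\bmss (\d+)", line)
        pkts.append({"src": m.group(1), "flags": m.group(2), "cksum": m.group(3),
                     "mss": int(mss.group(1)) if mss else None,
                     "len": int(re.search(r"length (\d+)$", line).group(1))})
    return pkts

def review(pkts):
    """Return (per-sender payload limit, findings) for one connection."""
    syn = next(p for p in pkts if p["flags"] == "S")
    synack = next(p for p in pkts if p["flags"] == "S.")
    # A sender is bound by the MSS its peer advertised in the handshake.
    limit = {syn["src"]: synack["mss"], synack["src"]: syn["mss"]}
    findings = []
    for p in pkts:
        if p["len"] > limit[p["src"]]:
            findings.append(("oversize", p["src"], p["len"]))
        if p["cksum"] == "incorrect":
            findings.append(("bad-cksum", p["src"], p["len"]))
    return limit, findings

if __name__ == "__main__":
    print(review(parse(CAPTURE)))
```

tcpdump also marks checksums incorrect on locally generated packets when the NIC computes them (TX checksum offload), so a `bad-cksum` finding on an outgoing segment is worth confirming with a capture taken off-host.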
