Re: [squid-users] TPROXY Timeouts on Select Websites

From: Matthew Goff <matt_at_goff.cc>
Date: Mon, 22 Oct 2012 17:49:16 -0500

On Sun, Oct 21, 2012 at 9:14 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Do you have any info on how far into the system the packets supposedly going
> to Google get before the hang? and what happens (or not) to cause hang?

Thanks; that was enough to get me thinking about this a bit
differently. I ran Wireshark on my Squid box monitoring the bridge
interface and the issue seems to be MTU related. The MTU on my HE.net
tunnel (all my IPv6 traffic) is 1280 on my edge router. The Wireshark
capture of attempting to access google.com showed frames going through
larger than that, followed by the ICMPv6 too big message listing the
1280 MTU. The too big messages were from the LAN side of my edge
router directed to my client machine. The other test website I tried
was ipv6.whatismyipv6.com which only had one or two packets with a too
big error after which the MTU was respected.

A cursory Google search (after shutting down my v6 on my client) only
found one similar instance but it was related to a buggy VMware
driver, and impacted all v6 traffic. Google is really the only site I
can reliably repeat this failure over v6 on, and prior to redirecting
my v6 traffic through Squid (same network layout otherwise) I did not
have this issue. I tried enabling httpd_accel_no_pmtu_disc and had the
same results, so I'm not certain where else to go with this but am
happy to provide any further details needed.

> Please upgrade your Squid. 3.1.2 is very old now and Debian ships with
> 3.1.20.

Debian (stable) actually ships with 3.1.6, I had to install from the
testing branch to get 3.1.20. Here is the packages link:
http://packages.debian.org/search?suite=all&searchon=names&keywords=squid3

And also package details from my own box:
aptitude -t stable show squid3
Package: squid3
State: not installed
Automatically installed: no
Version: 3.1.6-1.2+squeeze2

aptitude -t testing show squid3
Package: squid3
State: installed
Automatically installed: no
Version: 3.1.20-1

Debian moves at a snail's pace for package updates and releases unlike
Ubuntu's rapid cycle. I'm not involved in any of the Debian packaging
process, so I can't speak to how active the Squid maintainer is, but
he would be the POC to drive more current versions into Debian sooner.
If we can isolate my issue due to a bug already fixed in newer Squid
builds I have no problems compiling from source, but would prefer to
stick with the packaged versions otherwise.

> NP: the rest of my comments below are just on configuration security and
> performance tweaks. Probably not related to your problem.

Thank you. I'll review and update these. I haven't had any issues
other than this IPv6 problem until now, but I appreciate the free
audit of my config.
Received on Mon Oct 22 2012 - 22:49:23 MDT
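
Added example (not part of the original message or of Squid): a small Python parser for the ICMPv6 "Packet Too Big" messages described in the capture above, showing which hop reported the limit, which host was notified, the advertised MTU, and the flow that exceeded it. The addresses and the sample packet are constructed (2001:db8::/32 documentation prefix); the parser assumes no IPv6 extension headers and does not verify the ICMPv6 checksum.

```python
import ipaddress
import struct

ICMPV6 = 58           # IPv6 Next Header value for ICMPv6
PACKET_TOO_BIG = 2    # ICMPv6 type (RFC 4443, section 3.2)

def ipv6_header(src, dst, payload_len, next_header):
    """Build a 40-byte fixed IPv6 header (used only for constructed test data)."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def parse_packet_too_big(packet):
    """Return details of an ICMPv6 Packet Too Big message, or None.

    Assumption: ICMPv6 follows the fixed IPv6 header directly.
    """
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != ICMPV6:
        return None
    icmp_type, _code, _cksum, mtu = struct.unpack("!BBHI", packet[40:48])
    if icmp_type != PACKET_TOO_BIG:
        return None
    result = {"reporter": str(ipaddress.IPv6Address(packet[8:24])),
              "notified": str(ipaddress.IPv6Address(packet[24:40])),
              "mtu": mtu}
    inner = packet[48:]   # leading part of the packet that was too big
    if len(inner) >= 40 and inner[0] >> 4 == 6:
        result["offending_size"] = 40 + struct.unpack("!H", inner[4:6])[0]
        result["offending_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        result["offending_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    return result

def sample_packet():
    """Constructed sample: a router tells a client that a 1480-byte packet exceeds MTU 1280."""
    inner = ipv6_header("2001:db8:1::10", "2001:db8:ffff::80", 1440, 6) + bytes(8)
    icmp = struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, 1280) + inner
    return ipv6_header("2001:db8:1::1", "2001:db8:1::10", len(icmp), ICMPV6) + icmp

if __name__ == "__main__":
    for key, value in parse_packet_too_big(sample_packet()).items():
        print(f"{key}: {value}")
```

Comparing "notified" with the address of the host that actually holds the TCP connection shows whether the MTU notification reaches the sender that has to act on it.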
