[squid-users] Re: Squid transparent proxy connection fails on specific sites?

From: Omid Kosari <omidkosari_at_yahoo.com>
Date: Sat, 2 Mar 2013 23:07:49 -0800 (PST)

When squid setup as transparent proxy , returns ERR_CONNECT_FAIL on some
sites .
The server which squid runs on it is able to open those sites by
lynx,wget,curl etc .
Even if we manually set proxy in browser , those sites could open .

Squid Cache: Version 3.1.20
Linux cache 3.5.0-22-generic #34-Ubuntu SMP Tue Jan 8 21:47:00 UTC 2013
x86_64 x86_64 x86_64 GNU/Linux

Here is tcpdump from one of clients when tries to open one of those sites

GET / HTTP/1.0

Host: 80.75.1.4

Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01

Accept-Encoding: gzip, compress, bzip2

Accept-Language: en

User-Agent: Lynx/2.8.8dev.2 libwww-FM/2.14 SSL-MM/1.4.1

HTTP/1.0 504 Gateway Time-out

Server: squid

Mime-Version: 1.0

Date: Wed, 27 Feb 2013 15:39:03 GMT

Content-Type: text/html

Content-Length: 376353

X-Squid-Error: ERR_CONNECT_FAIL 110

X-Cache: MISS from cache.mysquid.com

X-Cache-Lookup: MISS from cache.mysquid.com:3128

Connection: close

Also tried
http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#Can.27t_connect_to_some_sites_through_Squid

From this page http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

    It causes path-MTU (PMTUD) to fail, possibly making some remote sites
inaccessible. This is not usually a problem if your client machines are
connected via Ethernet or DSL PPPoATM where the MTU of all links between the
cache and client is 1500 or more. If your clients are connecting via DSL
PPPoE then this is likely to be a problem as PPPoE links often have a
reduced MTU (1472 is very common).

But i have same problem with ethernet

Here is tcpdump from one client:

GET / HTTP/1.0
Host: 80.75.1.4
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress, bzip2
Accept-Language: en
User-Agent: Lynx/2.8.8dev.2 libwww-FM/2.14 SSL-MM/1.4.1

HTTP/1.0 504 Gateway Time-out
Server: squid
Mime-Version: 1.0
Date: Wed, 27 Feb 2013 15:39:03 GMT
Content-Type: text/html
Content-Length: 376353
X-Squid-Error: ERR_CONNECT_FAIL 110
X-Cache: MISS from cache.mysquid.com
X-Cache-Lookup: MISS from cache.mysquid.com:3128
Connection: close

ping -s 1500 80.75.1.4

PING 80.75.1.4 (80.75.1.4) 1500(1528) bytes of data.
1508 bytes from 80.75.1.4: icmp_req=1 ttl=58 time=5.28 ms
1508 bytes from 80.75.1.4: icmp_req=2 ttl=58 time=3.96 ms
1508 bytes from 80.75.1.4: icmp_req=3 ttl=58 time=4.28 ms

ping -s 1473 80.75.1.4 -M do

PING 80.75.1.4 (80.75.1.4) 1473(1501) bytes of data.
From 109.110.160.171 icmp_seq=1 Frag needed and DF set (mtu = 1500)
From 109.110.160.171 icmp_seq=1 Frag needed and DF set (mtu = 1500)

--- 80.75.1.4 ping statistics ---
0 packets transmitted, 0 received, +2 errors

ping -s 1472 80.75.1.4 -M do

PING 80.75.1.4 (80.75.1.4) 1472(1500) bytes of data.
1480 bytes from 80.75.1.4: icmp_req=1 ttl=58 time=4.33 ms
1480 bytes from 80.75.1.4: icmp_req=2 ttl=58 time=4.32 ms

--- 80.75.1.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 4.320/4.329/4.338/0.009 ms

traceroute --mtu 80.75.1.4

traceroute to 80.75.1.4 (80.75.1.4), 30 hops max, 65000 byte packets
 1 x.x.x.10 (x.x.x.10) 0.820 ms F=1500 0.681 ms 0.243 ms
 2 y.y.y.1 (y.y.y.1) 2.969 ms 3.185 ms 2.994 ms
 3 217.218.181.193 (217.218.181.193) 2.836 ms 2.381 ms 2.487 ms
 4 217.218.185.22 (217.218.185.22) 3.617 ms 2.957 ms 3.176 ms
 5 78.38.119.237 (78.38.119.237) 2.050 ms 1.808 ms 2.264 ms
 6 217.11.30.250 (217.11.30.250) 3.522 ms 3.962 ms 2.674 ms
 7 * 80.75.1.4 (80.75.1.4) 3.507 ms *

tracepath 80.75.1.4

 1: cache.mysquid.com 0.092ms pmtu 1500
 1: x.x.x.10 0.380ms
 1: x.x.x.10 0.309ms
 2: y.y.y.1 3.390ms asymm 7
 3: 217.218.181.193 2.671ms asymm 5
 4: 217.218.185.22 2.944ms asymm 5
 5: 78.38.119.237 1.684ms
 6: 217.11.30.250 4.020ms
 7: 80.75.1.4 3.915ms reached
     Resume: pmtu 1500 hops 7 back 58

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-transparent-proxy-connection-fails-on-specific-sites-tp4658746p4658809.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Sun Mar 03 2013 - 07:09:50 MST

This archive was generated by hypermail 2.2.0 : Sun Mar 03 2013 - 12:00:04 MST