[squid-users] TCP_MISS/Squid-Error: ERR_CONNECT_FAIL

From: SaRaVanAn <saravanan.nagarajan87_at_gmail.com>
Date: Mon, 12 Aug 2013 23:47:13 +0530

Hi Team,
  I set up an apache web server and squid3 running on the same machine.
But when I try to access the web-server pages from a client machine, I
always end up with the ERR_CONNECT_FAIL error. I tried all the
alternatives and configurations from Google, but it did not help
me solve the issue.

Error

1376330104.848 179954 172.30.11.122 TCP_MISS/504 3880 GET http://172.30.11.124/logs/access.log - DIRECT/172.30.11.124 text/html [Host: 172.30.11.124\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20130109 Firefox/10.0.12\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n] [HTTP/1.0 504 Gateway Time-out\r\nServer: squid/3.1.20\r\nMime-Version: 1.0\r\nDate: Mon, 12 Aug 2013 17:55:04 GMT\r\nContent-Type: text/html\r\nContent-Length: 3506\r\nX-Squid-Error: ERR_CONNECT_FAIL 110\r\nVary: Accept-Language\r\nContent-Language: en-us\r\n\r]

Topology
----------------
172.30.11.122(client ) ---------- 172.30.11.124 (webserver and squid3 running)

Squid version and OS
--------------------------------
squid3 -v
Squid Cache: Version 3.1.20

Debian wheezy(7.0)

Iptable rules
---------------------
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

IP rules
--------------
 ip -f inet rule add fwmark 1 lookup 100
 ip -f inet route add local default dev eth0 table 100

squid.conf
--------------
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl SSL_ports port 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_reply_access allow all
http_port 3128
http_port 3129 tproxy
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1000 16 256
maximum_object_size 20480 KB
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
mime_table /usr/share/squid3/mime.conf
log_mime_hdrs on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
acl apache rep_header Server ^Apache
hosts_file /etc/hosts
coredump_dir /var/spool/squid3
acl localnet src 172.30.11.0/24
http_access allow localhost
http_access allow localnet
cache allow all
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all

Tcpdump
----------------
 tcpdump -i eth0 "port 80"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:23:35.965778 IP 172.30.11.124.http > 172.30.11.122.42895: Flags
[S.], seq 147932214, ack 1341835953, win 14480, options [mss
1460,sackOK,TS val 6510344 ecr 6510344,nop,wscale 5], length 0
23:23:35.965904 IP 172.30.11.122.42895 > 172.30.11.124.http: Flags
[R], seq 1341835953, win 0, length 0
23:24:04.896138 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
[S.], seq 111903872, ack 124904408, win 14480, options [mss
1460,sackOK,TS val 6517576 ecr 6517576,nop,wscale 5], length 0
23:24:04.896263 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
[R], seq 124904408, win 0, length 0
23:24:05.893767 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
[S.], seq 127491883, ack 124904408, win 14480, options [mss
1460,sackOK,TS val 6517826 ecr 6517826,nop,wscale 5], length 0
23:24:05.893885 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
[R], seq 124904408, win 0, length 0
23:24:07.897766 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
[S.], seq 158804355, ack 124904408, win 14480, options [mss
1460,sackOK,TS val 6518327 ecr 6518327,nop,wscale 5], length 0
23:24:07.898048 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
[R], seq 124904408, win 0, length 0
23:24:11.901791 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
[S.], seq 221367156, ack 124904408, win 14480, options [mss
1460,sackOK,TS val 6519328 ecr 6519328,nop,wscale 5], length 0
23:24:11.901913 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
[R], seq 124904408, win 0, length 0
23:24:19.917797 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
[S.], seq 346617285, ack 124904408, win 14480, options [mss
1460,sackOK,TS val 6521332 ecr 6521332,nop,wscale 5], length 0
23:24:19.917920 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
[R], seq 124904408, win 0, length 0
23:24:35.965795 IP 172.30.11.124.http > 172.30.11.122.37138: Flags
[S.], seq 597367243, ack 124904408, win 14480, options [mss
1460,sackOK,TS val 6525344 ecr 6525344,nop,wscale 5], length 0
23:24:35.965906 IP 172.30.11.122.37138 > 172.30.11.124.http: Flags
[R], seq 124904408, win 0, length 0
23:25:04.848090 IP 172.30.11.124.http > 172.30.11.122.44872: Flags
[.], seq 622394574:622396022, ack 3117157865, win 486, options
[nop,nop,TS val 6532564 ecr 1130451999], length 1448
23:25:04.848123 IP 172.30.11.124.http > 172.30.11.122.44872: Flags
[.], seq 1448:2896, ack 1, win 486, options [nop,nop,TS val 6532564
ecr 1130451999], length 1448
23:25:04.848143 IP 172.30.11.124.http > 172.30.11.122.44872: Flags
[P.], seq 2896:3880, ack 1, win 486, options [nop,nop,TS val 6532564
ecr 1130451999], length 984
23:25:04.848480 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
[.], ack 1448, win 274, options [nop,nop,TS val 1130631953 ecr
6532564], length 0
23:25:04.848572 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
[.], ack 2896, win 319, options [nop,nop,TS val 1130631953 ecr
6532564], length 0
23:25:04.848667 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
[.], ack 3880, win 364, options [nop,nop,TS val 1130631953 ecr
6532564], length 0
23:26:59.848715 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
[F.], seq 1, ack 3880, win 364, options [nop,nop,TS val 1130746953 ecr
6532564], length 0
23:26:59.848866 IP 172.30.11.124.http > 172.30.11.122.44872: Flags
[F.], seq 3880, ack 2, win 486, options [nop,nop,TS val 6561314 ecr
1130746953], length 0
23:26:59.849005 IP 172.30.11.122.44872 > 172.30.11.124.http: Flags
[.], ack 3881, win 364, options [nop,nop,TS val 1130746954 ecr
6561314], length 0

Moreover, it's taking a long time to respond with the "connection failed"
error message in the browser. Without the tproxy rules, the webserver is
working like a gem.
I really don't know what is going on and what I did wrong.
Please help me, since I'm new to squid.

Regards,
Saravanan N
Received on Mon Aug 12 2013 - 18:17:22 MDT
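
The access.log entry quoted in the post carries two escaped header blocks because `log_mime_hdrs on` is set. As an added example (not part of the original post), the parser below splits such an entry and pulls out the `X-Squid-Error` name and its trailing number, read here as a Linux errno (an assumption based on the Debian host); `SAMPLE` is the post's own entry with the headers shortened, and all function names are hypothetical.

```python
import re

# Constructed sample: the post's access.log entry on one line, headers shortened.
# With log_mime_hdrs on, Squid appends [request headers] [reply headers] and
# writes each CR/LF inside them as the literal characters \r\n.
SAMPLE = (
    r"1376330104.848 179954 172.30.11.122 TCP_MISS/504 3880 GET "
    r"http://172.30.11.124/logs/access.log - DIRECT/172.30.11.124 text/html "
    r"[Host: 172.30.11.124\r\nConnection: keep-alive\r\n] "
    r"[HTTP/1.0 504 Gateway Time-out\r\nServer: squid/3.1.20\r\n"
    r"X-Squid-Error: ERR_CONNECT_FAIL 110\r\nContent-Language: en-us\r\n\r]"
)

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+"
    r"(?P<mime>\S+)(?:\s+\[(?P<req>.*?)\]\s+\[(?P<rep>.*)\])?\s*$"
)

# Linux errno values for common connect() failures (assumption: Linux host).
LINUX_ERRNO = {101: "ENETUNREACH", 110: "ETIMEDOUT",
               111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

def parse_headers(blob):
    """Split an escaped header block into a dict keyed by lower-cased name."""
    headers = {}
    for item in blob.split(r"\r\n"):
        name, sep, value = item.partition(":")
        if sep:  # skips the status line and the trailing \r fragment
            headers[name.strip().lower()] = value.strip()
    return headers

def summarize(line):
    """Return the triage fields of one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    reply = parse_headers(m.group("rep") or "")
    name, _, code = reply.get("x-squid-error", "").partition(" ")
    err = int(code) if code.isdigit() else None
    return {
        "client": m.group("client"), "status": int(m.group("status")),
        "result": m.group("result"), "peer": m.group("peer"),
        "elapsed_s": int(m.group("elapsed_ms")) / 1000.0,
        "squid_error": name or None, "errno": err,
        "errno_name": LINUX_ERRNO.get(err),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the entry in the post this reports a 504 after roughly 180 seconds with `ERR_CONNECT_FAIL` and errno 110 (`ETIMEDOUT` on Linux) for the direct connection to 172.30.11.124.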
