Re: [squid-users] Re: Upgrade to 3.4.3 and TCP Connections to parent failing more often

From: Antony Stone <Antony.Stone_at_squid.open.source.it>
Date: Wed, 26 Feb 2014 11:46:10 +0100

On Wednesday 26 February 2014 at 11:40:59, Paul Carew wrote:

> Thanks Amos.
>
> This is now resolved and appears to have been related to iptables on
> the upstream Squid server.
>
> Originally I was accepting --state NEW connections only on the
> upstream Squid server's iptables configuration. By removing the
> --state NEW component and just accepting all tcp connections between
> the relevant IP addresses and ports all of the connection failed error
> messages have vanished from Squid's cache logs.

I assume you mean you were accepting both NEW and ESTABLISHED?

> I'll look into iptables as I'm puzzled why it would block a SYN packet
> on a --state NEW rule match.

--state NEW would not block SYN, but it would block ACK and SYN,ACK.

You'd need --state ESTABLISHED to allow those through.

Hope that helps,

Antony.

-- 
All matter in the Universe can be placed into one of two categories:
1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with 
them.
                                                     Please reply to the list;
                                                           please don't CC me.
Received on Wed Feb 26 2014 - 10:46:22 MST
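
Added example, not part of the original message and not code from Squid or iptables: a simplified Python model of how connection-tracking states apply to packets arriving on the upstream proxy's INPUT chain, comparing a rule that matches only --state NEW with one that also matches ESTABLISHED. The addresses, port, DROP chain policy and all function names are assumptions made for the illustration.

```python
"""Simplified model of conntrack state matching on the upstream proxy's INPUT chain."""

# Constructed flow: child proxy -> upstream proxy (documentation addresses, example port).
FLOW = ("192.0.2.10", 40000, "192.0.2.20", 3128)

# Packets of one TCP connection as seen by the upstream host: (direction, flags).
# "in" traverses INPUT; "out" is the upstream's own reply and only updates tracking.
HANDSHAKE_AND_REQUEST = [
    ("in", "SYN"),
    ("out", "SYN,ACK"),
    ("in", "ACK"),
    ("in", "PSH,ACK"),  # first request bytes
]


def conntrack_state(table, flow, direction):
    """Return the tracking state of this packet and update the table.

    Simplification of netfilter's behaviour: packets of a flow are NEW until
    traffic has been seen in the opposite direction; the reply and every
    later packet of the flow are ESTABLISHED.
    """
    seen = table.setdefault(flow, set())
    state = "NEW" if seen <= {direction} else "ESTABLISHED"
    seen.add(direction)
    return state


def filter_input(accepted_states, packets, policy="DROP"):
    """Apply one ACCEPT rule matching accepted_states, then the chain policy.

    The policy default of DROP is an assumption; the thread does not state it.
    """
    table, verdicts = {}, []
    for direction, flags in packets:
        state = conntrack_state(table, FLOW, direction)
        if direction == "in":
            verdict = "ACCEPT" if state in accepted_states else policy
            verdicts.append((flags, state, verdict))
    return verdicts


if __name__ == "__main__":
    # Rule equivalent to "--state NEW" only, then "--state NEW,ESTABLISHED".
    for states in ({"NEW"}, {"NEW", "ESTABLISHED"}):
        print(sorted(states))
        for flags, state, verdict in filter_input(states, HANDSHAKE_AND_REQUEST):
            print(f"  {flags:8} {state:12} {verdict}")
```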
