[squid-users] Going into hit-only-mode for 5 minutes

Amos Jeffries squid3 at treenet.co.nz
Tue Apr 14 15:40:36 UTC 2015


On 15/04/2015 1:34 a.m., Baird, Josh wrote:
> Hi,
> 
> We recently started having problems where our Squid 2.6 (squid-2.6.STABLE21-6.el5) proxy servers would stop serving requests.  In my cache.log, I see many of these:
> 
> 2015/04/14 01:13:45| Failure Ratio at 26.15
> 2015/04/14 01:13:45| Going into hit-only-mode for 5 minutes...
> 2015/04/14 01:18:46| Failure Ratio at 3.55
> 2015/04/14 01:18:46| Going into hit-only-mode for 5 minutes...
> 2015/04/14 01:23:46| Failure Ratio at 1.02
> 2015/04/14 01:23:46| Going into hit-only-mode for 5 minutes...
> ...
> 2015/04/14 06:50:58| idnsSendQuery: Can't send query, no DNS socket!
> 2015/04/14 06:50:58| idnsSendQuery: Can't send query, no DNS socket!
> 2015/04/14 06:50:58| idnsSendQuery: Can't send query, no DNS socket!
> 2015/04/14 06:50:58| idnsSendQuery: Can't send query, no DNS socket!
> 
> I suspect this is the problem - the proxy is running out of DNS sockets.   I have already determined that there are not problems with the DNS servers that these proxies are using (in their /etc/resolv.conf).  Could this be caused by a bad user chewing up DNS sockets/children with invalid URL requests?
> 


The older the proxy the more ways there are to perform Denial of Service
by consuming all the ports and sockets on the *entire* server Squid runs
on. Probably one of those happening to you.


> The "going into hit-only-mode" errors appear to be ICP related?  In this case, I believe we have ICP completely disabled:
> 
> # icp_access allow allowed_src_hosts
> # icp_access deny all_src

You would be wrong. This is how to disable ICP receiving:

 icp_port 0


On the senders you change the cache_peer lines to set the icp-port
parameter (the second port number) to 0.

> 
> Could anyone offer any suggestions or advice to help figure out what is causing these problems?

1) upgrade.

2) seriously, upgrade.

3) try adding "via on" to your squid.conf. If you start to get warnings
about forwarding loops it's working. Otherwise you got big problems - see
(2).


Amos
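
The cache.log symptoms quoted in this thread can be pulled into a timeline before deciding whether they line up. The following Python is an added example, not part of the original message or of Squid: it merges back-to-back hit-only-mode windows into single outages and counts "no DNS socket" errors per minute. The sample log is constructed from the quoted lines, and the 30-second merge slack and the name `summarize` are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (cache.log format from the thread; 03:00:10 and 06:51:02 are invented).
SAMPLE_LOG = """\
2015/04/14 01:13:45| Failure Ratio at 26.15
2015/04/14 01:13:45| Going into hit-only-mode for 5 minutes...
2015/04/14 01:18:46| Failure Ratio at 3.55
2015/04/14 01:18:46| Going into hit-only-mode for 5 minutes...
2015/04/14 01:23:46| Failure Ratio at 1.02
2015/04/14 01:23:46| Going into hit-only-mode for 5 minutes...
2015/04/14 03:00:10| Failure Ratio at 1.40
2015/04/14 03:00:10| Going into hit-only-mode for 5 minutes...
2015/04/14 06:50:58| idnsSendQuery: Can't send query, no DNS socket!
2015/04/14 06:50:58| idnsSendQuery: Can't send query, no DNS socket!
2015/04/14 06:51:02| idnsSendQuery: Can't send query, no DNS socket!
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| (.*)$")
RATIO = re.compile(r"Failure Ratio at\s+([\d.]+)")
HIT_ONLY = re.compile(r"Going into hit-only-mode for (\d+) minutes")
NO_DNS = "idnsSendQuery: Can't send query, no DNS socket!"

def summarize(text, slack=timedelta(seconds=30)):
    """Return (outages, dns_errors_per_minute) for a cache.log excerpt."""
    outages, dns_per_minute, ratio = [], Counter(), 0.0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not timestamped cache.log entries
        ts, msg = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)
        if (r := RATIO.search(msg)):
            ratio = float(r.group(1))  # remembered for the hit-only line that follows
        elif (h := HIT_ONLY.search(msg)):
            end = ts + timedelta(minutes=int(h.group(1)))
            if outages and ts <= outages[-1]["end"] + slack:  # window re-armed: same outage
                outages[-1]["end"] = end
                outages[-1]["peak_ratio"] = max(outages[-1]["peak_ratio"], ratio)
            else:
                outages.append({"start": ts, "end": end, "peak_ratio": ratio})
            ratio = 0.0
        elif NO_DNS in msg:
            dns_per_minute[ts.strftime("%Y/%m/%d %H:%M")] += 1
    return outages, dns_per_minute

if __name__ == "__main__":
    for item in summarize(SAMPLE_LOG):
        print(item)
```

Run against a real cache.log by passing the file's contents to `summarize`; long merged outages followed by DNS socket errors on the same host are the pattern described in the question.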

