[squid-users] WARNING: All 20/20 negotiateauthenticator processes are busy.

Dijxie dijxie at gmail.com
Thu May 11 20:00:44 UTC 2017

W dniu 11.05.2017 o 17:27, erdosain9 pisze:
> Hi.
> Im having this problem.
> may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: All 30/30
> negotiateauthenticator processes are busy.
> may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: 30 pending requests
> queued
> may 11 11:26:23 squid.xxxx.lan squid[32138]: WARNING: Consider increasing
> the number of negotiateauthenticator processes in your config file.
> This is my config file
> ###Kerberos Auth with ActiveDirectory###
> auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s
> HTTP/squid.empddh.lan at EMPDDH.LAN
> auth_param negotiate children 30
> auth_param negotiate keep_alive on
> Can somebody explain this for me?
> Of course, i can "increasing the number of negotiateauthenticator", but i
> want to understand (maybe its a better way)
> I see some examples like this
> 	auth_param digest children 20 startup=0 idle=1
> What about that? startup? idle? that was a better way? or this not having
> nothing to do?
> Thanks to all!
> (i dont speak english)
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/WARNING-All-20-20-negotiateauthenticator-processes-are-busy-tp4682362.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> Also, you may try set keep_alive to off - this option sometimes tends to hang negotiate helper.

Here is documentation: http://www.squid-cache.org/Doc/config/auth_param/
Startup is the number auth helpers launched when squid is starting. Idle 
is the nuber of processes that squid will keep alive even if there is no 
cache users. You may increase children calculating available RAM, but 
leave startup and idle values low. Squid will launch helpers when 
needed, and next will gracefully close them if not used until "idle" 
value reached; that 'recycle' process is good for helpers.  Just make 
sure that your available RAM is enough for all negotiate helpers squid 
may launch (children number), that considers system daemons, memory 
cache etc.

Kerberos and negotiate authenticators are not capable of doing 
concurrent authentications, as well as ntlm authenticator (at least in 
squid-2.5-ntlmssp mode); one worker can serve one request at the time. 
So, that warning is saing that your cache server has more users - or 
rather users are making more concurrent connections at the same time 
than auth helpers can handle. Or, there is something wrong with one or 
more helpers; use cachemgr.cgi or squid-client to verify.
http://wiki.squid-cache.org/SquidClientTool - squidclient mgr:menu will 
give you available comands, grep output by "auth", AFAIR it's 
If the number of connections awaiting authentication is greater than 
children number, the queue begins. The queue is something unwanted; 
makes users wait for page to load. Also, at the end, squid will restart 
if queue situation trurns to be chronic.
Also, you may try set keep_alive to off - this option sometimes tends to 
hang negotiate helper.

Could you satisfy my curiousity by telling me how many users are there 
in your environment?

Greetings, Dijx

More information about the squid-users mailing list