[squid-users] parent peer timeout (Amos Jeffries)

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 21 17:15:49 UTC 2017


On 22/11/17 05:00, Ignacio Freyre wrote:
> Hi Amos, thanks for taking the time to analyze this.
> 
>> Are you actually terminating the peer, or just simulating it some other way?
> My method of testing is shutting down the service on the parent "192.168.1.1" with "/etc/init.d/squid stop". With this in place there are no remaining active connections, and no new ones are being established; all I see is TCP RST responses.

Ah, add to your tests a check to see when that process actually stops. 
It is quite likely that a long portion of those 2 minutes is the peer 
doing its slow graceful shutdown procedure - during which time it will 
stay LIVE and not DEAD.

You may also want to monitor the TCP state of the connections from Squid 
to the peer. Termination by the endpoint may not immediately trigger 
full connection closure all the way into Squid. So there is a bit of 
delay there as well until Squid picks up on the change.

The best way to shut down Squid is with the "squid -k shutdown" command. 
Use it twice in a row for quick shutdown. First use initiates shutdown, 
second one skips the process to the end of the graceful delay.


> It seems there is a TCP timer that is not configurable, because of the time it takes to notice the dead peer:
>> 2017/11/20 22:55:02| Ready to serve requests.
>> 2017/11/20 22:55:03| storeLateRelease: released 0 objects
>> 2017/11/20 22:56:55| TCP connection to 192.168.1.1/3128 failed
>> 2017/11/20 22:56:55| TCP connection to 192.168.1.1/3128 failed
>> 2017/11/20 22:56:55| Detected DEAD Parent: 192.168.1.1
> My objective is to configure dead peer detection based only on TCP connection, can this be achieved?

Yes, by the means you already configured.

Also ICMP is not optional. Ensure you have it working in your network. 
TCP connect errors are sent using ICMP from the network router(s) to 
Squid in just nanoseconds instead of whole seconds of waiting times. 
That should make the connect-timeout= setting mostly irrelevant.


> 
> Do I need to allow a specific type of traffic with "cache_peer_access" statements so dead peer detection happens? If I comment those lines, dead peer detection works, but I need to enable it so I can filter what traffic those parent peers accept.
> 

What you configured should have been fine.

The issue is just that by relying only on the TCP/HTTP traffic for 
detection, reducing traffic sent to the peer also reduces its chances to 
detect failures. YMMV as to whether that is a good thing or not.

Amos
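
Added example, not part of the message above and not Squid project code: a small Python check that splits the stop-to-DEAD delay into the time the parent spent shutting down and the time the child Squid took to notice, using the cache.log lines quoted in the thread. The two timestamps recorded on the parent (STOP_ISSUED, PROCESS_GONE) are hypothetical values chosen for illustration, as are the function names.

```python
import re
from datetime import datetime

# Constructed input: the cache.log lines quoted in the thread.
CACHE_LOG = """\
2017/11/20 22:55:02| Ready to serve requests.
2017/11/20 22:55:03| storeLateRelease: released 0 objects
2017/11/20 22:56:55| TCP connection to 192.168.1.1/3128 failed
2017/11/20 22:56:55| TCP connection to 192.168.1.1/3128 failed
2017/11/20 22:56:55| Detected DEAD Parent: 192.168.1.1
"""
STOP_ISSUED = "2017/11/20 22:55:10"   # assumed: stop command issued on the parent
PROCESS_GONE = "2017/11/20 22:56:40"  # assumed: parent squid process has exited

# "kidN" is the worker tag that SMP Squid puts between the timestamp and "|".
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?: kid\d+)?\| (.*)$")
FAILED = re.compile(r"^TCP connection to (\S+)/\d+ failed$")
DEAD = re.compile(r"^Detected DEAD Parent: (\S+)$")

def ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")

def peer_events(log_text, peer):
    """Return (connect-failure times, first DEAD detection time or None)."""
    failures, dead = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped cache.log line
        when, msg = ts(m.group(1)), m.group(2)
        f, d = FAILED.match(msg), DEAD.match(msg)
        if f and f.group(1) == peer:
            failures.append(when)
        elif d and d.group(1) == peer and dead is None:
            dead = when
    return failures, dead

def breakdown(log_text, peer, stop_issued, process_gone):
    """Split the stop-to-DEAD delay into peer shutdown and detection time."""
    failures, dead = peer_events(log_text, peer)
    if dead is None:
        return None  # peer was never marked DEAD in this log
    stop, gone = ts(stop_issued), ts(process_gone)
    return {
        "peer_shutdown_s": (gone - stop).total_seconds(),
        "detect_after_exit_s": (dead - gone).total_seconds(),
        "total_s": (dead - stop).total_seconds(),
        "failures_before_dead": sum(1 for t in failures if t <= dead),
    }
```

Calling breakdown(CACHE_LOG, "192.168.1.1", STOP_ISSUED, PROCESS_GONE) with these sample values attributes 90 of the 105 seconds to the parent's own shutdown; cache.log has one-second resolution, so sub-second detection shows as 0.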

