[squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

Sticher, Jascha jascha.sticher at tds.fujitsu.com
Tue Aug 7 14:37:16 UTC 2018


Hi,

most times we encountered this error message it had something to do with IPv4 DNS queries being answered too slowly or not at all (as in: only AAAA-records in the reply). If this occurring with some sites only, that could be the case.

You could verify this by sniffing your DNS queries from the squid. We solved >99% of these error with the following two lines - a couple of sites needed entries in /etc/hosts, because their nameservers were broken.


> dns_timeout 10 seconds
> forward_max_tries 25


Kind regards,

Jascha Sticher


-----Ursprüngliche Nachricht-----
Von: squid-users <squid-users-bounces at lists.squid-cache.org> Im Auftrag von Ahmad, Sarfaraz
Gesendet: Dienstag, 7. August 2018 16:15
An: Amos Jeffries <squid3 at treenet.co.nz>; squid-users at lists.squid-cache.org
Betreff: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

I cannot reproduce this. This is intermittent.  In Chrome's dev tools, it appeared to take over 20 secs to setup the TCP connection.
I am SSL bumping all TLS connections unless they match certain ACLs. So it is safe to assume that the vast majority of the traffic was bumped.

I don't see any TLS handshake failure messages in cache.log. I think the access.log messages I posted earlier are fake CONNECT requests created using TCP-level info (the response time logged there is directly proportionate to what I see in Chrome's dev tools). Guessing that Squid would send TCP SYN-ACK only after it receives SYN-ACK from remote/origin server.
I don’t think ICAP(reqmod) would come into the picture yet either (assuming that even the TCP connections have not been set up yet) so that is safe to rule out. Am I right here ?

Also restarting squid service fixed this.  I had a python script running in the background that was able to GET a webpage using requests module(timeout set to 30) but Squid apparently couldn't even set up a TCP connection.

- Sarfaraz



-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Tuesday, August 7, 2018 6:04 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

On 07/08/18 21:55, Ahmad, Sarfaraz wrote:
> Hi,
> 
>  
> 
> I am WCCPv2 for redirecting traffic to Squid.
> 

Squid version?

> Intermittently I see these messages in access.log and the internet for 
> clients goes away.
> 
>  
> 
> 1533612202.312  79102 <ip> NONE_ABORTED/000 0 CONNECT 
> 198.22.156.64:443
> - HIER_NONE/- -
> 
> 1533612202.312  82632 <ip> NONE_ABORTED/000 0 CONNECT
> 173.194.142.186:443 - HIER_NONE/- -
> 
> 1533612202.312  16030 <ip> NONE_ABORTED/000 0 CONNECT 
> 172.217.15.67:443
> - HIER_NONE/- -
> 
> 1533612202.312  78477 <ip> NONE_ABORTED/000 0 CONNECT
> 173.194.142.186:443 - HIER_NONE/- -
> 
>  
> 
> But I can access internet on the host running squid itself just fine 
> yet Squid reports those messages with high response times (the second column).
> 
...>  
> 
> We use an ICAP service. Could that play a role here ?

A lot of things *might* play a role there.

> 
> Any thoughts ?

Trace the traffic.

What did the client actually send to Squid?
  It's probably not a port-80 style CONNECT request.

What does Squid send back to the client?

Does Squid complete the TLS handshake?

What are your SSL-Bump settings?


Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


More information about the squid-users mailing list