<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 9, 2019 at 2:37 PM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 8/9/19 1:37 PM, Tom Karches wrote:<br>
> On Fri, Aug 9, 2019 at 11:38 AM Alex Rousskov wrote:<br>
<br>
> Ok, here is the info from the real trace. First time with #dns_v4_first<br>
> on commented out, 2nd time "dns_v4_ first on" is active. Difference is<br>
> with no "dns_v4_first on" directive, I get a RR_CONNECT_FAIL 111. When<br>
> active, I get a RR_CONNECT_FAIL 101. <br>
<br>
BTW, it may be easier for you to read --trace--ascii output.<br></blockquote><div><br></div><div>I didn't see anything additional using the ascii option, though it is easier to read</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Both are ERR_CONNECT_FAIL errors ("connection reset by peer" and<br>
"connection refused"). Your Squid cannot connect to where it needs to<br>
connect in order to establish a TCP tunnel. It could be a Squid<br>
misconfiguration, a routing problem, insufficient capabilities, and many<br>
other things.<br>
<br>
I suggest checking cache.log for WARNINGs and ERRORs. After arriving at<br>
a clean cache.log, I would use a packet capture (or similar) to see<br>
where Squid is trying to connect (and which local address it is<br>
connecting from). That information may be enough to figure out why Squid<br>
cannot connect successfully.<br>
<br></blockquote><div><br></div><div>This is what I am seeing from cache.log when I attempt the proxy :</div><div><br></div><div> </div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:18px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2019/08/09 16:19:08.127 kid1| 33,2| client_side.cc(817) swanSong: local=<a href="http://127.0.0.1:3128">127.0.0.1:3128</a> remote=<a href="http://127.0.0.1:33428">127.0.0.1:33428</a> flags=1</span></p>
</div><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:18px">2019/08/09 16:19:10.051 kid1| 33,2| client_side.cc(817) swanSong: local=<a href="http://152.7.114.135:3128">152.7.114.135:3128</a> remote=<a href="http://10.50.54.21:43198">10.50.54.21:43198</a> flags=1</span><div><br></div><div>Right now my debug is set to <span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:16px">ALL,1 33,2. Is there a better set of options to provide me more visibility of what might be wrong?</span></div><div><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:16px"><br></span></div>
<div>Here is our config file, in case that helps. If it's something obvious I'm not seeing. We have some whitelists, but I am running with those turned off until this is working so I won't include them here. Thanks for the help.</div><div><br></div><div>Tom</div><div><br></div><div><font face="monospace"># squid config file - 2019-08-09<br># Timeouts<br>connect_timeout 2 minutes # For CDWG Vendor<br>debug_options ALL,1 33,2<br><br>dns_v4_first on<br><br>acl SSL_ports port 443<br>acl SSL_ports port 1443 # <a href="http://b2b-test.apple.com:1443">b2b-test.apple.com:1443</a><br>acl SSL_ports port 3079 # <a href="http://bci.stapleslink.com">bci.stapleslink.com</a> special port<br>acl SSL_ports port 4443 # <a href="http://pascal.apple.com:4443">pascal.apple.com:4443</a><br>acl SSL_ports port 993 # IMAP from Stat application to Gmail<br>acl SSL_ports port 22 # Allow SSH and SFTP to proxy/connect<br>acl SSL_ports port 8443 # redhat cap port<br><br><br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl Safe_ports port 5228 # google services<br>acl Safe_ports port 1935 # cam steamer port<br>acl Safe_ports port 8443 # redhat cap port<br>acl CONNECT method CONNECT<br><br>#<br># Recommended minimum Access Permission configuration:<br>#<br># Only allow cachemgr access from localhost<br>http_access allow manager localhost<br>http_access deny manager<br><br># Deny requests to certain unsafe ports<br>http_access deny !Safe_ports<br><br># Deny CONNECT to other than secure SSL ports<br>http_access deny CONNECT !SSL_ports<br><br># We strongly recommend the following be uncommented to protect innocent<br># web applications running on the proxy server who think the only<br># one who can access services on "localhost" is a local user<br>#http_access deny to_localhost<br><br>#<br># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>#<br><br># Example rule allowing access from your local networks.<br># Adapt localnet in the ACL section to list your (internal) IP networks<br># from where browsing should be allowed<br>http_access allow localnet<br>http_access allow localhost<br><br># And finally deny all other access to this proxy<br>http_access deny all<br><br>icp_access deny all<br><br># Squid normally listens to port 3128<br>http_port 3128<br><br># Uncomment and adjust the following to add a disk cache directory.<br>#cache_dir ufs /var/spool/squid 2048 16 256<br><br># Default configuration value for cache_mem<br>#cache_mem 256 MB<br>cache deny all<br><br># Leave coredumps in the first cache dir<br>coredump_dir /var/spool/squid<br><br># Add any of your own refresh_pattern entries above these.<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 0 20% 4320<br><br>max_filedescriptors 65000</font><br></div><div><br></div><div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><font size="1" face="arial, helvetica, sans-serif">Thomas Karches<br>NCSU OIT CSI - Systems Specialist</font></div><div><font size="1" face="arial, helvetica, sans-serif">M.E Student - Technology Education</font></div><div><font size="1" face="arial, helvetica, sans-serif">Hillsborough 319 / 919.515.5508</font></div><div dir="ltr"><br><br></div></div></div></div></div></div></div></div></div></div></div>