[squid-users] ERR_CONNECT_FAIL 110
Amos Jeffries
squid3 at treenet.co.nz
Sun Dec 21 03:31:39 UTC 2014
On 21/12/2014 10:12 a.m., Alfredo Rezinovsky wrote:
> On 19/12/14 at 12:53, Amos Jeffries wrote:
>>> On 20/12/2014 4:21 a.m., Alfredo Rezinovsky wrote:
>>>> I have a few TPROXY implementations with squid. In only one
>>>> of them recently I'm getting lots of: "x-squid-error:
>>>> ERR_CONNECT_FAIL 110" and some 504 timeouts.
>>>>
>>>> Squid Cache: Version 3.4.10-20141218-r13197 configure
>>>> options: '--prefix=/opt/sepia/squid'
>>>> '--sysconfdir=/var/lib/sepia/' '--disable-auth'
>>>> '--disable-auto-locale' '--disable-cache-digests'
>>>> '--disable-cpu-profiling' '--disable-debug-cbdata'
>>>> '--disable-delay-pools' '--disable-devpoll' '--disable-ecap'
>>>> '--disable-esi' '--disable-eui'
>>>> '--disable-external-acl-helpers'
>>>> '--disable-follow-x-forwarded-for' '--disable-forw-via-db'
>>>> '--enable-gnuregex' '--disable-htcp' '--disable-icap-client'
>>>> '--disable-ident-lookups' '--enable-internal-dns'
>>>> '--disable-ipf-transparent' '--disable-ipfw-transparent'
>>>> '--disable-ipv6' '--disable-leakfinder'
>>>> '--disable-pf-transparent' '--disable-poll'
>>>> '--disable-select' '--disable-snmp' '--enable-ssl'
>>>> '--disable-stacktraces' '--disable-translation'
>>>> '--disable-url-rewrite-helpers' '--disable-wccp'
>>>> '--disable-wccpv2' '--disable-win32-service'
>>>> '--disable-x-accelerator-vary' '--disable-icmp'
>>>> '--disable-storeid-rewrite-helpers' '--enable-async-io'
>>>> '--enable-disk-io' '--enable-epoll'
>>>> '--enable-http-violations' '--enable-inline'
>>>> '--enable-kill-parent-hack' '--enable-linux-netfilter'
>>>> '--enable-log-daemon-helpers' '--enable-removal-policies'
>>>> '--enable-storeio' '--enable-unlinkd'
>>>> '--enable-x-accelerator-vary' '--enable-zph-qos'
>>>> '--with-default-user=nobody' '--with-logdir=/var/log/sepia'
>>>> '--with-pthreads' '--with-included-ltdl'
>>>> '--with-pidfile=/var/lib/sepia/squid.pid'
>>>> '--with-netfilter-conntrack' --enable-ltdl-convenience
>>>>
>>>> Is a custom compiled squid with everything I don't need
>>>> disabled.
>>>>
>>>> Running in Ubuntu with kernel 3.13.0
>>>>
>>>> PMTU from the proxy to both the servers and the clients seems
>>>> to be 1500.
>>>>
>>>> Any clue?
> Nope you omitted the best clues. :-)
>
> The access.log entries matching those errors would be a good start
> if you can identify them.
>
> Amos
> Shame on me
>
> 1419108172.470  29936 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
> 1419108202.446  29971 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
> 1419108212.325  30029 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
> 1419108232.487  30029 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
> 1419108262.453  29814 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
> 1419108294.101  59408 172.16.1.2 TCP_MISS/503 469 GET http://xml.weather.yahoo.com/forecastrss? - ORIGINAL_DST/206.190.43.214 text/html
> 1419108295.670  60800 172.16.1.2 TCP_MISS/503 469 GET http://download.finance.yahoo.com/d/333.txt? - ORIGINAL_DST/209.191.96.200 text/html
>
> All 503 errors are around 60 seconds. The same requests work when
> the tproxy is not enabled.
>
Okay, this says that you are intercepting the traffic. Squid tried
opening a connection to the same IP the client was connecting to
(should work, right?). But the TCP SYN packets sent out by Squid never
got any response.

Sometimes (ABORTED/000) the client gave up waiting and disconnected
after ~30sec.
Sometimes (MISS/503) Squid was the one to give up after ~60sec.

Since it is the outbound TCP connections from Squid that are dying,
check the usual suspects:

 * ICMP blocking - only a very small sub-set of a few codes are
   dangerous and need blocking; the rest are useful or mandatory for
   reliable connectivity.
 * path-MTU discovery - can be broken by ICMP packets being dropped or
   bad MSS values on a tunnel/VPN interface.
 * ECN and TCP Window Scaling - can be corrupted by old broken software
   on the transit path.
 * NAT on the outbound connections - can send packets to weird places.
Amos
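As an added example (not code from the thread or from the Squid project), here is the classification Amos applies to those access.log entries written as a small Python parser over Squid's default native log format: a TCP_MISS_ABORTED/000 at ~30 s is the client closing first, a TCP_MISS/503 at ~60 s is Squid's own connect attempt timing out. The sample log is constructed from the lines posted above plus one healthy request to a TEST-NET address; the 30 s and 60 s thresholds and the 15% slack are assumptions taken from the durations quoted in the thread, not values read from the poster's squid.conf.

```python
"""Split outbound-connect failures in a Squid access.log into "client gave up"
and "Squid gave up" buckets, per ORIGINAL_DST peer.

Added example; not Squid code and not from the thread's authors.  Parses the
native access.log format:
  ts.ms  elapsed_ms  client  code/status  bytes  method  url  user  hier/peer  ctype
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: the seven records posted in the thread (unwrapped, one
# per line) plus one normal 200 to a TEST-NET peer so the "ok" path is exercised.
SAMPLE_LOG = """\
1419108172.470  29936 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
1419108202.446  29971 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
1419108212.325  30029 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
1419108232.487  30029 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
1419108262.453  29814 172.16.1.2 TCP_MISS_ABORTED/000 0 GET http://www.ibm.com/ - ORIGINAL_DST/172.233.13.247 -
1419108294.101  59408 172.16.1.2 TCP_MISS/503 469 GET http://xml.weather.yahoo.com/forecastrss? - ORIGINAL_DST/206.190.43.214 text/html
1419108295.670  60800 172.16.1.2 TCP_MISS/503 469 GET http://download.finance.yahoo.com/d/333.txt? - ORIGINAL_DST/209.191.96.200 text/html
1419108300.000    120 172.16.1.2 TCP_MISS/200 5120 GET http://example.test/ - ORIGINAL_DST/198.51.100.7 text/html
"""

FIELD_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Assumed thresholds (from the thread's ~30 s / ~60 s observations; Squid's
# default connect_timeout is 1 minute).  Not read from any squid.conf.
CLIENT_GIVEUP_MS = 30_000
SQUID_CONNECT_TIMEOUT_MS = 60_000
SLACK = 0.15  # accept durations within +/-15% of the threshold


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str
    status: int
    peer: str
    url: str


def parse_line(line):
    """Return an Entry for one native-format access.log line, or None."""
    m = FIELD_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), int(m["ms"]), m["client"], m["code"],
                 int(m["status"]), m["peer"], m["url"])


def near(ms, target):
    return abs(ms - target) <= target * SLACK


def classify(e):
    """Map one entry to the failure mode Amos describes."""
    # ABORTED with status 000 and zero bytes: nothing ever came back from the
    # origin and the client closed the socket first.
    if e.code.endswith("_ABORTED") and e.status == 0 and near(e.elapsed_ms, CLIENT_GIVEUP_MS):
        return "client-gave-up"
    # 503 landing right on connect_timeout: Squid's SYN got no answer.
    if e.status == 503 and near(e.elapsed_ms, SQUID_CONNECT_TIMEOUT_MS):
        return "squid-connect-timeout"
    if e.status in (503, 504):
        return "other-upstream-error"
    return "ok"


def summarize(log_text):
    """Count entries per class, and per ORIGINAL_DST peer for the failures."""
    by_class = Counter()
    by_peer = defaultdict(Counter)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        c = classify(e)
        by_class[c] += 1
        if c != "ok":
            by_peer[e.peer][c] += 1
    return by_class, dict(by_peer)


if __name__ == "__main__":
    classes, peers = summarize(SAMPLE_LOG)
    print(dict(classes))
    for peer, counts in peers.items():
        print(peer, dict(counts))
```

Run against a real access.log, the per-peer table tells you whether the dead SYNs are confined to particular destinations (pointing at a route, NAT or MTU problem on one path) or hit every ORIGINAL_DST peer (pointing at the proxy's own outbound rules); the time-based fingerprint matters because a slow origin also produces 503s, but not ones that all land within a few seconds of connect_timeout.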