[squid-users] TCP_DENIED and TCP_MISS_ABORTED

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 26 04:26:06 UTC 2015


On 26/02/2015 8:44 a.m., Mike wrote:
> We have recently been seeing this error on squid where one site that our
> users need access to is not loading at all.
> 
> 1424889858.688      0 127.0.0.1 TCP_DENIED/407 3968 GET
> http://www.afa.net/ - HIER_NONE/- text/html
> 1424889878.725  20014 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
> http://www.afa.net/ testuser1 HIER_DIRECT/66.210.221.116
> 
> [root at xeserver squid]# squid -v
> Squid Cache: Version 3.4.7
> 
> Attempted to add an acl:
> acl allowafa dstdomain .afa.net .afastore.net
> http_access allow allowafa
> 
> but this did not fix it.
> 
> I understand the /407 as it related to http access means proxy
> authentication required, which is what every customer does when the
> browser is opened up, so authentication is already done

That does not follow from the 407. In fact it means exactly the opposite
-  authentication *not* done.

The existence of "testuser1" information is what tells that
authentication is done.

> and active in
> the server, otherwise other websites would not be loading either.
> 
> All other sites we need access to work fine, it is just something about
> this one... Any suggestions?

ABORTED means the client disconnected. As they are able to do at any
time. This particular transaction tool 20 seconds and transferred 0
bytes to the client. No surprise they give up and disconnect.

The usual culprits are:
* broken Path-MTU discovery
* broken ECMP support
* Expect:100-continue
* broken TCP ECN support
* TCP window scaling

The 100-continue problem could be from the client, but the rest for your
case will be happening between Squid and server somewhere (if at all).

Amos


More information about the squid-users mailing list