[squid-users] confused over ipv6 failing on ipv4-only network

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 6 04:39:27 UTC 2016


On 6/01/2016 5:04 p.m., Jason Haar wrote:
> Hi there
> 
> Weird - several times in the past couple of months I have found I cannot
> get to http://wiki.squid-cache.org/ - I get the error below from my
> squid-3.5.11 server which does not have a Global ipv6 address (it has a
> Local ipv6/fe80: on the Ethernet card - but nothing else). Google.com
> (which is fully ipv6 capable) works fine - so far only
> wiki.squid-cache.org has shown up this way to me (ie I don't see this
> error message.
> 
> On the squid server, "dig a" shows valid ipv4 addresses and "dig aaaa"
> shows the ipv6 address - but why is squid even trying to connect over
> ipv6 if it doesn't have an ipv6 address?
> 
> Could this be a case of the "A" record failing to return fast enough,
> forcing squid to only try ipv6 - which then leads to the error message
> referring to the ipv6 address?

Squid waits for both A and AAAA before continuing after DNS lookup. The
only way to get only IPv6 results is for your DNS server to produce no A
results at all. Timeout _could_ do that, but the default is 30 sec so
unlikely.


> This error message may be correct, but is
> very confusing to anyone who knows they are only running ipv4: maybe
> squid should know how to differentiate between locally routable and
> globally routable ipv6 addresses and basically disable ipv6 if there is
> no Global route?

It does. That knowledge (gained only by trying the connection) is what
is producing the 'connection failed' error page you mention below.
Otherwise it would be a timeout error or "hung" connection from the
client viewpoint.

The same things will happen if you remove all IPv4 WAN routes from the
Squid machine. There is no difference in this between v4 and v6.


> Obviously I could recompile squid without ipv6 support,
> but Amos has made it clear that is "the wrong way" - so how else could
> that be done (as adding ipv6 support to an entire network is not an
> option either - if it was I wouldn't be sending this email! :-)
> 

The Squid wiki is dual-stacked with IPv4 addresses. Since you have a
v4-only network the thing to do is find out why the IPv4 are not working
for your Squid.


> As an aside - I've seen this several times and yet only with
> wiki.squid-cache.org - perhaps there's a performance issue/bug with one
> of the associated DNS servers there?
> 
> The following error was encountered while trying to retrieve the URL:
> http://wiki.squid-cache.org/SquidFaq/SquidAcl
> 
>     Connection to 2001:4b78:2003::1 failed.

This just means that IPv6 was the *last* thing tried. It is entirely
probable that IPv4 were tried first and also failed. Particularly if you
have dns_v4_first turned on.

NP: if you have dns_v4_first off (default) then the error message should
say some IPv4 failed, since it gets tried last.

Amos
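
Added example, not part of the message above and not Squid's own code: a small Python model of the behaviour the reply describes, where every resolved address is tried in an order set by dns_v4_first and a failure report names only the last one tried. Run on the proxy host, it shows the result for each address, including the IPv4 ones the error page never mentioned. The function names are hypothetical, and stopping at the first successful connection is an assumption of the model.

```python
import socket
import sys

def order_candidates(addrs, dns_v4_first=False):
    # Per the thread: dns_v4_first on -> IPv4 first, IPv6 last;
    # off (the default) -> IPv6 first, IPv4 last.
    v4 = [a for a in addrs if ":" not in a]
    v6 = [a for a in addrs if ":" in a]
    return v4 + v6 if dns_v4_first else v6 + v4

def resolve(host, port=80):
    # A and AAAA answers for host, de-duplicated, in resolver order.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return list(dict.fromkeys(info[4][0] for info in infos))

def tcp_connect(addr, port, timeout=5.0):
    # Real connection attempt: None on success, else the OS error text.
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)

def try_all(addrs, port=80, dns_v4_first=False, connect=tcp_connect):
    # Try each candidate in order and stop at the first success.
    # Returns (connected, attempts, reported); `reported` is the last
    # address that failed when nothing connected, i.e. the only one an
    # error message of the "Connection to X failed" kind would name.
    attempts = []
    for addr in order_candidates(addrs, dns_v4_first):
        err = connect(addr, port)
        attempts.append((addr, err))
        if err is None:
            return addr, attempts, None
    return None, attempts, (attempts[-1][0] if attempts else None)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tryaddrs.py HOSTNAME")
    connected, attempts, reported = try_all(resolve(sys.argv[1]))
    for addr, err in attempts:
        print(f"{addr:40} {'ok' if err is None else 'FAILED: ' + err}")
    print("connected via:", connected or f"nothing; error would name {reported}")
```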


