[squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay
Sticher, Jascha
jascha.sticher at tds.fujitsu.com
Tue Aug 7 14:37:16 UTC 2018
Hi,
most times we encountered this error message it had something to do with IPv4 DNS queries being answered too slowly or not at all (as in: only AAAA-records in the reply). If this occurring with some sites only, that could be the case.
You could verify this by sniffing your DNS queries from the squid. We solved >99% of these error with the following two lines - a couple of sites needed entries in /etc/hosts, because their nameservers were broken.
> dns_timeout 10 seconds
> forward_max_tries 25
Kind regards,
Jascha Sticher
-----Ursprüngliche Nachricht-----
Von: squid-users <squid-users-bounces at lists.squid-cache.org> Im Auftrag von Ahmad, Sarfaraz
Gesendet: Dienstag, 7. August 2018 16:15
An: Amos Jeffries <squid3 at treenet.co.nz>; squid-users at lists.squid-cache.org
Betreff: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay
I cannot reproduce this. This is intermittent. In Chrome's dev tools, it appeared to take over 20 secs to setup the TCP connection.
I am SSL bumping all TLS connections unless they match certain ACLs. So it is safe to assume that the vast majority of the traffic was bumped.
I don't see any TLS handshake failure messages in cache.log. I think the access.log messages I posted earlier are fake CONNECT requests created using TCP-level info (the response time logged there is directly proportionate to what I see in Chrome's dev tools). Guessing that Squid would send TCP SYN-ACK only after it receives SYN-ACK from remote/origin server.
I don’t think ICAP(reqmod) would come into the picture yet either (assuming that even the TCP connections have not been set up yet) so that is safe to rule out. Am I right here ?
Also restarting squid service fixed this. I had a python script running in the background that was able to GET a webpage using requests module(timeout set to 30) but Squid apparently couldn't even set up a TCP connection.
- Sarfaraz
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Tuesday, August 7, 2018 6:04 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay
On 07/08/18 21:55, Ahmad, Sarfaraz wrote:
> Hi,
>
>
>
> I am WCCPv2 for redirecting traffic to Squid.
>
Squid version?
> Intermittently I see these messages in access.log and the internet for
> clients goes away.
>
>
>
> 1533612202.312 79102 <ip> NONE_ABORTED/000 0 CONNECT
> 198.22.156.64:443
> - HIER_NONE/- -
>
> 1533612202.312 82632 <ip> NONE_ABORTED/000 0 CONNECT
> 173.194.142.186:443 - HIER_NONE/- -
>
> 1533612202.312 16030 <ip> NONE_ABORTED/000 0 CONNECT
> 172.217.15.67:443
> - HIER_NONE/- -
>
> 1533612202.312 78477 <ip> NONE_ABORTED/000 0 CONNECT
> 173.194.142.186:443 - HIER_NONE/- -
>
>
>
> But I can access internet on the host running squid itself just fine
> yet Squid reports those messages with high response times (the second column).
>
...>
>
> We use an ICAP service. Could that play a role here ?
A lot of things *might* play a role there.
>
> Any thoughts ?
Trace the traffic.
What did the client actually send to Squid?
It's probably not a port-80 style CONNECT request.
What does Squid send back to the client?
Does Squid complete the TLS handshake?
What are your SSL-Bump settings?
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list