[squid-users] Unable to access a device over port 4434
Matus UHLAR - fantomas
uhlar at fantomas.sk
Wed Oct 16 14:21:56 UTC 2024
On 16.10.24 13:43, Piana, Josh wrote:
>I have the firewalld service disabled. I'm running RHEL 9.4, if that helps at all.
try running:
iptables -L -n -v
iptables -t nat -L -n -v
or
nft list tables
nft list table ip filter
to see if you have any rules that block outgoing traffic.
Perhaps you can check
sysctl net.ipv4.tcp_ecn
and set it to '0' if it helps.
>Would a PAC file make a difference in the connection to the firewall? When comparing our old squidbox to the one I'm setting up, that's one of the outliers.
>
>-----Original Message-----
>From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Matus UHLAR - fantomas
>Sent: Wednesday, October 16, 2024 7:56 AM
>To: squid-users at lists.squid-cache.org
>Subject: Re: [squid-users] Unable to access a device over port 4434
>
>Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>
>On 15.10.24 20:39, Piana, Josh wrote:
>>Thank you for getting back to me and clarifying.
>>
>>I ran this command:
>>#wget -Y off 172.27.46.253
>>
>>Response:
>>--2024-10-15 16:36:15--  http://172.27.46.253/
>>Connecting to 172.27.46.253:80... connected.
>>HTTP request sent, awaiting response... 301 Moved Permanently
>>Location: https://172.27.46.253/ [following]
>>--2024-10-15 16:36:15--  https://172.27.46.253/
>>Connecting to 172.27.46.253:443... connected.
>>ERROR: The certificate of '172.27.46.253' is not trusted.
>>ERROR: The certificate of '172.27.46.253' doesn't have a known issuer.
>>The certificate's owner does not match hostname '172.27.46.253'
>>
>>When I tried using port 4434, the wget command just times out.
>
>this means that your squid machine is apparently blocked from connecting to the remote host on port 4434.
>
>Either that host blocked connections from your squid machine, or your squid machine (or any device on your network) has a firewall rule that prevents this.
>
>This is not a squid error.
>
>Do you have local firewall on your squid machine?
>
>
>>So with the errors given, would that stop us from connecting to it?
>> Typically with sites with trust issues or certification issues, you
>>can still bypass it. We'd like to do the same here if applicable.
>
>>On 11/10/24 07:21, Piana, Josh wrote:
>>> I apologize, I was unable to read any of the links that were
>>> responded with because our environment appended the
>>> "eur02.safelinks.protection.outlook.com..." Outlook protection. Did
>>> you see that as well on your side? When I did click the links to
>>> view them, it just stated failed.
>>>
>>> What I gather from what you said was that it's not likely Squid is
>>> the issue. Even when we bypass Squid it does work. FWIW, it's
>>> possible that there is some other network problem coming into play here on our side.
>>> Though I did try to verify there are no blockages from the firewall,
>>> the networks, the traffic, etc.
>
>
>>FTR; the critical detail in what Matus wrote was that the "wget" (or
>>curl if you prefer) connection test **must** be performed
>> A) on the Squid machine,
>> B) using the same low-privileges user account that Squid runs with,
>> C) to the same server IP address Squid is trying to contact.
>>
>>That ensures the TCP connection privileges are as close to identical as possible to what Squid is doing.
>>
>>Running it from another machine and/or user account may encounter
>>different firewall or routing behaviour that hides the real issue.
>>
>>If that test provides a successful TCP connection, *and* HTTP response
>>message the next step is to
>>
>>
>>Also, FYI; your custom change to the timestamp has somehow lost the
>>"duration" value, so I/we cannot tell if this was a probable TCP
>>FIN/RST (hint of firewall problem) or a SYN+ACK timeout (hint of routing problem).
>
>>> I suppose from here I'll try to troubleshoot other things.
>>>
>>> Alternatively, do you think I should try to create an ACL which bypasses any filters or rules to that network?
>>>
>>> -----Original Message-----
>>> From: squid-users <squid-users-bounces at lists.squid-cache.org> On
>>> Behalf Of Matus UHLAR - fantomas
>>> Sent: Thursday, October 10, 2024 3:21 AM
>>> To: squid-users at lists.squid-cache.org
>>> Subject: Re: [squid-users] Unable to access a device over port 4434
>>>
>>>
>>>
>>> On 09.10.24 19:59, Piana, Josh wrote:
>>>> I'm running into an issue wherein, when using Squid proxy, I'm unable to get to one of our management devices from port 4434.
>>>>
>>>> I've already verified that this device is not blocking access from the proxy directly, and should be allowed to get to the access page.
>>>>
>>>> - When reviewing the access logs, I can see that we're running into a generic 503 error
>>>>
>>>> - When browsing to this page, it will attempt to load for about 30 seconds, and then fail
>>>>
>>>> - The webpage response is a generic "The system returned: (110) Connection timed out"
>>>>
>>>> - When we forgo the proxy, we can access it without an issue
>>>>
>>>> This device is located on a 172.0.0.0/8 internal network.
>>>>
>>>> - Other devices which do NOT use this port are accessible
>>>>
>>>> - Changing the access port is not an option (not up to me)
>>>>
>>>> Access Log entry:
>>>> 09/Oct/2024:15:54:21 -0400.758 10.46.49.190 TCP_MISS/503 4448 GET http://172.27.46.253:4434/ jpiana \
>>>> HIER_DIRECT/172.27.46.253 text/html ERR_CONNECT_FAIL/WITH_SERVER
>>>
>>>
>>> I guess the correct URL is:
>>> http://172.27.46.253:4434/jpiana
>>>
>>> have you tried running the following directly from the squid machine?
>>>
>>> wget -Y off http://172.27.46.253:4434/jpiana
>>>
>>>
>>> Because ERR_CONNECT_FAIL/WITH_SERVER and "Connection timed out" both say that the squid was unable to open connection to server.
>>>
>>> which is not a squid issue but a network connection issue.
>
>--
>Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
>"So does syphilis. Good thing we have penicillin." - Matthew Alton
>_______________________________________________
>squid-users mailing list
>squid-users at lists.squid-cache.org
>https://lists.squid-cache.org/listinfo/squid-users
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]
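The connection test the thread asks for (from the Squid host, as the Squid user, to the same IP and port) can be scripted so the failure mode is classified rather than eyeballed from a wget timeout. The following is an added example written for this page; it is not Squid's code and was not posted by anyone in the thread. It assumes the Squid worker runs as an account named "squid" (check your squid.conf and the process list; the name is an assumption), and that you launch it as that account, e.g. `runuser -u squid -- python3 probe.py 172.27.46.253 4434`, so that owner-matching packet-filter rules and routing decisions are the same ones Squid hits. The hint texts are the editor's, not Squid's.

```python
"""Probe a host:port from the Squid host and classify how connect() fails.

Added example; not Squid's code and not posted in the thread. Run it on the
Squid machine as the Squid account (assumed here to be "squid"), e.g.
    runuser -u squid -- python3 probe.py 172.27.46.253 4434
so that uid-based firewall rules and routing match what Squid experiences.
"""
import errno
import os
import pwd
import socket
import sys

CONNECTED = "connected"
REFUSED = "refused"          # RST came back: REJECT rule or nothing listening
TIMEOUT = "timeout"          # SYN or SYN+ACK silently dropped: DROP rule or routing
UNREACHABLE = "unreachable"  # no route, or ICMP unreachable from a router

HINTS = {  # editor's wording, not Squid's
    CONNECTED: "TCP works from this account; look above TCP or in squid.conf",
    REFUSED: "the host answered; check the service and any REJECT rules",
    TIMEOUT: "no answer at all; look for DROP rules (iptables/nft) or asymmetric routing",
    UNREACHABLE: "kernel has no route or got ICMP unreachable; try `ip route get HOST`",
}


def probe_tcp(host, port, timeout=5.0):
    """One TCP connect attempt; returns one of the verdict strings above."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return CONNECTED
        except socket.timeout:            # must precede OSError (it is a subclass)
            return TIMEOUT
        except ConnectionRefusedError:
            return REFUSED
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return UNREACHABLE
            return "error:" + errno.errorcode.get(e.errno, str(e.errno))


def effective_user():
    """Account the probe runs as; root is a warning sign for this test."""
    return pwd.getpwuid(os.geteuid()).pw_name


def loopback_selfcheck():
    """Check the classifier offline: listen on an ephemeral loopback port,
    probe it (connected), close the listener, probe again (refused).
    Returns (verdict_while_open, verdict_after_close)."""
    lsn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsn.bind(("127.0.0.1", 0))
    lsn.listen(1)
    port = lsn.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    lsn.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py HOST PORT")
    host, port = sys.argv[1], int(sys.argv[2])
    if effective_user() == "root":
        print("warning: running as root, not as the Squid account; results may differ")
    verdict = probe_tcp(host, port)
    print("%s:%d -> %s (%s)" % (host, port, verdict, HINTS.get(verdict, "")))
```

A "refused" result means a packet came back, so the path is open and the question moves to the device or a REJECT rule; a "timeout" means nothing answered, which is what a DROP rule or a routing asymmetry looks like, and is the case to take to `iptables -L -n -v` / `nft list ruleset` and tcpdump on both ends.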
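The thread's other point, that a custom logformat dropped the "duration" value so nobody could tell a quick RST from a slow SYN timeout, can be checked mechanically over the access log. This is an added example written for this page, not Squid's code and not something any poster supplied. The log lines inside it are constructed: three in Squid's default "squid" logformat (second field is the elapsed time in milliseconds, the %tr token) and one imitating the thread's custom timestamp format, which has no elapsed field at all. The thresholds are the editor's heuristics; the 60 000 ms default is Squid's documented connect_timeout default of one minute.

```python
"""Classify Squid ERR_CONNECT_FAIL access-log entries by elapsed time.

Added example; not Squid's code and not posted in the thread. SAMPLE_LOG is
constructed for illustration.
"""
import re

STATUS_RE = re.compile(r"^[A-Z_]+/(\d{3})$")   # e.g. TCP_MISS/503

VERDICT_TIMEOUT = "timeout: SYN never answered (DROP rule or routing)"
VERDICT_FAST = "fast fail: RST/ICMP came back (REJECT rule or no listener)"
VERDICT_SLOW = "slow fail: in between, check retries with tcpdump"
VERDICT_UNKNOWN = "unknown: logformat has no elapsed field, add %tr"
VERDICT_OTHER = "not a connect failure"

# Constructed sample log: three native-format lines, then one in the
# thread's custom format (timestamp, tz.ms, client, code/status, ...).
SAMPLE_LOG = """\
1728503661.758  60012 10.46.49.190 TCP_MISS/503 4448 GET http://172.27.46.253:4434/ jpiana HIER_DIRECT/172.27.46.253 text/html
1728503700.101      3 10.46.49.190 TCP_MISS/503 4448 GET http://172.27.46.253:4434/ jpiana HIER_DIRECT/172.27.46.253 text/html
1728503720.500    215 10.46.49.190 TCP_MISS/200 8412 GET http://172.27.46.250/ jpiana HIER_DIRECT/172.27.46.250 text/html
09/Oct/2024:15:54:21 -0400.758 10.46.49.190 TCP_MISS/503 4448 GET http://172.27.46.253:4434/ jpiana HIER_DIRECT/172.27.46.253 text/html ERR_CONNECT_FAIL/WITH_SERVER
"""


def parse_line(line):
    """Anchor on the <code>/<status> field and read the fields around it.

    Native format: <ts> <elapsed> <client> <code/status> <bytes> <method>
    <url> <user> <hier/peer> <type>. Two fields before the status must be
    an integer to count as elapsed ms; the custom format has "-0400.758"
    there, so elapsed_ms becomes None instead of a guess."""
    tok = line.split()
    idx = next((i for i, t in enumerate(tok) if STATUS_RE.match(t)), None)
    if idx is None or idx < 2:
        raise ValueError("no Squid status field in %r" % line)
    elapsed = tok[idx - 2]
    return {
        "status": int(STATUS_RE.match(tok[idx]).group(1)),
        "url": tok[idx + 3],
        "peer": tok[idx + 5].split("/", 1)[-1] if len(tok) > idx + 5 else "",
        "elapsed_ms": int(elapsed) if elapsed.isdigit() else None,
        "err": next((t for t in tok[idx + 6:] if t.startswith("ERR_")), ""),
    }


def classify(entry, connect_timeout_ms=60000):
    """How long Squid waited before the 503 says what (if anything) came back."""
    if entry["status"] != 503:
        return VERDICT_OTHER
    if entry["err"] and not entry["err"].startswith("ERR_CONNECT_FAIL"):
        return VERDICT_OTHER
    e = entry["elapsed_ms"]
    if e is None:
        return VERDICT_UNKNOWN
    if e >= 0.9 * connect_timeout_ms:   # waited out connect_timeout: no reply
        return VERDICT_TIMEOUT
    if e < 2000:                        # answered at once: RST or ICMP error
        return VERDICT_FAST
    return VERDICT_SLOW


def analyse(log_text, connect_timeout_ms=60000):
    """Return [(peer, url, verdict)] for every non-empty line."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            entry = parse_line(line)
            out.append((entry["peer"], entry["url"], classify(entry, connect_timeout_ms)))
    return out


if __name__ == "__main__":
    for peer, url, verdict in analyse(SAMPLE_LOG):
        print("%-16s %-32s %s" % (peer, url, verdict))
```

Feed it the real access.log (and your configured connect_timeout if it is not the default) and the custom-format line comes back as "unknown", which is exactly the gap Amos pointed at: put %tr back into the logformat before trying to read firewall behaviour off the log.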