On 3/30/06, Bill Marquette <[EMAIL PROTECTED]> wrote:
I'm running into a small issue with squid on OpenBSD 3.5 (I
know...we're working on our 3.9 build right now) and I'm wondering if
anyone has run into it, or has any suggestions (other than upgrade to
3.9 unless you know the fix is in there for sure).

We've been seeing 503 No route to host errors on https (only) calls
through our squid proxies.  After spending some time looking through
pf debug logs, it's apparent that pf still has previous connections in
FIN_WAIT_2 state (verified in code) in the state table on the machine
(while the host itself no longer shows them in netstat).  pf is then
blocking the new outbound SYN as it's invalid to go from FIN_WAIT_2 to
SYN_SENT state (duh).  What's really weird about this is that it is
ONLY happening on the CONNECT method, GETs never seem to show this
(which points to something I could possibly fix in squid).

<snip remainder of troubleshooting info>

Someone recently pointed out that I never replied to this thread, so
for the archives, what I did to fix this on my hosts was:
# reap stale states every second instead of every 10 seconds
set timeout interval 1
# no reason to keep closed states in the state table very long
# this covers states that have had the four way teardown or been
# reset.  The default of 60 seconds meant that the OS was on
# occasion, trying to reuse ports faster than they'd cleared from
# the state table
set timeout { tcp.closed 1 }

In squid I also set retry_on_error to on (which fixed it w/out the pf
changes).  This setting wasn't strictly necessary, the pf timeout
changes fixed the issue.

--Bill
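Added example, not part of Bill's mail: a small POSIX sh/awk check for the condition he describes, i.e. pf states in FIN_WAIT_2 or CLOSED whose local socket the kernel has already forgotten, so a reused port would hit a stale entry until tcp.closed expires it. The pfctl and netstat output embedded here is constructed, and the `pfctl -s states` line layout (`all tcp src -> dst STATE:STATE`, IPv4 only) is assumed.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s states` output (assumed "all tcp src -> dst S:S" layout).
PF_STATES='all tcp 10.0.0.5:43210 -> 93.184.216.34:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.5:43211 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:43212 -> 93.184.216.34:443       CLOSED:CLOSED
all tcp 10.0.0.5:43213 -> 93.184.216.34:443       FIN_WAIT_2:FIN_WAIT_2'

# Constructed sample of `netstat -an` on the same host (OpenBSD writes addr.port).
NETSTAT='tcp        0      0  10.0.0.5.43211         93.184.216.34.443      ESTABLISHED
tcp        0      0  10.0.0.5.43213         93.184.216.34.443      FIN_WAIT_2'

# stale_states PF_OUTPUT NETSTAT_OUTPUT
# Prints every pf state that is past teardown (FIN_WAIT_2 or CLOSED) whose local
# ip:port no longer has a socket in netstat: these are the entries that make pf
# drop a fresh outbound SYN if the OS reuses the port before the state expires.
stale_states() {
    # Set of local ip:port sockets the kernel still knows about (IPv4 only).
    live=$(printf '%s\n' "$2" | awk '$1 ~ /^tcp/ {
        n = split($4, a, ".")
        if (n == 5) printf "%s.%s.%s.%s:%s\n", a[1], a[2], a[3], a[4], a[5] }')
    printf '%s\n' "$1" | awk -v live="$live" '
        BEGIN { n = split(live, l, "\n"); for (i = 1; i <= n; i++) seen[l[i]] = 1 }
        $2 == "tcp" && $NF ~ /^(FIN_WAIT_2|CLOSED):/ && !($3 in seen) {
            print $3, "->", $5, $NF }'
}

# On a live OpenBSD box:  stale_states "$(pfctl -s states)" "$(netstat -an)"
stale_states "$PF_STATES" "$NETSTAT"
```

With the sample data it reports the 43210 and 43212 states only; 43213 still has a socket and 43211 is still established.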
