[squid-users] cache kernel: Limiting open port RST response from xxx to 50 packets/sec
Hello:

I have some issues with different versions of squid servers on FreeBSD (different versions too). They had been running without any problem, but now I am receiving this kind of message: "Limiting open port RST response from xxx to 50 packets/sec". After some messages the performance of the servers decreases suddenly until they lose their network connections. I have received comments of some downloader that might cause this behavior, for example, FlashGet.

This is my sysctl.conf:

net.inet.tcp.msl=7500
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.icmplim=50; It is the limit shown on message
kern.ipc.somaxconn=32768

Best Regards.
Thanks in advance,
Humberto
RE: [squid-users] Problems with WCCP
Thank you so much. I forgot the transparent option on http_port. I have other old versions of squid running from long ago and that option is not needed on them.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, July 10, 2009 10:02 AM
To: Humberto Rodríguez
CC: 'Tom Penndorf'; squid-users@squid-cache.org
Subject: Re: [squid-users] Problems with WCCP

Humberto Rodríguez wrote:
> Yes, I did it in my ipfw rules. I also created 2 gre interfaces for
> testing reasons, because the router identifier and the squid gateway
> are not the same. I also can see packets between the router and the
> server through gre protocol, but the squid server always shows
> TCP_DENIED/400 1816 GET error:invalid-request - NONE/- text/html.

Did you remember to set the transparent or intercept option on http_port?

And what do these request headers look like that Squid is complaining about?

Amos

> I also have installed FreeBSD 6.2-RELEASE and I use wccp v1.
> In my router ACL I deny my national traffic and permit any to any in my last
> sentence.
>
> 00048 00 deny tcp from any to x.x.142.199 dst-port 3128
> 00049 00 allow gre from x.x.0.129 to x.x.142.199
> 00050 37687 20281343 allow tcp from x.x.142.199 to any out
> 00051 23311168 allow tcp from any 80 to any out
> 00052 15210796 allow gre from x.x.142.193 to x.x.142.199
> 00052 00 allow gre from x.x.142.199 to x.x.142.193
> 00054 00 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv gre1
> 00054 152 6968 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv gre0
> 00055 25317177 allow udp from x.x.142.199 to any dst-port 53
> 00056 00 allow tcp from x.x.142.199 to any dst-port 53
> 00057 13322 17236149 allow tcp from any 80 to x.x.142.199 in
> 00067 8420 745002 allow tcp from any to any established
> 0006816 932 allow ip from any to any via lo0
> 00071 54944800 allow ip from x.x.142.199 to x.x.142.192/28
> 00072 809 102132 allow ip from x.x.142.192/28 to x.x.142.199
> 00081 00 allow ip from x.x.0.129 to x.x.142.199
> 0008226 2080 allow ip from x.x.142.199 to x.x.0.129
>
> My gre-tunnels creation:
>
> ifconfig gre0 create
> ifconfig gre0 x.x.142.199 x.x.142.193 netmask 255.255.255.255 up
> ifconfig gre0 tunnel x.x.142.199 x.x.142.193
> route delete x.x.142.193
>
> ifconfig gre1 create
> ifconfig gre1 x.x.142.199 x.x.0.129 netmask 255.255.255.255 up
> ifconfig gre1 tunnel x.x.142.199 x.x.0.129
> route delete x.x.0.129
>
> Thanks In advance
> Humberto
>
> -----Original Message-----
> From: Tom Penndorf [mailto:tpennd...@seibert-media.net]
> Sent: Thursday, July 09, 2009 1:19 PM
> To: Humberto Rodríguez
> CC: squid-users@squid-cache.org
> Subject: Re: [squid-users] Problems with WCCP
>
> Hello,
>
> On 09.07.2009 at 19:06, Humberto Rodríguez wrote:
>
>> Hello:
>>
>> I have SQUID 2.6.STABLE3 with wccp and a Cisco 3745 router with IOS
>> Version 12.3(8)T8. I can see packets between the router and the
>> squid server, I can browse Internet through 3128 port, but I can't
>> browse Internet through wccp protocol.
>> The router always shows me the following:
>>
>> Global WCCP information:
>>     Router information:
>>     Router Identifier: x.x.x.129
>>     Protocol Version: 1.0
>>
>>     Service Identifier: web-cache
>>     Number of Cache Engines: 1
>>     Number of routers: 1
>>     Total Packets Redirected: 4696
>>     Redirect access-list: cache
>>     Total Packets Denied Redirect: 53336
>>     Total Packets Unassigned: 0
>>     Group access-list: -none-
>>     Total Messages Denied to Group: 0
>>     Total Authentication failures: 0
>> 3745-HLG#sh ip wccp web-cache de
>> 3745-HLG#sh ip wccp web-cache detail
>> WCCP Cache-Engine information:
>>     Web Cache ID: 0.0.0.0
>>     Protocol Version: 0.4
>>     State: Usable
>>     Initial Hash Info:
>>
>>     Assigned Hash Info:
>>
>>     Hash Allotment: 256 (100.00%)
>>     Packets Redirected: 0
>>     Connect Time: 00:11:01
>>
>> 3745-HLG#sh ip wccp web-cache view
>> WCCP Route
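The fix reported in this thread (the missing transparent option on http_port), as an added squid.conf sketch for Squid 2.6 with WCCPv1. It is not configuration posted by anyone on the list; the router address 192.0.2.129, the client network 198.51.100.0/24 and the ACL name wccp_clients are placeholders.

```conf
# --- Before: plain forward-proxy port -----------------------------------
# Browsers that are explicitly configured to use the proxy send absolute
# URLs ("GET http://host/path HTTP/1.1"). Traffic redirected by the router
# arrives in origin-server form ("GET /path HTTP/1.1" plus a Host: header).
# Without the transparent flag Squid cannot build a URL from that and logs
#   TCP_DENIED/400 ... GET error:invalid-request - NONE/-
# while browsing through port 3128 directly still works.
#
# http_port 3128

# --- After: port accepts intercepted traffic ----------------------------
http_port 3128 transparent

# WCCPv1 registration with the router (placeholder address).
# Version 4 is what the router output in the thread reports as
# "Protocol Version: 0.4" for the cache engine.
wccp_router 192.0.2.129
wccp_version 4

# Only serve the networks whose traffic the router redirects (placeholder
# range), so the cache is not usable as an open proxy. The client source
# address is preserved inside the GRE tunnel, so a src ACL still works.
acl all src 0.0.0.0/0.0.0.0
acl wccp_clients src 198.51.100.0/24
http_access allow wccp_clients
http_access deny all
```

On the packet-filter side, the ipfw listing in the thread already has a rule (00048) that denies TCP addressed to port 3128 on the cache's own address; the fwd rules do not rewrite the destination address, so redirected port-80 traffic is not matched by it.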
RE: [squid-users] Problems with WCCP
Yes, I did it in my ipfw rules. I also created 2 gre interfaces for testing reasons, because the router identifier and the squid gateway are not the same. I also can see packets between the router and the server through gre protocol, but the squid server always shows TCP_DENIED/400 1816 GET error:invalid-request - NONE/- text/html.

I also have installed FreeBSD 6.2-RELEASE and I use wccp v1.
In my router ACL I deny my national traffic and permit any to any in my last sentence.

00048 00 deny tcp from any to x.x.142.199 dst-port 3128
00049 00 allow gre from x.x.0.129 to x.x.142.199
00050 37687 20281343 allow tcp from x.x.142.199 to any out
00051 23311168 allow tcp from any 80 to any out
00052 15210796 allow gre from x.x.142.193 to x.x.142.199
00052 00 allow gre from x.x.142.199 to x.x.142.193
00054 00 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv gre1
00054 152 6968 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv gre0
00055 25317177 allow udp from x.x.142.199 to any dst-port 53
00056 00 allow tcp from x.x.142.199 to any dst-port 53
00057 13322 17236149 allow tcp from any 80 to x.x.142.199 in
00067 8420 745002 allow tcp from any to any established
0006816 932 allow ip from any to any via lo0
00071 54944800 allow ip from x.x.142.199 to x.x.142.192/28
00072 809 102132 allow ip from x.x.142.192/28 to x.x.142.199
00081 00 allow ip from x.x.0.129 to x.x.142.199
0008226 2080 allow ip from x.x.142.199 to x.x.0.129

My gre-tunnels creation:

ifconfig gre0 create
ifconfig gre0 x.x.142.199 x.x.142.193 netmask 255.255.255.255 up
ifconfig gre0 tunnel x.x.142.199 x.x.142.193
route delete x.x.142.193

ifconfig gre1 create
ifconfig gre1 x.x.142.199 x.x.0.129 netmask 255.255.255.255 up
ifconfig gre1 tunnel x.x.142.199 x.x.0.129
route delete x.x.0.129

Thanks In advance
Humberto

-----Original Message-----
From: Tom Penndorf [mailto:tpennd...@seibert-media.net]
Sent: Thursday, July 09, 2009 1:19 PM
To: Humberto Rodríguez
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Problems with WCCP

Hello,

On 09.07.2009 at 19:06, Humberto Rodríguez wrote:

> Hello:
>
> I have SQUID 2.6.STABLE3 with wccp and a Cisco 3745 router with IOS
> Version 12.3(8)T8. I can see packets between the router and the
> squid server, I can browse Internet through 3128 port, but I can't
> browse Internet through wccp protocol.
> The router always shows me the following:
>
> Global WCCP information:
>     Router information:
>     Router Identifier: x.x.x.129
>     Protocol Version: 1.0
>
>     Service Identifier: web-cache
>     Number of Cache Engines: 1
>     Number of routers: 1
>     Total Packets Redirected: 4696
>     Redirect access-list: cache
>     Total Packets Denied Redirect: 53336
>     Total Packets Unassigned: 0
>     Group access-list: -none-
>     Total Messages Denied to Group: 0
>     Total Authentication failures: 0
> 3745-HLG#sh ip wccp web-cache de
> 3745-HLG#sh ip wccp web-cache detail
> WCCP Cache-Engine information:
>     Web Cache ID: 0.0.0.0
>     Protocol Version: 0.4
>     State: Usable
>     Initial Hash Info:
>
>     Assigned Hash Info:
>
>     Hash Allotment: 256 (100.00%)
>     Packets Redirected: 0
>     Connect Time: 00:11:01
>
> 3745-HLG#sh ip wccp web-cache view
>     WCCP Routers Informed of:
>     -none-
>
>     WCCP Cache Engines Visible:
>     x.x.x.199
>
>     WCCP Cache Engines NOT Visible:
>     -none-

Did you set up a gre-tunnel between Router and Caching-Machine? Is the port 80 forwarded to 3128?

Set it up on the squid machine as described in this article:
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2

I think the router setup is ok, but also see this article:
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoIOSv12Wccp

Tom
[squid-users] Problems with WCCP
Hello:

I have SQUID 2.6.STABLE3 with wccp and a Cisco 3745 router with IOS Version 12.3(8)T8. I can see packets between the router and the squid server, I can browse Internet through 3128 port, but I can't browse Internet through wccp protocol.
The router always shows me the following:

Global WCCP information:
    Router information:
    Router Identifier: x.x.x.129
    Protocol Version: 1.0

    Service Identifier: web-cache
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 4696
    Redirect access-list: cache
    Total Packets Denied Redirect: 53336
    Total Packets Unassigned: 0
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
3745-HLG#sh ip wccp web-cache de
3745-HLG#sh ip wccp web-cache detail
WCCP Cache-Engine information:
    Web Cache ID: 0.0.0.0
    Protocol Version: 0.4
    State: Usable
    Initial Hash Info:

    Assigned Hash Info:

    Hash Allotment: 256 (100.00%)
    Packets Redirected: 0
    Connect Time: 00:11:01

3745-HLG#sh ip wccp web-cache view
    WCCP Routers Informed of:
    -none-

    WCCP Cache Engines Visible:
    x.x.x.199

    WCCP Cache Engines NOT Visible:
    -none-
[squid-users] squid (Software caused connection abort)
Hi everybody:

My squid server sometimes gives me connection problems. After the execution of periodic daily, these lines appear in my cache logs:

Mar 12 03:01:11 ac-ciencia squid[662]: comm_accept: FD 16: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: httpAccept: FD 16: accept failure: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: comm_accept: FD 16: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: httpAccept: FD 16: accept failure: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: comm_accept: FD 16: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: httpAccept: FD 16: accept failure: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: comm_accept: FD 16: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: httpAccept: FD 16: accept failure: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: comm_select: kevent failure: (9) Bad file descriptor
Mar 12 03:01:11 ac-ciencia squid[662]: Select loop Error. Retry 1

Please help me

"All that we are is the result of what we have thought."
RE: [squid-users] squid (Software caused connection abort)
Hi everybody:

My squid server sometimes gives me connection problems. After the execution of periodic daily, these lines appear in my cache logs:

Mar 12 03:01:11 ac-ciencia squid[662]: comm_accept: FD 16: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: httpAccept: FD 16: accept failure: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: comm_accept: FD 16: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: httpAccept: FD 16: accept failure: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: comm_accept: FD 16: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: httpAccept: FD 16: accept failure: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: comm_accept: FD 16: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: httpAccept: FD 16: accept failure: (53) Software caused connection abort
Mar 12 03:01:11 ac-ciencia squid[662]: comm_select: kevent failure: (9) Bad file descriptor
Mar 12 03:01:11 ac-ciencia squid[662]: Select loop Error. Retry 1

Please help me

"All that we are is the result of what we have thought."

-----Original Message-----
From: Saul Waizer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2008 13:15
To: squid-users@squid-cache.org
CC: [EMAIL PROTECTED]
Subject: Re: [squid-users] Need Help

Adnan, please reply to the mailing list too.

Look into X-Forwarded-For, you need to recompile squid with that option and add the x-forwarded... lines to squid.conf

Hope it helps
Saul W

Adnan Shahzad wrote:
> I am using 2.6 Stable version of Squid
>
> M.Adnan Shahzad
> System Administrator
> Information Technology Services Centre Lahore University of Management
> Sciences(LUMS) Opposite Sector U, DHA Lahore 54792, PAKISTAN
> Website: http://www.lums.edu.pk
> Ph: +92-42-5722670-79 Ext 4138
>
> From: saul waizer [EMAIL PROTECTED]
> Sent: Thursday, March 13, 2008 11:10 PM
> To: 'Adnan Shahzad'
> Subject: RE: [squid-users] Need Help
>
> Which version of squid do you have?
>
> -----Original Message-----
> From: Adnan Shahzad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 13, 2008 12:45 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Need Help
>
> Dear Sir,
>
> I am working in a company, Pakistan. My Network setting is
>
> Squid Machine ---> Packeteer (Hardware for Bandwidth Management
> (Without NATing)) -> F5 (aggregated internet connection (Without
> NATing)
> ) > Router (NATing)
>
> I want to configure Squid with dansguardian for content filter, but the
> problem which I am facing is that squid does NAT and doesn't forward
> Client IP. I want to forward client IP to Packeteer and squid to do the
> cache, log and content filtering job. But I am facing this problem and
> I studied lots of documents with no success, so please guide me and help me to resolve this problem.
>
> Looking forward to your positive response.
>
> Regards
>
> M.Adnan Shahzad
> System Administrator
RE: [squid-users] Problem with router
Thanks for your answer, I'll try

"All that we are is the result of what we have thought."

-----Original Message-----
From: Amos Jeffries [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 12, 2007 17:08
To: humberto
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Problem with router

> Hi all;
>
> I have SQUID 2.6.STABLE1 with wccp. In a Cisco router I receive a message:
>

Please try 2.6stable17.

Amos

> 3745-STGO#show ip wccp web-cache de
> WCCP Cache-Engine information:
>     Web Cache ID: 0.0.0.0
>     Protocol Version: 0.4
>     State: Usable
>     Initial Hash Info:
>
>     Assigned Hash Info:
>
>     Hash Allotment: 256 (100.00%)
>     Packets Redirected: 454
>     Connect Time: 00:05:12
>
> And the navigation is not permitted.
>
> Regards
> Humberto
>
> "All that we are is the result of what we have thought."
[squid-users] Problem with router
Hi all;

I have SQUID 2.6.STABLE1 with wccp. In a Cisco router I receive a message:

3745-STGO#show ip wccp web-cache de
WCCP Cache-Engine information:
    Web Cache ID: 0.0.0.0
    Protocol Version: 0.4
    State: Usable
    Initial Hash Info:

    Assigned Hash Info:

    Hash Allotment: 256 (100.00%)
    Packets Redirected: 454
    Connect Time: 00:05:12

And the navigation is not permitted.

Regards
Humberto

"All that we are is the result of what we have thought."
[squid-users] Problems with proxy request
Hi All,

How can I disable proxy requests in squid 2.6.x without disabling ICP queries? In the 2.5.x version there is the option "httpd_accel_with_proxy off"; it disables proxy-request and ICP.

thanks

"All that we are is the result of what we have thought."

-----Original Message-----
From: Monah Baki [mailto:[EMAIL PROTECTED]
Sent: Friday, November 23, 2007 9:45
To: squid-users@squid-cache.org
Subject: [squid-users] Access.log

Hi all,

How can I have the access.log display the source of the client IP using my proxy server rather than the IP address of the proxy itself?

Thanks

BSD Networking, Microsoft Notworking
RE: [squid-users] Access.log
Hi All,

How can I disable proxy requests in squid 2.6.x without disabling ICP queries? In the 2.5.x version there is the option "httpd_accel_with_proxy off"; it disables proxy-request and ICP.

thanks

"All that we are is the result of what we have thought."

-----Original Message-----
From: Monah Baki [mailto:[EMAIL PROTECTED]
Sent: Friday, November 23, 2007 9:45
To: squid-users@squid-cache.org
Subject: [squid-users] Access.log

Hi all,

How can I have the access.log display the source of the client IP using my proxy server rather than the IP address of the proxy itself?

Thanks

BSD Networking, Microsoft Notworking
RE: [squid-users] Don't use cache_parent for a specific IP destination ?
With this option (always_direct) and ACLs you can solve your problem:

always_direct
# Usage: always_direct allow|deny [!]aclname ...
#
# Here you can use ACL elements to specify requests which should
# ALWAYS be forwarded directly to origin servers. For example,
# to always directly forward requests for local servers use
# something like:
#
# acl local-servers dstdomain my.domain.net
# always_direct allow local-servers

Bye

"All that we are is the result of what we have thought."

-----Original Message-----
From: Network Operation Center [mailto:[EMAIL PROTECTED]
Sent: Monday, November 19, 2007 11:09
To: squid-users@squid-cache.org
Subject: [squid-users] Don't use cache_parent for a specific IP destination ?

Hi

I use squid with two cache_parent in the configuration file.
Can I tell my squid that, for a specific destination IP, it should not use cache_parent and should connect directly to the destination?

thanks

bye
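The always_direct answer above, applied to the case the question actually asks about (a destination IP rather than a domain), as an added squid.conf sketch. It is not configuration posted in the thread; the parent host names, the address 192.0.2.10 and the ACL name direct_dst are placeholders.

```conf
# Two parent caches, as in the question (placeholder host names;
# 3128 = HTTP port, 3130 = ICP port of each parent).
cache_peer parent1.example.net parent 3128 3130
cache_peer parent2.example.net parent 3128 3130

# Match on the destination *address*. For a request such as
#   GET http://www.example.org/ ...
# Squid resolves the host name and compares the result with this ACL,
# so the rule also covers every name that points at 192.0.2.10.
# (The quoted documentation example uses dstdomain, which matches the
# name in the URL instead and does not need the lookup.)
acl direct_dst dst 192.0.2.10/32

# "all" exists in the default squid.conf; repeated here so the fragment
# stands on its own.
acl all src 0.0.0.0/0.0.0.0

# always_direct is evaluated before never_direct: requests to 192.0.2.10
# go straight to the origin server ...
always_direct allow direct_dst

# ... and everything else has to go through one of the parents. Without
# this line Squid may still go direct when it considers the parents
# unreachable, which matters if the parents are where filtering or
# logging is enforced.
never_direct allow all
```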
[squid-users] squid with proxy problem
Hi:

I have squid 2.5.STABLE9 installed and I use WCCPv1 in a Cisco router to redirect www traffic; my operating system is FreeBSD 5.3 with IPFW. My problems start when a proxy with port 80 appears configured in clients' browsers. I need these clients to browse some networks, but with this option they may browse everything. I need an option that lets me ignore this type of request (proxy port 80) because the router redirects this traffic. I know that with the use of ACLs it is possible to restrict the access, but this is not my point.

thanks
Humberto

please excuse my English.

"All that we are is the result of what we have thought."