Re: [squid-users] TCP_MISS/504 when accesing www.citibank.com
On Sat, Nov 12, 2011 at 12:57 PM, Amos Jeffries squ...@treenet.co.nz wrote: On 12/11/2011 1:02 a.m., feralert wrote: On Fri, Nov 11, 2011 at 1:22 AM, Amos Jeffriessqu...@treenet.co.nz wrote: On 11/11/2011 4:16 a.m., feralert wrote: As a workaround (thanks to Radoslaw, who came up with the idea) I have done this: I added an entry for www.citibank.com pointing to the working server ip into /etc/hosts, then added hosts_file /etc/hosts into squid.conf. It works for the time being, but is not a final solution. NP: You should not have had to mark /etc/hosts in squid.conf (one less place to undo later), unless the file is in a strange location. I'm not sure if I undestand your tip. Do you mean that I can get rid of /etc/hosts argument to the hosts_file directive because that is actually the default setting for hosts_file?, or you mean that I can get rid of the whole directive since squid already takes into account the entries in /etc/hosts by default? Yes. You should not need the whole line because it is the default value. Removing just the value will tell Squid *not* to use the hosts file at all (or kill Squid with a bungled config, one or the other). Amos Thank you Amos for the explanation and your help. From last Friday both servers pointing to www.citibank.com are answering HTTP 1.0 petitions as they should, and therefore the problem is gone. This confirms it wasn't a squid 2.7 issue but citibank's, although I haven't got confirmation from them because they didn't care to answer my emails. Cheers, Fred.
Re: [squid-users] TCP_MISS/504 when accesing www.citibank.com
On 12/11/2011 1:02 a.m., feralert wrote: On Fri, Nov 11, 2011 at 1:22 AM, Amos Jeffriessqu...@treenet.co.nz wrote: On 11/11/2011 4:16 a.m., feralert wrote: As a workaround (thanks to Radoslaw, who came up with the idea) I have done this: I added an entry for www.citibank.com pointing to the working server ip into /etc/hosts, then added hosts_file /etc/hosts into squid.conf. It works for the time being, but is not a final solution. NP: You should not have had to mark /etc/hosts in squid.conf (one less place to undo later), unless the file is in a strange location. I'm not sure if I undestand your tip. Do you mean that I can get rid of /etc/hosts argument to the hosts_file directive because that is actually the default setting for hosts_file?, or you mean that I can get rid of the whole directive since squid already takes into account the entries in /etc/hosts by default? Yes. You should not need the whole line because it is the default value. Removing just the value will tell Squid *not* to use the hosts file at all (or kill Squid with a bungled config, one or the other). Amos
Re: [squid-users] TCP_MISS/504 when accesing www.citibank.com
As a workaround (thanks to Radoslaw, who came up with the idea) I have done this: I added an entry for www.citibank.com pointing to the working server ip into /etc/hosts, then added hosts_file /etc/hosts into squid.conf. It works for the time being, but is not a final solution. UNIX is very simple, it just needs a genius to understand its simplicity. -- Dennis Ritchie, D.E.P. On Wed, Nov 9, 2011 at 9:54 PM, feralert feral...@gmail.com wrote: Thanks Amos, A dig to www.citibank.com gives two different ips, changing one for the other after a short period of time, one of them works fine and squid 2.7 is able to get the page and the other one fails. Using tcpdump I have taken captures for both, while using debian package for squid 2.7.stable9, these are the results: In both of them squid sends a GET HTTP/1.0: 1) The one that works replays with a HTTP/1.1 301 Moved Permanently, that TCP session is close and another one is open squid now asking for the new URL, finally being able to retrieve it and serve it fine. 2) The other one doesnt reply at all to the inital GET HTTP/1.0 petition and therefore there are a few TCP retransmissions of it until it receives a FIN,ACK packet from the server. I tried the same but using squid 3.1.6 instead, again in both servers, and it works in both!. The difference being that squid 3.1 instead of sending aGET HTTP/1.0 sends a GET HTTP/1.1, getting the HTTP/1.1 301 response in both cases. So, to the light of these results, is seems that the second server (the one that fails) does not understand/talk HTTP/1.0, dont you think? is this possible?. Thank you, Fred. UNIX is very simple, it just needs a genius to understand its simplicity. -- Dennis Ritchie, D.E.P. On Wed, Nov 9, 2011 at 5:37 AM, Amos Jeffries squ...@treenet.co.nz wrote: On 9/11/2011 12:29 a.m., feralert wrote: Hi all, I'm new on the list so hi everyone and please do excuse my english. And now down to bussiness :) Im having trouble accessing www.citibank.com with squid 2.7. I'm actually trying from two different platforms (Debian Lenny linux box running 2.7.STABLE3 and NetBSD running 2.7.STABLE7), using different connections to the internet and both getting weird results. * ) With the NetBSD machine: What i usually get in the browser is a (110) Connection timed out, and a TCP_MISS/504 in the servers logs. While trying to retrieve the URL: http://www.citibank.com/ The following error was encountered: Connection to 192.193.219.58 Failed The system returned: (110) Connection timed out The remote host or network may be down. Please try the request again. 03:16:39 120355 10.5.5.236 TCP_MISS/504 1454 GET http://www.citibank.com/ - DIRECT/192.193.219.58 text/html But sometimes (ina very few rare occasions) it gets through and I see the following: 1320746405.173 15615 10.5.5.236 TCP_MISS/200 6985 CONNECT metrics1.citibank.com:443 - DIRECT/63.140.40.2 - And in the browser I see that I get redirected to https://online.citibank.com/US/Welcome.c;. From there on I have no trouble surfing the website. Also, if I try go directly to https://online.citibank.com; works every time. * ) With the linux one: With this one I never gotten through (maybe I havent tried as many times), I also get the Connection timed out and TCP_MISS/504, and also aZero Sized Reply and a TCP_MISS/502: The browser shows: While trying to retrieve the URL: http://www.citibank.com/ The following error was encountered: Zero Sized Reply Squid did not receive any data for this request. And in the logs I get: 03:01:03 150396 10.5.5.236 TCP_MISS/502 1334 GET http://www.citibank.com/ - DIRECT/192.193.103.222 text/html 03:03:35 151215 10.5.5.236 TCP_MISS/504 1477 GET http://www.citibank.com/favicon.ico - DIRECT/192.193.103.222 text/html These seems to be all symptoms of either TCP connection setup problems or ICMP blocking. The Zero Sized Reply hints that it is more likely MTU problems and ICMP blocking somewhere. Where Squid can locate and send data to the server, but nothing comes back (ie the packet sent was too big, but the ICMP reply telling the Squid machine to send smaller packts never got delivered). Amos
Re: [squid-users] TCP_MISS/504 when accesing www.citibank.com
On 11/11/2011 4:16 a.m., feralert wrote: As a workaround (thanks to Radoslaw, who came up with the idea) I have done this: I added an entry for www.citibank.com pointing to the working server ip into /etc/hosts, then added hosts_file /etc/hosts into squid.conf. It works for the time being, but is not a final solution. NP: You should not have had to mark /etc/hosts in squid.conf (one less place to undo later), unless the file is in a strange location. Amos
Re: [squid-users] TCP_MISS/504 when accesing www.citibank.com
Thanks Amos, A dig to www.citibank.com gives two different ips, changing one for the other after a short period of time, one of them works fine and squid 2.7 is able to get the page and the other one fails. Using tcpdump I have taken captures for both, while using debian package for squid 2.7.stable9, these are the results: In both of them squid sends a GET HTTP/1.0: 1) The one that works replays with a HTTP/1.1 301 Moved Permanently, that TCP session is close and another one is open squid now asking for the new URL, finally being able to retrieve it and serve it fine. 2) The other one doesnt reply at all to the inital GET HTTP/1.0 petition and therefore there are a few TCP retransmissions of it until it receives a FIN,ACK packet from the server. I tried the same but using squid 3.1.6 instead, again in both servers, and it works in both!. The difference being that squid 3.1 instead of sending aGET HTTP/1.0 sends a GET HTTP/1.1, getting the HTTP/1.1 301 response in both cases. So, to the light of these results, is seems that the second server (the one that fails) does not understand/talk HTTP/1.0, dont you think? is this possible?. Thank you, Fred. UNIX is very simple, it just needs a genius to understand its simplicity. -- Dennis Ritchie, D.E.P. On Wed, Nov 9, 2011 at 5:37 AM, Amos Jeffries squ...@treenet.co.nz wrote: On 9/11/2011 12:29 a.m., feralert wrote: Hi all, I'm new on the list so hi everyone and please do excuse my english. And now down to bussiness :) Im having trouble accessing www.citibank.com with squid 2.7. I'm actually trying from two different platforms (Debian Lenny linux box running 2.7.STABLE3 and NetBSD running 2.7.STABLE7), using different connections to the internet and both getting weird results. * ) With the NetBSD machine: What i usually get in the browser is a (110) Connection timed out, and a TCP_MISS/504 in the servers logs. While trying to retrieve the URL: http://www.citibank.com/ The following error was encountered: Connection to 192.193.219.58 Failed The system returned: (110) Connection timed out The remote host or network may be down. Please try the request again. 03:16:39 120355 10.5.5.236 TCP_MISS/504 1454 GET http://www.citibank.com/ - DIRECT/192.193.219.58 text/html But sometimes (ina very few rare occasions) it gets through and I see the following: 1320746405.173 15615 10.5.5.236 TCP_MISS/200 6985 CONNECT metrics1.citibank.com:443 - DIRECT/63.140.40.2 - And in the browser I see that I get redirected to https://online.citibank.com/US/Welcome.c;. From there on I have no trouble surfing the website. Also, if I try go directly to https://online.citibank.com; works every time. * ) With the linux one: With this one I never gotten through (maybe I havent tried as many times), I also get the Connection timed out and TCP_MISS/504, and also aZero Sized Reply and a TCP_MISS/502: The browser shows: While trying to retrieve the URL: http://www.citibank.com/ The following error was encountered: Zero Sized Reply Squid did not receive any data for this request. And in the logs I get: 03:01:03 150396 10.5.5.236 TCP_MISS/502 1334 GET http://www.citibank.com/ - DIRECT/192.193.103.222 text/html 03:03:35 151215 10.5.5.236 TCP_MISS/504 1477 GET http://www.citibank.com/favicon.ico - DIRECT/192.193.103.222 text/html These seems to be all symptoms of either TCP connection setup problems or ICMP blocking. The Zero Sized Reply hints that it is more likely MTU problems and ICMP blocking somewhere. Where Squid can locate and send data to the server, but nothing comes back (ie the packet sent was too big, but the ICMP reply telling the Squid machine to send smaller packts never got delivered). Amos
[squid-users] TCP_MISS/504 when accesing www.citibank.com
Hi all, I'm new on the list so hi everyone and please do excuse my english. And now down to bussiness :) Im having trouble accessing www.citibank.com with squid 2.7. I'm actually trying from two different platforms (Debian Lenny linux box running 2.7.STABLE3 and NetBSD running 2.7.STABLE7), using different connections to the internet and both getting weird results. * ) With the NetBSD machine: What i usually get in the browser is a (110) Connection timed out, and a TCP_MISS/504 in the servers logs. While trying to retrieve the URL: http://www.citibank.com/ The following error was encountered: Connection to 192.193.219.58 Failed The system returned: (110) Connection timed out The remote host or network may be down. Please try the request again. 03:16:39 120355 10.5.5.236 TCP_MISS/504 1454 GET http://www.citibank.com/ - DIRECT/192.193.219.58 text/html But sometimes (ina very few rare occasions) it gets through and I see the following: 1320746405.173 15615 10.5.5.236 TCP_MISS/200 6985 CONNECT metrics1.citibank.com:443 - DIRECT/63.140.40.2 - And in the browser I see that I get redirected to https://online.citibank.com/US/Welcome.c;. From there on I have no trouble surfing the website. Also, if I try go directly to https://online.citibank.com; works every time. * ) With the linux one: With this one I never gotten through (maybe I havent tried as many times), I also get the Connection timed out and TCP_MISS/504, and also aZero Sized Reply and a TCP_MISS/502: The browser shows: While trying to retrieve the URL: http://www.citibank.com/ The following error was encountered: Zero Sized Reply Squid did not receive any data for this request. And in the logs I get: 03:01:03 150396 10.5.5.236 TCP_MISS/502 1334 GET http://www.citibank.com/ - DIRECT/192.193.103.222 text/html 03:03:35 151215 10.5.5.236 TCP_MISS/504 1477 GET http://www.citibank.com/favicon.ico - DIRECT/192.193.103.222 text/html Machines are: - Linux box (debian lenny). # squid -v Squid Cache: Version 2.7.STABLE3 configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-carp' '--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' 'i386-debian-linux' 'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux' 'CFLAGS=-Wall -g -O2' 'LDFLAGS=' 'CPPFLAGS=' - NetBSD 5.0.2 machine: [root@prometeo ~]# squid -v Squid Cache: Version 2.7.STABLE7 configure options: '--sysconfdir=/usr/pkg/etc/squid' '--localstatedir=/var/squid' '--datarootdir=/usr/pkg/share/squid' '--enable-auth=basic,digest,ntlm' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-icmp' '--enable-removal-policies=lru,heap' '--enable-poll' '--enable-underscores' '--enable-storeio=ufs null aufs coss diskd' '--with-aio' '--enable-ipf-transparent' '--enable-carp' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' '--enable-basic-auth-helpers=getpwnam MSNT NCSA YP PAM' '--enable-digest-auth-helpers=password' '--enable-ntlm-auth-helpers=fakeauth SMB' '--enable-external-acl-helpers=ip_user unix_group' '--prefix=/usr/pkg' '--build=i386--netbsdelf' '--host=i386--netbsdelf' '--mandir=/usr/pkg/man' 'build_alias=i386--netbsdelf' 'host_alias=i386--netbsdelf' 'CC=cc' 'CFLAGS=-O2 -pthread -I/usr/include' 'LDFLAGS=-L/usr/lib -Wl,-R/usr/lib -pthread -Wl,-R/usr/pkg/lib' 'LIBS=' 'CPPFLAGS=-I/usr/include' I can post both squid.conf files if requested. Any hints? Cheers, Fred.
Re: [squid-users] TCP_MISS/504 when accesing www.citibank.com
On 9/11/2011 12:29 a.m., feralert wrote: Hi all, I'm new on the list so hi everyone and please do excuse my english. And now down to bussiness :) Im having trouble accessing www.citibank.com with squid 2.7. I'm actually trying from two different platforms (Debian Lenny linux box running 2.7.STABLE3 and NetBSD running 2.7.STABLE7), using different connections to the internet and both getting weird results. * ) With the NetBSD machine: What i usually get in the browser is a (110) Connection timed out, and a TCP_MISS/504 in the servers logs. While trying to retrieve the URL: http://www.citibank.com/ The following error was encountered: Connection to 192.193.219.58 Failed The system returned: (110) Connection timed out The remote host or network may be down. Please try the request again. 03:16:39 120355 10.5.5.236 TCP_MISS/504 1454 GET http://www.citibank.com/ - DIRECT/192.193.219.58 text/html But sometimes (ina very few rare occasions) it gets through and I see the following: 1320746405.173 15615 10.5.5.236 TCP_MISS/200 6985 CONNECT metrics1.citibank.com:443 - DIRECT/63.140.40.2 - And in the browser I see that I get redirected to https://online.citibank.com/US/Welcome.c;. From there on I have no trouble surfing the website. Also, if I try go directly to https://online.citibank.com; works every time. * ) With the linux one: With this one I never gotten through (maybe I havent tried as many times), I also get the Connection timed out and TCP_MISS/504, and also aZero Sized Reply and a TCP_MISS/502: The browser shows: While trying to retrieve the URL: http://www.citibank.com/ The following error was encountered: Zero Sized Reply Squid did not receive any data for this request. And in the logs I get: 03:01:03 150396 10.5.5.236 TCP_MISS/502 1334 GET http://www.citibank.com/ - DIRECT/192.193.103.222 text/html 03:03:35 151215 10.5.5.236 TCP_MISS/504 1477 GET http://www.citibank.com/favicon.ico - DIRECT/192.193.103.222 text/html These seems to be all symptoms of either TCP connection setup problems or ICMP blocking. The Zero Sized Reply hints that it is more likely MTU problems and ICMP blocking somewhere. Where Squid can locate and send data to the server, but nothing comes back (ie the packet sent was too big, but the ICMP reply telling the Squid machine to send smaller packts never got delivered). Amos
