Re: [squid-users] Unable to access a website through Suse/Squid.
Hi Terry,

> I will have to look into ip tables. I can add static routes via the
> interface card which are permanent, however doing it this way doesn't
> give me any options for mss, mtu, etc.. All I can enter this way is
> Source, Destination, Gateway.

I guess you mean using /etc/sysconfig/network/routes? I'm not sure if you can provide any options there.

Another way would be to create your own script which sets up additional routing. Use /etc/init.d/skeleton as a template and create a script (e.g. called /etc/init.d/routes) which contains the commands for setting the routes. Then make sure the symbolic links for starting and stopping the script are created in the runlevel directories:

    insserv /etc/init.d/routes

The script has to be started after the network script, so the names of the symbolic links should start with S06 or higher numbers (the links for the network script are called S05network).

For more information, have a look at the man page of init.d (man init.d) which describes the SUSE boot concept.

If you have any problems, feel free to contact me off-list (as this is not a Squid-related topic).

Regards,

Peter

--
Peter Albrecht            [EMAIL PROTECTED]
Open Source School GmbH   Tel: +49-89-287793-83
Amalienstraße 45 RG       Mob: +49-173-3528664
80799 München             Fax: +49-89-287555-63
HRB 172645 - Amtsgericht München
Managing directors: Peter Albrecht, Dr. Markus Wirtz
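The init script described in the message above could look like the following. This is an added example, not a script posted in the thread; the variable names `IP`, `GATEWAY` and `ROUTES` are chosen here, the gateway default is the thread's placeholder, and the `Required-Start: $network` header is what lets insserv place the start link after the network script.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          routes
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Host routes with a reduced advertised MSS
### END INIT INFO
# Added example for /etc/init.d/routes, not a script from the thread.
# insserv reads the header above and orders the start link after "network".

IP=${IP:-/sbin/ip}
# Placeholder from the thread; set it to the real default gateway.
GATEWAY=${GATEWAY:-your.internet.gateway}
# One "destination advmss" pair per line (this pair is the one from the thread).
ROUTES=${ROUTES:-"63.148.24.5 496"}

# $1 = replace | del. Returns 1 if any single route command failed.
routes_apply() {
    rc=0
    while read -r dst mss; do
        [ -n "$dst" ] || continue
        if [ "$1" = del ]; then
            $IP route del "$dst" via "$GATEWAY" || rc=1
        else
            # "replace" also succeeds when the route already exists,
            # so start and restart are idempotent.
            $IP route replace "$dst" via "$GATEWAY" advmss "$mss" || rc=1
        fi
    done <<EOF
$ROUTES
EOF
    return "$rc"
}

# Returns 3 (LSB "not running") unless every route is present with its advmss.
routes_status() {
    while read -r dst mss; do
        [ -n "$dst" ] || continue
        $IP route show "$dst" | grep -q "advmss $mss" || return 3
    done <<EOF
$ROUTES
EOF
}

case "${1:-}" in
    start|restart|reload) routes_apply replace ;;
    stop)                 routes_apply del ;;
    status)               routes_status ;;
    "")                   ;;  # no argument: only define the functions
    *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```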
RE: [squid-users] Unable to access a website through Suse/Squid.
On Sat 2008-04-05 at 10:11 -0400, Terry Dobbs wrote:

> The internet line is DSL, and does use a username/password (PPPoE).
> However, on the actual DSL router (provided by ISP) I don't see any MTU
> options.

PPPoE means a lower MTU than the internet default of 1500, so any sites not capable of performing Path MTU discovery properly will fail to communicate with you. Path MTU problems are still quite common, especially with people running homegrown firewalls where they add a simple "drop all ICMP traffic, people should not ping us" rule, forgetting that TCP/IP also makes significant use of ICMP..

> I will have to look into ip tables. I can add static routes via the
> interface card which are permanent, however doing it this way doesn't
> give me any options for mss, mtu, etc.. All I can enter this way is
> Source, Destination, Gateway.

You can try the following iptables rule:

    iptables -t mangle -A OUTPUT -o outinterface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440

Regards
Henrik
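To put numbers on the Path MTU discussion above, the following added example (not code from the thread) binary-searches the largest unfragmented packet that reaches a host and derives the matching MSS. It assumes Linux iputils `ping` (`-M do` sets "don't fragment"); the function names are chosen here, and the printed rule includes the TCP SYN match because the TCPMSS target is only accepted on rules that match TCP SYN packets.

```shell
#!/bin/sh
# Added example, not from the thread: measure the path MTU towards a host
# with "don't fragment" pings, then derive the MSS to advertise or clamp to.

# Send one ICMP echo with DF set and $1 bytes of payload to host $2.
# Fails both on an ICMP "fragmentation needed" reply and on plain silence
# (the black-hole case where a firewall drops the ICMP error).
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# Binary-search the ICMP payload size. IPv4 header (20) + ICMP header (8)
# are added to turn the largest working payload into a path MTU.
find_path_mtu() {
    host=$1
    lo=548      # payload of a 576-byte packet, assumed to pass
    hi=1472     # payload of a 1500-byte Ethernet packet
    probe "$lo" "$host" || return 1     # unreachable, or ICMP echo filtered
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + 28 ))
}

# TCP MSS for an IPv4 path: MTU minus IPv4 header (20) and TCP header (20).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Print (do not run) a clamp rule for traffic generated on this host,
# e.g. by Squid. $1 = outgoing interface, $2 = MSS.
clamp_rule() {
    echo "iptables -t mangle -A OUTPUT -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2"
}

# Usage: pmtu.sh HOST OUT_INTERFACE
if [ $# -eq 2 ]; then
    mtu=$(find_path_mtu "$1") || {
        echo "no reply from $1 even at 576 bytes" >&2
        exit 1
    }
    echo "path MTU to $1: $mtu"
    clamp_rule "$2" "$(mss_for_mtu "$mtu")"
fi
```

Running it against several unrelated hosts helps with the local-or-remote question raised in the thread: the same reduced value everywhere points at the local link, a reduced value for one destination only points at that path.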
RE: [squid-users] Unable to access a website through Suse/Squid.
The internet line is DSL, and does use a username/password (PPPoE). However, on the actual DSL router (provided by ISP) I don't see any MTU options.

I will have to look into ip tables. I can add static routes via the interface card which are permanent, however doing it this way doesn't give me any options for mss, mtu, etc.. All I can enter this way is Source, Destination, Gateway.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2008 6:19 PM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

On Fri 2008-04-04 at 13:56 -0400, Terry Dobbs wrote:

> Thanks so much, the advmss worked like a charm. How do I make it so this
> route stays there? When I restart networking it seems to vanish.

Some things first.. you should figure out if the MTU is local or remote. As it's mostly you having issues I would suspect it's local. In such case you should have a lower mss on the default route to make TCP/IP work better.

How are you connected to the Internet? ADSL with PPPoE, or some other tunneling method which has a lower MTU than the default 1500?

How to set the routing is quite distribution dependent, and I am not very familiar with SuSE. But on the good side you can use iptables to achieve the same thing, or maybe rules in your router.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
On Fri 2008-04-04 at 13:56 -0400, Terry Dobbs wrote:

> Thanks so much, the advmss worked like a charm. How do I make it so this
> route stays there? When I restart networking it seems to vanish.

Some things first.. you should figure out if the MTU is local or remote. As it's mostly you having issues I would suspect it's local. In such case you should have a lower mss on the default route to make TCP/IP work better.

How are you connected to the Internet? ADSL with PPPoE, or some other tunneling method which has a lower MTU than the default 1500?

How to set the routing is quite distribution dependent, and I am not very familiar with SuSE. But on the good side you can use iptables to achieve the same thing, or maybe rules in your router.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Thanks so much, the advmss worked like a charm. How do I make it so this route stays there? When I restart networking it seems to vanish.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2008 1:13 PM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

On Thu 2008-04-03 at 12:36 -0400, Terry Dobbs wrote:

> Also, the second command gives me an error and says "mss" is a garbage.

Sorry, should be advmss

    /sbin/ip route add 63.148.24.5 via your.internet.gateway advmss 496

to replace an already existing route use replace instead of add..

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
On Thu 2008-04-03 at 12:36 -0400, Terry Dobbs wrote:

> Also, the second command gives me an error and says "mss" is a garbage.

Sorry, should be advmss

    /sbin/ip route add 63.148.24.5 via your.internet.gateway advmss 496

to replace an already existing route use replace instead of add..

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
I tried adding the first route, but it didn't seem to make a difference. The ethereal capture still shows my squid box sending window size of 1460? Do I need to restart networking to take effect, when I do this it wipes out the route?

Also, the second command gives me an error and says "mss" is a garbage.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2008 7:44 PM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

On Wed 2008-04-02 at 15:43 -0400, Terry Dobbs wrote:

> Ok folks, here is my packet capture; I included only the transmissions
> between the 2 relevant devices (SUSE Server and the problematic
> website).

The capture looks very much like the issues seen by window scaling, but there is no window scaling in this trace... A bit confused..

Guessing wildly here, but my first action would be to upgrade the kernel just in case it's a known tcp problem which has been worked around already..

Another thing you can try is to decrease the window size to a very small size

    /sbin/ip route add 63.148.24.5 via your.internet.gateway window 1480

this isn't optimal for performance, but may work around certain broken firewalls if there is packet reordering at play..

You can also try lowering the MSS, in case there is a MTU blackhole...

    /sbin/ip route add 63.148.24.5 via your.internet.gateway mss 496

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
On Wed 2008-04-02 at 15:43 -0400, Terry Dobbs wrote:

> Ok folks, here is my packet capture; I included only the transmissions
> between the 2 relevant devices (SUSE Server and the problematic
> website).

The capture looks very much like the issues seen by window scaling, but there is no window scaling in this trace... A bit confused..

Guessing wildly here, but my first action would be to upgrade the kernel just in case it's a known tcp problem which has been worked around already..

Another thing you can try is to decrease the window size to a very small size

    /sbin/ip route add 63.148.24.5 via your.internet.gateway window 1480

this isn't optimal for performance, but may work around certain broken firewalls if there is packet reordering at play..

You can also try lowering the MSS, in case there is a MTU blackhole...

    /sbin/ip route add 63.148.24.5 via your.internet.gateway mss 496

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Hi,

I got the capture working, and sent you the file earlier on. When I tried sending it to the list it kept bouncing back. It is very small, and I zipped it up.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2008 5:54 PM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

On Wed 2008-04-02 at 11:56 -0400, Terry Dobbs wrote:

> Also, when running ethereal it doesn't seem to be capturing web traffic,
> catching lots of ARP, but nothing web related. When running on Windows
> behind the SUSE box I can capture web traffic, is there something
> obvious I am missing here?

Should just work. Try capturing on the "Any" interface, in case traffic isn't going the direction you think..

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
On Wed 2008-04-02 at 11:56 -0400, Terry Dobbs wrote:

> Also, when running ethereal it doesn't seem to be capturing web traffic,
> catching lots of ARP, but nothing web related. When running on Windows
> behind the SUSE box I can capture web traffic, is there something
> obvious I am missing here?

Should just work. Try capturing on the "Any" interface, in case traffic isn't going the direction you think..

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Hey,

I did the command you mentioned and it didn't seem to make a difference. Is there anything special I need to do after running the command?

Also, when running ethereal it doesn't seem to be capturing web traffic, catching lots of ARP, but nothing web related. When running on Windows behind the SUSE box I can capture web traffic, is there something obvious I am missing here?

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 7:07 PM
To: Terry Dobbs
Cc: J Beris; squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

On Tue 2008-04-01 at 18:00 -0400, Terry Dobbs wrote:

> Would you want the trace from the squid server, or from a client behind
> the squid server?
>
> Also, the TCP scaling fix, it was just to add a record to the file
> right?
>
> Also, I tried doing the window scaling again. Is it just as simple as
> creating the file "tcp_default_win_scale" in /proc/sys/net/ipv4?

The simplest way to test if it's window scaling biting the host (or to be correct its firewall) is to disable window scaling.

    echo 0 >/proc/sys/net/ipv4/tcp_window_scaling

The sysctls have changed somewhat since the lwn.net article was written many years ago.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
> I tried connecting from a machine running openSUSE 10.3 (without going
> through a proxy). There is something weird in the first reply from the
> server in the TCP section of the package analysis:

I just tried the same thing, fired up openSUSE 10.3 on a laptop, no proxy. Started Wireshark and did a capture.

> TCP Analysis Flags: A segment before this frame was lost
>
> In the following frames I see:
>
> This frame is a (suspected) retransmission
>
> And then the connection stops. No idea what that means, though. Maybe
> that helps.

I also get a few (suspected) retransmissions, but the page loads normally in Firefox. Don't think those retransmissions point to anything really serious, though. Not serious enough to mess up the loading of the page. After all, the packets were retransmitted and then arrived. Most likely somewhere there is a lack of bandwidth, probably the origin server. Maybe the origin server sometimes suffers under high utilization or lacks bandwidth severely enough to cause empty replies?

> Well, that seems to be a strong hint that something is wrong with this
> server. Could you try from another Linux distribution to rule out it's
> a bug in openSUSE?

I doubt it's a bug in openSUSE. We'd be seeing this with more websites then. It's more likely either something at the origin server...or something at Terry's setup which we haven't identified (yet). I've been using openSUSE 10.2 and 10.3 both since they were released. Haven't had problems with sites not loading or sending empty replies.

HTH,

Joop

This message has been scanned for viruses and other dangerous content by MailScanner and appears to be clean.
MailScanner by http://www.prosolit.nl Professional Solutions for IT
Re: [squid-users] Unable to access a website through Suse/Squid.
Hi Terry,

> Yea, I'm lost on this one. Ethereal doesn't show anything strange, just
> the initial connection request, just doesn't seem to get anything back.

I tried connecting from a machine running openSUSE 10.3 (without going through a proxy). There is something weird in the first reply from the server in the TCP section of the package analysis:

    TCP Analysis Flags: A segment before this frame was lost

In the following frames I see:

    This frame is a (suspected) retransmission

And then the connection stops. No idea what that means, though. Maybe that helps.

> Doesn't really make sense that only this one site (at least that I know
> of) is having this issue. The SUSE firewall is turned off, network card
> is configured properly, etc...

Well, that seems to be a strong hint that something is wrong with this server. Could you try from another Linux distribution to rule out it's a bug in openSUSE?

Regards,

Peter

--
Peter Albrecht            [EMAIL PROTECTED]
Open Source School GmbH   Tel: +49-89-287793-83
Amalienstraße 45 RG       Mob: +49-173-3528664
80799 München             Fax: +49-89-287555-63
HRB 172645 - Amtsgericht München
Managing directors: Peter Albrecht, Dr. Markus Wirtz
RE: [squid-users] Unable to access a website through Suse/Squid.
On Tue 2008-04-01 at 18:00 -0400, Terry Dobbs wrote:

> Would you want the trace from the squid server, or from a client behind
> the squid server?

The squid server talking to the web site.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
On Tue 2008-04-01 at 18:00 -0400, Terry Dobbs wrote:

> Would you want the trace from the squid server, or from a client behind
> the squid server?
>
> Also, the TCP scaling fix, it was just to add a record to the file
> right?
>
> Also, I tried doing the window scaling again. Is it just as simple as
> creating the file "tcp_default_win_scale" in /proc/sys/net/ipv4?

The simplest way to test if it's window scaling biting the host (or to be correct its firewall) is to disable window scaling.

    echo 0 >/proc/sys/net/ipv4/tcp_window_scaling

The sysctls have changed somewhat since the lwn.net article was written many years ago.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Would you want the trace from the squid server, or from a client behind the squid server?

Also, the TCP scaling fix, it was just to add a record to the file right?

Also, I tried doing the window scaling again. Is it just as simple as creating the file "tcp_default_win_scale" in /proc/sys/net/ipv4?

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 5:37 PM
To: Terry Dobbs
Cc: J Beris; squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

On Tue 2008-04-01 at 17:29 -0400, Terry Dobbs wrote:

> Yea, I'm lost on this one. Ethereal doesn't show anything strange, just
> the initial connection request, just doesn't seem to get anything back.
>
> Doesn't really make sense that only this one site (at least that I know
> of) is having this issue. The SUSE firewall is turned off, network card
> is configured properly, etc...

Post the trace somewhere and we may take a look if something can be identified.

My bet is still TCP window scaling.. it's the most common source to this problem these days.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
On Tue 2008-04-01 at 17:29 -0400, Terry Dobbs wrote:

> Yea, I'm lost on this one. Ethereal doesn't show anything strange, just
> the initial connection request, just doesn't seem to get anything back.
>
> Doesn't really make sense that only this one site (at least that I know
> of) is having this issue. The SUSE firewall is turned off, network card
> is configured properly, etc...

Post the trace somewhere and we may take a look if something can be identified.

My bet is still TCP window scaling.. it's the most common source to this problem these days.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Yea, I'm lost on this one. Ethereal doesn't show anything strange, just the initial connection request, just doesn't seem to get anything back.

Doesn't really make sense that only this one site (at least that I know of) is having this issue. The SUSE firewall is turned off, network card is configured properly, etc...

-----Original Message-----
From: J Beris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 10:05 AM
To: Terry Dobbs; Henrik Nordstrom
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

> This is obviously why the squid users can't access. I thought it might
> be a DNS issue, but that's crossed off as I can ping the domain, and it
> resolves to correct address.

Yes, if you can ping and resolve, it's not DNS related. I'd fire up wireshark/ethereal and grab the communication that way, see if that clears things up a bit more. Like this, it's hard to troubleshoot.

Regards,

Joop
RE: [squid-users] Unable to access a website through Suse/Squid.
> This is obviously why the squid users can't access. I thought it might
> be a DNS issue, but that's crossed off as I can ping the domain, and it
> resolves to correct address.

Yes, if you can ping and resolve, it's not DNS related. I'd fire up wireshark/ethereal and grab the communication that way, see if that clears things up a bit more. Like this, it's hard to troubleshoot.

Regards,

Joop
RE: [squid-users] Unable to access a website through Suse/Squid.
Yea, I understand that this issue really isn't squid related, just was hoping someone running squid on suse linux has had a similar issue.

I am running Suse Linux 10 and I can ping the domain from the server. I just can't browse to it, I get an error box in Mozilla saying "Document contains no data".

This is obviously why the squid users can't access. I thought it might be a DNS issue, but that's crossed off as I can ping the domain, and it resolves to correct address.

-----Original Message-----
From: J Beris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 9:36 AM
To: Terry Dobbs; Henrik Nordstrom
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

> Thanks for checking. Odd, not sure why this won't work here, the only
> problem like this that I have had in the few years I've used it.

Hi Terry/Henrik,

No problem, little effort to click the link :-)

I made one small mistake, our proxy runs on openSUSE 10.2, not 10.3 as reported earlier. Which release of openSUSE do you run? Perhaps there's a difference between those 2 versions (although, having used both, I can't think of anything related to this case...)

Regards,

Joop
RE: [squid-users] Unable to access a website through Suse/Squid.
> Thanks for checking. Odd, not sure why this won't work here, the only
> problem like this that I have had in the few years I've used it.

Hi Terry/Henrik,

No problem, little effort to click the link :-)

I made one small mistake, our proxy runs on openSUSE 10.2, not 10.3 as reported earlier. Which release of openSUSE do you run? Perhaps there's a difference between those 2 versions (although, having used both, I can't think of anything related to this case...)

Regards,

Joop
RE: [squid-users] Unable to access a website through Suse/Squid.
On Tue 2008-04-01 at 09:28 -0400, Terry Dobbs wrote:

> Thanks for checking. Odd, not sure why this won't work here, the only
> problem like this that I have had in the few years I've used it.

Well.. Squid will only be able to reach the sites you can reach from the server where Squid runs.

The site works fine from here, but it's hard to test all possible variables which may make sites fail.

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Thanks for checking. Odd, not sure why this won't work here, the only problem like this that I have had in the few years I've used it.

-----Original Message-----
From: J Beris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2008 3:46 AM
To: Henrik Nordstrom; Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Unable to access a website through Suse/Squid.

> > Can other people here access this site using Suse Linux?

Yes, works perfectly here behind a squid-2.6.STABLE6-0.8 proxy on openSUSE 10.3. Both Firefox and IE.

> What was the site again?

http://www.franklintraffic.com/

Regards,

Joop
RE: [squid-users] Unable to access a website through Suse/Squid.
> > Can other people here access this site using Suse Linux?

Yes, works perfectly here behind a squid-2.6.STABLE6-0.8 proxy on openSUSE 10.3. Both Firefox and IE.

> What was the site again?

http://www.franklintraffic.com/

Regards,

Joop
RE: [squid-users] Unable to access a website through Suse/Squid.
On Mon 2008-03-31 at 15:31 -0400, Terry Dobbs wrote:

> Can other people here access this site using Suse Linux?

What was the site again?

Regards
Henrik
RE: [squid-users] Unable to access a website through Suse/Squid.
Yea, I did stumble across those a few days ago, and tried doing what it said to no avail.

Can other people here access this site using Suse Linux?

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2008 3:15 PM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Unable to access a website through Suse/Squid.

On Mon 2008-03-31 at 11:30 -0400, Terry Dobbs wrote:

> I have been racking my brain over this one. I am able to ping the
> website from the SUSE machine, just can't www to it. Anyone know why this
> is? Is it a configuration issue on the server, on the website?

There are quite many broken firewalls out on the Internet which fall down when clients & servers have modern TCP/IP implementations such as Linux.. The Squid FAQ has workarounds for most of them.

http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-699d810035c099c8b4bff21e12bb365438a21027

and

http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-4920199b311ce7d20b9a0d85723fd5d0dfc9bc84

There is more, but these two are the most common ones.. some sites have also been seen having problems with tcp timestamping, but these are very rare today..

Regards
Henrik
Re: [squid-users] Unable to access a website through Suse/Squid.
On Mon 2008-03-31 at 11:30 -0400, Terry Dobbs wrote:

> I have been racking my brain over this one. I am able to ping the
> website from the SUSE machine, just can't www to it. Anyone know why this
> is? Is it a configuration issue on the server, on the website?

There are quite many broken firewalls out on the Internet which fall down when clients & servers have modern TCP/IP implementations such as Linux.. The Squid FAQ has workarounds for most of them.

http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-699d810035c099c8b4bff21e12bb365438a21027

and

http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-4920199b311ce7d20b9a0d85723fd5d0dfc9bc84

There is more, but these two are the most common ones.. some sites have also been seen having problems with tcp timestamping, but these are very rare today..

Regards
Henrik