Hello,

We have a problem for which I was unable to find an explanation or solution via the list archives or FAQ:

We are able to access the site www.calottery.com (don't ask - we just support the users :) unproxied (directly through our Pix firewall), but when going through our Squid 2.5STABLE3 proxy it takes forever to time out, then gives this error:

"While trying to retrieve the URL: http://www.calottery.com/
The following error was encountered:
Read Error
The system returned:
(131) Connection reset by peer
An error condition occurred while reading data from the network"

Their server is running IIS 5 per netcraft and the site of the people who did their site for them (and I think host it) also fails: www.jel.net. Hitting sub-links like http://www.calottery.com/images/games/superlottoplus/superlottoplus.asp or just /images pulls up responses, so their server works and our server can talk to them. Perhaps it is something with their ASP pages, but then if that is the case I am wondering why Squid can't talk to them.

Checking the archives, most "connection reset by peer" posts resolve with "ignore them." As to the FAQ, 11.41 also says this and says that if this is a M$oft server then the server may just be really busy. If that were the case, why would it be very zippy unproxied? 17.10 looks interesting but I have been assured that we are not using Cisco policy routing so don't think it applies. For the record, the Pix guy also said that we have no "fixup" (e.g. to adjust destination port addresses) and no filter (we are not filtering Active X or anything).

It used to work and it's a pretty vanilla installation. We have about 2000 users and 99% of the other sites are working fine. Everyone has the proxy's address hardcoded in their browser and the proxy goes out directly (no peers/parents). The only non-standard thing I can think of that we do is I use the tcp_outgoing_address to split half our VLANs onto one T1 and the other half onto the other. This is quite old and we haven't changed anything on Squid in a while.

The only change we've made since this broke Feb 5th is we switched from a Checkpoint Firewall to the Pix firewall (no content-engines, just the firewall). So I searched for that as that is the only new change, but searching for Pix shows problems with WCCP and Transparent proxying, but we are using neither. Furthermore we are using Solaris 2.8 on an Ultra 60 so the ECN problems I also saw wouldn't seem to apply.

Some issue on routing came up so I am asking the network group to look into routing, but if we can get to some sub-pages (see below) and the whole site unproxied, I don't think that is the issue.

I am 1 rev behind Stable3 instead of 4, but I didn't see anything specific to this kind of problem in the change_log, except possibly:

"Bug #699: Host header now forwarded exactly where it was in the original request to work around certain broken firewalls or load balancers which fail if this header is too far into the request headers."

I am not enough of an expert to know if that is the fix or not and will try up-revving if you think that might work, but I don't think that is the source of the problem. Then again I am stumped so willing to try anything (we have a DEV Squid proxy that is identical to the other, so I am working on that).

I tried clearing the cache (echo "" > swap.state method) and adding calottery.com to the notcached directive (restarting each time) and both failed to resolve the problem.

Anyhow, sorry for the lengthy post but I wanted to be clear on what I had checked and what I have. So if you have any ideas or suggestions, I would be most appreciative.

thanks,
Adam
