Dear Adam,

Try

echo 0 > /proc/sys/net/ipv4/tcp_ecn

on the squid box; maybe this could help.

----- Original Message -----
From: "Adam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 28, 2004 6:46 AM
Subject: [squid-users] site works unproxied but "conn reset by peer" via squid

> Hello,
>
> We have a problem for which I was unable to find an explanation or solution
> via the list archives or FAQ: We are able to access the site
> www.calottery.com (don't ask - we just support the users :) unproxied
> (directly through our Pix firewall) but when going through our Squid
> 2.5STABLE3 proxy it takes forever to time out, then gives this error:
> "While trying to retrieve the URL: http://www.calottery.com/
> The following error was encountered:
> Read Error
> The system returned: (131) Connection reset by peer
> An error condition occurred while reading data from the network "
>
> Their server is running IIS 5 per netcraft and the site of the people who
> did their site for them (and I think host it) also fails: www.jel.net.
> Hitting sub-links like
> http://www.calottery.com/images/games/superlottoplus/superlottoplus.asp or
> just /images pulls up responses so their server works and our server can
> talk to them. Perhaps it is something with their ASP pages but then if that
> is the case I am wondering why Squid can't talk to them.
>
> Checking the archives, most "connection reset by peer" posts resolve with
> "ignore them." As to the FAQ, 11.41 also says this and says that if this
> is a M$oft server then the server may just be really busy. If that were the
> case, why would it be very zippy unproxied? 17.10 looks interesting but I
> have been assured that we are not using Cisco policy routing so don't think
> it applies. For the record, the Pix guy also said that we have no "fixup"
> (e.g. to adjust destination port addresses) and no filter (we are not
> filtering Active X or anything).
>
> It used to work and it's a pretty vanilla installation. We have about 2000
> users and 99% of the other sites are working fine. Everyone has the proxy's
> address hardcoded in their browser and the proxy goes out directly (no
> peers/parents). The only non-standard thing I can think of that we do is
> I use the tcp_outgoing_address to split half our VLANs onto one T1 and the
> other half onto the other. This is quite old and we haven't changed
> anything on Squid in a while. The only change we've made since this broke
> Feb 5th is we switched from a Checkpoint Firewall to the Pix firewall (no
> content-engines, just the firewall). So I searched for that as that is the
> only new change but searching for Pix shows problems with WCCP and
> Transparent proxying but we are using neither. Furthermore we are using
> Solaris 2.8 on an Ultra 60 so the ECN problems I also saw wouldn't seem to
> apply. Some issue on routing came up so I am asking the network group to
> look into routing but if we can get to some sub-pages (see below) and the
> whole site unproxied, I don't think that is the issue.
>
> I am 1 rev behind Stable3 instead of 4, but I didn't see anything specific
> to this kind of problem in the change_log, except possibly :
> "Bug #699: Host header now forwarded exactly where it was in the original
> request to work around certain broken firewalls or load balancers which
> fail if this header is too far into the request headers." I am not enough
> of an expert to know if that is the fix or not and will try up-revving if
> you think that might work but I don't think that is the source of the
> problem. Then again I am stumped so willing to try anything (we have a DEV
> Squid proxy that is identical to the other, so I am working on that). I
> tried clearing the cache (echo "" > swap.state method) and adding
> calottery.com to the notcached directive (restarting each time) and both
> failed to resolve the problem.
>
> Anyhow sorry for the lengthy post but I wanted to be clear on what I had
> checked and what I have. So if you have any ideas or suggestions, I would
> be most appreciative.
>
> thanks,
>
> Adam
>
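The thread's symptom is a "(131) Connection reset by peer" that appears only when the request goes through the proxy, and the reply suggests checking the ECN sysctl. The following is an added example, not code from either e-mail or from the Squid project: a small probe that sends the same minimal GET either directly to the origin or through an HTTP proxy and classifies the outcome (answered, timed out, refused, or reset), plus a reader for the Linux tcp_ecn sysctl named in the reply. The mock peer at the bottom is constructed so the probe can be exercised offline; it stands in for an origin that either answers or aborts the connection with an RST. The names `probe`, `build_request`, `linux_ecn_setting`, `serve_once` and `run_offline_demo` are this example's own.

```python
"""Reproduce and classify a "Connection reset by peer" on an HTTP fetch.

Added example (not the original posters' code).  The 131 in the quoted
error page is Solaris's ECONNRESET; Linux reports the same condition as 104.
"""
import socket
import struct
import threading
from typing import Optional, Tuple


def build_request(host: str, path: str = "/") -> bytes:
    # Host is placed as the first header, the ordering the quoted change-log
    # entry (Bug #699) describes as a workaround for some middleboxes.
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: reset-probe/0.1\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def probe(host: str, port: int = 80, proxy: Optional[Tuple[str, int]] = None,
          timeout: float = 5.0) -> Tuple[str, str]:
    """Return (outcome, status_line).

    outcome is 'ok', 'reset', 'timeout', 'refused' or 'error:<errno>'.
    With proxy=(addr, port) the request goes to the proxy with an absolute
    URL, as a browser with a hard-coded proxy address sends it.
    """
    target = proxy if proxy else (host, port)
    path = f"http://{host}/" if proxy else "/"
    try:
        with socket.create_connection(target, timeout=timeout) as s:
            s.sendall(build_request(host, path))
            data = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:          # orderly FIN from the peer
                    break
                data += chunk
        return "ok", data.split(b"\r\n", 1)[0].decode(errors="replace")
    except socket.timeout:
        return "timeout", ""
    except (ConnectionResetError, BrokenPipeError):
        # RST from the peer; some stacks surface it as EPIPE on the next send.
        return "reset", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError as e:
        return f"error:{e.errno}", ""


def linux_ecn_setting(path: str = "/proc/sys/net/ipv4/tcp_ecn") -> Optional[int]:
    """Read the sysctl the reply suggests changing.

    0 means ECN negotiation is off; 1 and 2 mean it is on.  Returns None on
    hosts without that file (e.g. the Solaris box in the thread).
    """
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def serve_once(mode: str) -> int:
    """Constructed local peer for offline use: 'reply' answers 200 and closes
    cleanly; 'reset' closes with SO_LINGER 0 so the client sees an RST."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(1)

    def run() -> None:
        conn, _ = ls.accept()
        with conn:
            if mode == "reply":
                conn.recv(4096)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
            else:
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))
        ls.close()

    threading.Thread(target=run, daemon=True).start()
    return ls.getsockname()[1]


def run_offline_demo() -> dict:
    """Exercise the probe against both constructed peers, direct and 'via proxy'."""
    direct_ok = probe("127.0.0.1", serve_once("reply"))[0]
    via_proxy = probe("www.example.invalid", proxy=("127.0.0.1", serve_once("reply")))[0]
    reset = probe("127.0.0.1", serve_once("reset"))[0]
    return {"direct": direct_ok, "via_proxy": via_proxy, "reset": reset}


if __name__ == "__main__":
    print("tcp_ecn:", linux_ecn_setting())
    print(run_offline_demo())
```

Against a real target, call `probe("www.calottery.com")` and `probe("www.calottery.com", proxy=("proxy-host", 3128))` from the same machine and compare the two outcomes: a reset only on the proxied path, combined with a tcp_ecn value other than 0 on a Linux proxy, is the situation the reply's suggestion is aimed at.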
