Re: [squid-users] TCP MISS 502

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 29 Mar 2010 19:47:06 +1300

Ivan . wrote:
> Some even more strange access.log entries?
>
> This is odd? Does that mean no DNS record? strange as both squid's use
> the same DNS setup, with a primary, secondary and tertiary setup.
> 1269833940.167 0 127.0.0.1 NONE/400 1868 GET
> www.environment.gov.au - NONE/- text/html
>
> 1269833960.464 60997 10.132.17.30 TCP_MISS/000 0 GET
> http://www.environment.gov.au/ - DIRECT/155.187.3.81 -
>
> 1269834108.182 120002 127.0.0.1 TCP_MISS/000 0 GET
> http://www.environment.gov.au - DIRECT/155.187.3.81 -
>
> This one is new?
> 1269842635.028 295660 10.143.254.22 TCP_MISS/502 2514 GET
> http://www.environment.gov.au/ - DIRECT/155.187.3.81 text/html
>

The TCP_MISS/000 are another version of the READ_ERROR you are receiving
as TCP_MISS/502. The 000 ones are on the client facing side though, the
TCP link read failing before the request headers are finished being
received from the client.
   The first line is received (to get the URL) but not the rest of the
request headers.

The NONE/400 might be yet another version of the read failing at some
point of processing. It's hard to say.

Something is definitely very screwed at the TCP protocol level for those
requests.

Amos

>
>
> On Mon, Mar 29, 2010 at 4:56 PM, Ivan . <ivanhec_at_gmail.com> wrote:
>> Hi Amos
>>
>> You can see the tcp_miss in the access.log here:-
>>
>> 1269834108.182 120002 127.0.0.1 TCP_MISS/000 0 GET
>> http://www.environment.gov.au - DIRECT/155.187.3.81 -
>>
>> Here is a tcpdump output from the connection. You can see the TCP
>> handshake setup and then the http session just hangs? I have confirmed
>> with the website admin these are no ddos type protection, which would
>> block multiple requests in quick succession.
>>
>> The tcp connection times out and then resets.
>>
>> [root_at_squid-proxy ~]# tcpdump net 155.187.3
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 16:58:59.369482 IP xxx.xxxx.xxx.xxx.41338 > 155.187.3.81.http: S
>> 1781942738:1781942738(0) win 5840 <mss 1460,sackOK,timestamp
>> 1321171542 0,nop,wscale 7>
>> 16:58:59.418150 IP 155.187.3.81.http > xxx.xxxx.xxx.xxx.41338: S
>> 2343505326:2343505326(0) ack 1781942739 win 32768 <mss 1460,nop,wscale
>> 0,nop,nop,timestamp 234270252 1321171542,sackOK,eol>
>> 16:58:59.418167 IP xxx.xxxx.xxx.xxx.41338 > 155.187.3.81.http: . ack 1
>> win 46 <nop,nop,timestamp 1321171591 234270252>
>> 16:58:59.418213 IP xxx.xxxx.xxx.xxx.41338 > 155.187.3.81.http: P
>> 1:696(695) ack 1 win 46 <nop,nop,timestamp 1321171591 234270252>
>> 16:58:59.477692 IP 155.187.3.81.http > xxx.xxxx.xxx.xxx.41338: P
>> 2897:4081(1184) ack 696 win 33304 <nop,nop,timestamp 234270307
>> 1321171591>
>> 16:58:59.477700 IP xxx.xxxx.xxx.xxx.41338 > 155.187.3.81.http: . ack 1
>> win 46 <nop,nop,timestamp 1321171650 234270252,nop,nop,sack 1
>> {2897:4081}>
>>
>>
>> cheers
>> Ivan
>>
>> On Mon, Mar 29, 2010 at 3:59 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>> Ivan . wrote:
>>>> Hi,
>>>>
>>>> What would cause a TCP MISS 502, which would prevent a site from
>>>> loading? The site works on squidv3.0 but not on v2.6?
>>>>
>>> Any one of quite a few things. The ERR_READ_ERROR result means the remote
>>> server or network is closing the TCP link on you for some unknown reason.
>>>
>>> Why it works in 3.0 is as much a mystery as why it does not in 2.6 until
>>> details of the traffic on Squid->Server TCP link are known.
>>>
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
>>> Current Beta Squid 3.1.0.18
>>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18
Received on Mon Mar 29 2010 - 06:47:17 MDT

This archive was generated by hypermail 2.2.0 : Mon Mar 29 2010 - 12:00:06 MDT