Squid Hangs With Some Websites

Last Modified: 9-Nov-2007; 23:27 WST; adrian

Some site access through Squid can "hang" whilst direct access to the internet from a desktop machine functions normally.

Background

Various server operating system defaults can interfere with connections to firewalled web services. These features, designed to improve performance, rely on other servers and networks being RFC-compliant which, unfortunately, is not always the case.

These features and issues include:

  • ECN - Explicit Congestion Notification (RFC 3168); a method for routers along the path to signal that a connection is congested and that TCP should back off
  • Window Scaling - (RFC required) - allowing high throughput TCP connections over higher-latency links (over ~50 milliseconds, so international links or satellite links)
  • Path MTU Discovery (RFC required) - determining differing MTUs to default (1500 on ethernet) in the path

Identification

This is currently difficult to identify without using a traffic sniffer such as ethereal or wireshark to identify broken TCP streams.

Resolution

These issues may be due to local firewall policy. Please make sure you are not filtering ICMP (Path MTU Discovery relies on ICMP "fragmentation needed" messages getting back to the sender) and that your network MTUs are 1500. Some networking services (e.g. IPSEC tunnels, most DSL services) use an MTU below 1500.

These features may be disabled to maximise compatibility.

Linux 2.6

  • Window Scaling: echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
  • Path MTU Discovery: use a default route with a modified MSS below the default of 1460; this forces Linux to use smaller packets - route add default gw [a.b.c.d] mss 1200
  • Disable PMTU Discovery: echo "1" > /proc/sys/net/ipv4/ip_no_pmtu_disc
  • Disable ECN: echo "0" > /proc/sys/net/ipv4/tcp_ecn
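To see at a glance which of these three features a Linux 2.6 Squid host still has turned on, the following audit script (an added example, not from the Squid wiki) reads the sysctl files listed above and, for each feature that is enabled, prints the echo command given above to disable it. The optional root argument is an assumption of this script so the check can be run against a copied /proc tree.

```shell
#!/bin/sh
# Added example, not from the Squid wiki: audit the Linux 2.6 TCP settings
# the page lists. For every feature still enabled, print the remediation
# command. The optional root argument (an assumption of this script) lets the
# check run against a copied /proc tree instead of the live one.

# tcp_compat_report [root]
# Prints "<feature>: <value> (enabled|disabled)" per setting and, when
# enabled, a second line with the command to disable it.
# Return code = number of features still enabled (0 = maximum compatibility).
tcp_compat_report() {
    ipv4="${1:-}/proc/sys/net/ipv4"
    enabled=0
    # feature : sysctl file : value that means "disabled"
    # (ip_no_pmtu_disc is inverted: 1 turns Path MTU Discovery off)
    for spec in \
        "window-scaling:tcp_window_scaling:0" \
        "ecn:tcp_ecn:0" \
        "pmtu-discovery:ip_no_pmtu_disc:1"
    do
        name=${spec%%:*}
        rest=${spec#*:}
        file=${rest%%:*}
        off=${rest#*:}
        path="$ipv4/$file"
        if [ ! -r "$path" ]; then
            printf '%s: unreadable (%s)\n' "$name" "$path"
            continue
        fi
        read -r value < "$path"
        if [ "$value" = "$off" ]; then
            printf '%s: %s (disabled)\n' "$name" "$value"
        else
            printf '%s: %s (enabled)\n' "$name" "$value"
            printf '  to disable: echo "%s" > /proc/sys/net/ipv4/%s\n' "$off" "$file"
            enabled=$((enabled + 1))
        fi
    done
    return "$enabled"
}
```

Run it with no argument on the Squid host itself; the MTU and ICMP checks from the Resolution section still have to be done by hand, since they depend on the firewall rather than on these sysctls.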

See Also