Dear Adam,

Try

echo 0 > /proc/sys/net/ipv4/tcp_ecn

on the squid box; maybe this could help.

----- Original Message -----
From: "Adam"
To:
Sent: Saturday, February 28, 2004 6:46 AM
Subject: [squid-users] site works unproxied but "conn reset by peer" via squid


> Hello,
>
> We have a problem for which I was unable to find an explanation or solution
> via the list archives or FAQ: We are able to access the site
> www.calottery.com (don't ask - we just support the users unproxied
> (directly through our Pix firewall) but when going through our Squid
> 2.5STABLE3 proxy it takes forever to time out, then gives this error:
> "While trying to retrieve the URL: http://www.calottery.com/
> The following error was encountered:
> Read Error
> The system returned: (131) Connection reset by peer
> An error condition occurred while reading data from the network "
>
> Their server is running IIS 5 per netcraft and the site of the people who
> did their site for them (and I think host it) also fails: www.jel.net.
> Hitting sub-links like
> http://www.calottery.com/images/game...rlottoplus.asp or
> just /images pulls up responses so their server works and our server can
> talk to them. Perhaps it is something with their ASP pages but then if that
> is the case I am wondering why Squid can't talk to them
>
> Checking the archives, most "connection reset by peer" posts resolve with
> "ignore them." As to the FAQ, 11.41 also says this and says that if this
> is a M$oft server then the server may just be really busy. If that were the
> case, why would it be very zippy unproxied? 17.10 looks interesting but I
> have been assured that we are not using Cisco policy routing so don't think
> it applies. For the record, the Pix guy also said that we have no "fixup"
> (e.g. to adjust destination port addresses) and no filter (we are not
> filtering Active X or anything
>
> It used to work and it's a pretty vanilla installation. We have about 2000
> users and 99% of the other sites are working fine. Everyone has the proxy's
> address hardcoded in their browser and the proxy goes out directly (no
> peers/parents). The only non-standard thing I can think of that we do is
> I use the tcp_outgoing_address to split half our VLANs onto one T1 and the
> other half onto the other. This is quite old and we haven't changed
> anything on Squid in a while. The only change we've made since this broke
> Feb 5th is we switched from a Checkpoint Firewall to the Pix firewall (no
> content-engines, just the firewall). So I searched for that as that is the
> only new change but searching for Pix shows problems with WCCP and
> Transparent proxying but we are using neither. Furthermore we are using
> Solaris 2.8 on an Ultra 60 so the ECN problems I also saw wouldn't seem to
> apply. Some issue on routing came up so I am asking the network group to
> look into routing but if we can get so some sub-pages (see below) and the
> whole site unproxied, I don't think that is the issue.
>
> I am 1 rev behind Stable3 instead of 4, but I didn't see anything specific
> to this kind of problem in the change_log, except possibly :
> "Bug #699: Host header now forwarded exactly where it was in the original
> request to work around certain broken firewalls or load balancers which
> fail if this header is too far into the request headers." I am not enough
> of an expert to know if that is the fix or not and will try up-revving if
> you think that might work but I don't think that is the source of the
> problem. Then again I am stumped so willing to try anything (we have a DEV
> Squid proxy that is identical to the other, so I am working on that. I
> tried clearing the cache (echo "" > swap.state method) and adding
> calottery.com to the notcached directive (restarting each time) and both
> failed to resolve the problem.
>
> Anyhow sorry for the lengthy post but I wanted to be clear on what I had
> checked and what I have. So if you have any ideas or suggestions, I would
> be most appreciative.
>
> thanks,
>
> Adam
>
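As an added example (not part of this thread), a small POSIX shell helper for checking the ECN suggestion on a Linux Squid host: it reports the current tcp_ecn value, fetches the URL from the thread both directly and through the proxy with curl, and classifies where the failure sits. The proxy address is a placeholder; the poster's Solaris box has no /proc/sys/net interface, so the read step would need Solaris' own tooling there.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread. Assumes a Linux host
# with curl; the proxy address passed to main is a placeholder.
ECN_FILE=/proc/sys/net/ipv4/tcp_ecn

# Classify one curl exit status: 56 is curl's "failure receiving network
# data" (what a peer reset looks like), 28 is its operation timeout.
classify_rc() {
    case "$1" in
        0) echo ok ;;
        56) echo reset ;;
        28) echo timeout ;;
        *) echo other ;;
    esac
}

# Compare direct vs proxied outcome and say where to look next.
diagnose() {
    direct=$1
    proxied=$2
    if [ "$direct" = ok ] && [ "$proxied" = ok ]; then
        echo "both paths work"
    elif [ "$direct" = ok ]; then
        echo "only the proxy path fails ($proxied): check ECN/firewall on the proxy's path"
    elif [ "$proxied" = ok ]; then
        echo "only the direct path fails ($direct): problem is outside the proxy"
    else
        echo "both paths fail (direct=$direct proxied=$proxied): suspect the remote site or routing"
    fi
}

# Fetch a URL (optionally via proxy), discard the body, return curl's status.
probe() {
    if [ -n "$2" ]; then
        curl -sS -o /dev/null --max-time 30 -x "$2" "$1"
    else
        curl -sS -o /dev/null --max-time 30 "$1"
    fi
}

main() {
    url=${1:-http://www.calottery.com/}          # site named in the thread
    proxy=${2:-http://squid.example.invalid:3128} # placeholder proxy
    [ -r "$ECN_FILE" ] && echo "tcp_ecn=$(cat "$ECN_FILE") (0 = ECN disabled)"
    probe "$url" ""; d=$(classify_rc $?)
    probe "$url" "$proxy"; p=$(classify_rc $?)
    diagnose "$d" "$p"
}

# Invoke as: sh thisfile run <url> <proxy>; sourcing it defines the functions only.
case "${1:-}" in run) main "$2" "$3" ;; esac
```

Re-run it after changing tcp_ecn on the proxy host to see whether the proxy-path verdict changes.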