This is a discussion on Re: [SQU] ASP.NET - squid
I have had some serious issues with some ASP.NET pages. And I know 4
very large organizations that are asking me why, at the very moment,
and to come up with a solution!
However, my problem exists through SSL, only, as far as I know. The
environment is static and that's the only test I can perform.
However, I have tested ISA 2004 in various configurations, and it seems
that Internet Explorer is sending the ACK FIN flags when the ASP.NET
page bombs with a Server 500 error. I have yet to go through the
packets between SQUID and the next stage of routers (doing that now) to
see if the problem precedes or is SQUID.
I do give props to SQUID though, ISA 2004 was denying connections (no
matter the configuration) and allowing some based on the exact same
rules, thus sending multiple packets with the same SYN and ACKs,
meanwhile IE determines that the proxy fails and gets the SYN/ACK
packets itself, causing retransmission and duplicate packets to be sent
back and forth to the Web Server on the other side of the world. ...
You can only imagine what happens to the firewalls: intrusion detection
alerts that the connection is a DoS or scan via SYN attack, thus
malicious... and it drops the SSL tunnel.
These tests are exhaustive, and I have yet to come up with a solution.
But it seems that the Server 500 error [Access Denied] is coming from
the edge-router (Web Server across the globe) and the SQUID box before
it hits the IE client. This is my final test. If that's the case, I
have NO clue what to do.
Either way, I'm assuming it's either an IE bug, ASP.NET 1.0 bug, CPU
over-utilization / network stack congestion / pipe saturation and
overall... too much latency.
Squid and ISA probably aren't the problem, but who knows when we're
talking about HTTP/1.1 TLS Updates [RFC 2817] for SSL transparent proxy
via CONNECT...
All-in-all, I think Henrick would like this problem, any takers?
If you have a solution, hit me with an E-mail: mraarone@gmail.com
Thanks,
Aaron E